
chore: fix Dependabot security alerts via yarn resolutions#84

Merged
jonathannorris merged 2 commits into main from fix/dependabot-alerts
Mar 31, 2026

Conversation

@jonathannorris (Member)

Summary

  • Adds resolutions entries to package.json to force patched versions of vulnerable transitive dependencies
  • Addresses 11 open Dependabot alerts across 5 packages: handlebars, picomatch, flatted, and minimatch (v3 and v9 ranges)
  • All 52 tests pass
| Package | Before | After | Alerts |
| --- | --- | --- | --- |
| handlebars | 4.7.7 | 4.7.9 | #35, #37, #38, #39, #40, #42, #43 |
| picomatch | 2.3.1 | 2.3.2 | #34 |
| flatted | 3.2.0 | 3.4.2 | #32 |
| minimatch | 3.1.2 / 9.0.3 | 9.0.9 | #27, #29 |

Notes

The minimatch@^9.0.7 resolution also collapses the v3 range — all dependents now resolve to 9.0.9.

🤖 Generated with Claude (OpenCode)

@jonathannorris jonathannorris requested a review from a team as a code owner March 31, 2026 19:11
Copilot AI review requested due to automatic review settings March 31, 2026 19:11

Copilot AI left a comment


Pull request overview

This PR aims to clear Dependabot security alerts by forcing patched versions of vulnerable transitive dependencies via Yarn resolutions, and updating the lockfile to reflect the resolved versions.

Changes:

  • Add Yarn resolutions for handlebars, picomatch, flatted, and minimatch (in addition to existing cross-spawn).
  • Regenerate yarn.lock so the dependency graph resolves to the targeted patched versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| package.json | Adds new Yarn resolutions entries to force patched transitive dependency versions. |
| yarn.lock | Updates the lockfile to match the resolved dependency graph (now in a modern Yarn/Berry lockfile format). |


Comment on lines +30 to +31:

    "flatted": "^3.4.2",
    "minimatch": "^9.0.7"

Copilot AI Mar 31, 2026


The minimatch resolution forces v9 for the whole dependency graph, but several dependencies in the lockfile still declare minimatch@^3.x (e.g. glob@7.x depends on minimatch@^3.0.4 / ^3.1.1). Overriding a major version like this can violate semver expectations and can break tooling at runtime even if the project’s own tests pass. Prefer upgrading the dependents to versions that natively use minimatch@9, or (if possible) pin minimatch@3 to a patched 3.x for the packages that require it, and keep minimatch@9 only where it’s already required.

Suggested change (drop the minimatch resolution, keep flatted)

Before:

    "flatted": "^3.4.2",
    "minimatch": "^9.0.7"

After:

    "flatted": "^3.4.2"

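The review's objection is that a resolutions entry can force a version outside the semver range a dependent declares (glob@7.x asking for minimatch@^3.0.4 but receiving 9.0.9). The check below is an added example, not code from this PR or the repository: it takes the forced versions from the table above plus a constructed list of dependents (glob@7.x's range is the one cited in the comment; the other dependents are hypothetical) and reports every dependent whose caret range the forced version violates, so such overrides are caught before the lockfile is regenerated.

```javascript
// Constructed sample data, not the repository's real package.json or yarn.lock.
// Forced versions are the "After" column of this PR's table. glob@7.x's
// minimatch@^3.0.4 range is the one the review cites; the rest are hypothetical.
const resolvedVersions = {
  handlebars: "4.7.9", picomatch: "2.3.2", flatted: "3.4.2", minimatch: "9.0.9",
};
const dependents = [
  { dependent: "glob@7.x",                  dep: "minimatch", range: "^3.0.4" },
  { dependent: "hypothetical-lint-tool",    dep: "minimatch", range: "^3.1.2" },
  { dependent: "hypothetical-test-runner",  dep: "minimatch", range: "^9.0.3" },
  { dependent: "hypothetical-cache-lib",    dep: "flatted",   range: "^3.2.9" },
];

// "9.0.9" -> [9, 0, 9]; pre-release tags are not handled here.
function parseVersion(v) {
  return v.split(".").map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret semantics as npm/yarn apply them: ^x.y.z permits changes that do not
// modify the left-most non-zero component (^3.0.4 => >=3.0.4 <4.0.0,
// ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => exactly 0.0.3).
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only ^ ranges supported: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compareVersions(v, base) < 0) return false;
  const firstNonZero = base.findIndex((n) => n !== 0);
  const lock = firstNonZero === -1 ? 2 : firstNonZero;
  return base.slice(0, lock + 1).every((n, i) => n === v[i]);
}

// Returns every dependent whose declared range is not satisfied by the version
// the resolutions field forces on it, i.e. the semver violation the review flags.
function auditResolutions(forced, deps) {
  return deps
    .filter((d) => d.dep in forced && !satisfiesCaret(forced[d.dep], d.range))
    .map((d) => ({ ...d, forced: forced[d.dep] }));
}

for (const hit of auditResolutions(resolvedVersions, dependents)) {
  console.log(`${hit.dependent} declares ${hit.dep}@${hit.range} but is forced to ${hit.forced}`);
}
```

In a real repository the dependents list would be read from yarn.lock rather than constructed; an empty result means every resolution stays within what its dependents declared.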
@jonathannorris jonathannorris merged commit 66ad114 into main Mar 31, 2026
6 checks passed
@jonathannorris jonathannorris deleted the fix/dependabot-alerts branch March 31, 2026 19:33