Pull request overview
This PR addresses Dependabot security alerts by updating release tooling and forcing patched transitive dependency versions via npm overrides.
Changes:
- Bump `semantic-release` from `^19` to `^24.2.9`.
- Add npm `overrides` to require patched versions of `handlebars`, `picomatch`, `flatted`, and `glob-promise`.
| "eslint": "^7.32.0", | ||
| "prettier": "^2.8.8", | ||
| "semantic-release": "^19.0.3", | ||
| "semantic-release": "^24.2.9", |
semantic-release@24.2.9 requires Node >=20.8.1 (per package-lock), but the repo currently has no engines constraint and the CI/release workflows run Node 15. This will cause npm ci / npx semantic-release to fail. Please either (a) raise the project’s supported Node version (add an engines.node range and update workflows accordingly) or (b) keep semantic-release on a version compatible with the existing Node runtime.
| "semantic-release": "^24.2.9", | |
| "semantic-release": "^17.0.0", |
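Review bot: a second `"semantic-release": "^17.0.0"` entry remains visible directly after the line bumped to `"^24.2.9"`, so two different majors of the same package are now declared side by side; reconcile the leftover `^17.0.0` range with the bump (or drop it if it is stale) so `npm ci` and the release step resolve a single consistent version.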
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
| @@ -0,0 +1 @@ | |||
| legacy-peer-deps=true | |||
Committing legacy-peer-deps=true disables npm's peer dependency resolution/validation for all installs, which can mask incompatible dependency graphs and make future upgrades harder. Prefer fixing the underlying peer dependency conflicts, or scope this to CI only (e.g., use npm ci --legacy-peer-deps in workflows) and document why it’s needed if it must remain.
| legacy-peer-deps=true |
| uses: actions/checkout@v1 | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v1 |
This workflow still uses deprecated actions/checkout@v1 and actions/setup-node@v1. These older JS actions run on retired Node runtimes and can start failing as GitHub disables them; please upgrade to the current major versions (e.g., checkout v4 / setup-node v4) while updating the runner/Node version.
| uses: actions/checkout@v1 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v1 | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 |
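Review bot: the release workflow bumps `actions/checkout` and `actions/setup-node` to v4, but this hunk shows no `node-version` for the setup-node step; since the comment on package.json above notes that `semantic-release@24.2.9` requires Node >= 20.8.1, pin `node-version` to 20 or later explicitly here rather than relying on the runner default, otherwise `npx semantic-release` can still fail on the release path even after the action upgrade.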
| strategy: | ||
| matrix: | ||
| node-version: [15.x] | ||
| node-version: [20.x] | ||
| # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ | ||
Since this job is now targeting Node 20, please also update the workflow’s Node-related actions (notably actions/setup-node@v1, and ideally actions/checkout@v2) to their current majors. The v1/v2 action generations run on retired Node runtimes and are at risk of being disabled by GitHub, causing CI failures.
| - name: Setup Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 15 | ||
| node-version: 20 |
actions/setup-node@v1 is deprecated and runs on a retired Node runtime. With this workflow moving to Node 20, upgrade to the current major of setup-node (and consider bumping checkout as well) to avoid the action being disabled and breaking the benchmark workflow.
Summary
- `semantic-release` from `^19` to `^24` — v24 pulls in `@semantic-release/npm@12`, which depends on `npm@10`, resolving bundled vulnerable versions of `tar` and `minimatch`.
- `overrides` for `handlebars >= 4.7.9`, `picomatch >= 2.3.2`, `flatted >= 3.4.2`, and `glob-promise >= 6.0.7` to force patched transitive deps.
- `glob-promise >= 6.0.7` drops the `npm-install-peers` dependency that was pulling in `npm@6` with bundled vulnerable `tar` and `minimatch`.
- Resolves all 14 open Dependabot alerts (#90, #91, #93, #94, #95, #97, #99, #101, #102, #103, #105, #106, #108, #109).