fix: bump vulnerable transitive dependencies via resolutions#595

Merged
jonathannorris merged 3 commits into main from fix/dependabot-alerts on Apr 6, 2026

Conversation

@jonathannorris (Member)

Summary

  • Adds yarn resolutions entries to force patched versions of vulnerable transitive dependencies
  • Fixes 9 open Dependabot alerts: brace-expansion, picomatch, flatted, and undici
| Package | Old Version | Patched Version | Severity |
|---|---|---|---|
| brace-expansion | 1.1.11 | 1.1.13 | medium |
| brace-expansion | 2.0.1, 2.0.2 | 2.0.3 | medium |
| picomatch | 2.3.1 | 2.3.2 | medium |
| picomatch | 4.0.2 | 4.0.4 | medium / high |
| flatted | 3.3.3 | 3.4.2 | high |
| undici | 7.14.0 | 7.24.6 | medium / high |
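As an added check that is not part of this PR or the project's code: a small Node script that parses a Yarn Berry lockfile and reports every entry from the table above that is still below its patched version, which is the thing a resolutions bump is supposed to guarantee and the lockfile is the only place it can be confirmed. The lockfile layout, the sample entries and the helper names are assumptions.

```javascript
// Added example, not code from PR #595: check that a Yarn Berry yarn.lock has
// resolved the packages from the PR table to at least their patched versions.
// Assumes the Berry layout ("pkg@npm:range":\n  version: x.y.z); prerelease
// suffixes are ignored and major.minor.patch are compared numerically.
const PATCHED = { // patched minimum per major line, taken from the PR table
  'brace-expansion': { 1: '1.1.13', 2: '2.0.3' },
  picomatch: { 2: '2.3.2', 4: '4.0.4' },
  flatted: { 3: '3.4.2' },
  undici: { 7: '7.24.6' },
};

function parseYarnLock(text) { // -> [{ name, version }] for each locked entry
  const entries = []; let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Entry header such as "undici@npm:^7.10.0, undici@npm:^7.20.0": (first descriptor is enough)
      const desc = line.slice(0, -1).replace(/^"|"$/g, '').split(',')[0].trim();
      const at = desc.lastIndexOf('@'); // keeps @scope/name intact; -1 skips __metadata
      current = at > 0 ? { name: desc.slice(0, at), version: null } : null;
      if (current) entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version:\s*"?([^"\s]+)/);
      if (m) current.version = m[1];
    }
  }
  return entries.filter((e) => e.version);
}
function cmpVersion(a, b) { // negative when a < b, 0 when equal, positive when a > b
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
function findUnpatched(lockText) { // locked entries still below the patched minimum
  return parseYarnLock(lockText).flatMap(({ name, version }) => {
    const min = PATCHED[name]?.[version.split('.')[0]];
    return min && cmpVersion(version, min) < 0 ? [{ name, version, min }] : [];
  });
}
// Constructed sample lockfile: two entries already patched, two still vulnerable.
const SAMPLE_LOCK = `"brace-expansion@npm:^1.1.7":
  version: 1.1.13
"brace-expansion@npm:^2.0.1":
  version: 2.0.1
"flatted@npm:^3.2.9":
  version: 3.4.2
"undici@npm:^7.10.0":
  version: 7.14.0
`;
console.log(findUnpatched(SAMPLE_LOCK)); // brace-expansion 2.0.1 (< 2.0.3) and undici 7.14.0 (< 7.24.6)
```

Point it at the real file with `findUnpatched(require('fs').readFileSync('yarn.lock', 'utf8'))`; an empty array means every locked copy of the four packages is at or above the patched version.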

Copilot AI review requested due to automatic review settings March 31, 2026 19:21
@jonathannorris jonathannorris requested a review from a team as a code owner March 31, 2026 19:21

Copilot AI left a comment


Pull request overview

This PR addresses Dependabot-reported vulnerabilities by forcing patched versions of several vulnerable transitive dependencies using Yarn resolutions, and updating the lockfile accordingly.

Changes:

  • Added Yarn resolutions overrides for brace-expansion, picomatch, flatted, and undici to ensure patched versions are selected.
  • Updated yarn.lock to reflect the resolved patched versions and checksums.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| package.json | Adds resolutions entries to force patched transitive dependency versions. |
| yarn.lock | Updates locked versions/checksums for the affected transitive dependencies. |


Comment thread package.json Outdated
Copilot AI review requested due to automatic review settings April 6, 2026 19:46

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 7 changed files in this pull request and generated 3 comments.



Comment thread package.json
Comment on lines +88 to +91
"flatted@^3.2.9": "^3.4.2",
"undici@^7.10.0": "^7.24.6",
"lodash@^4.17.15": "^4.18.0",
"lodash@^4.17.21": "^4.18.0"
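Review bot: the `lodash@^4.17.15` and `lodash@^4.17.21` keys only rewrite dependencies that declare exactly those two ranges; a lodash descriptor with any other range elsewhere in the tree keeps resolving to the old version. Either confirm with `yarn why lodash` that no other descriptor remains after install, or use a bare `"lodash": "^4.18.0"` key so every lodash dependency is covered. The same descriptor-specific caveat applies to `flatted@^3.2.9` and `undici@^7.10.0`.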

Copilot AI Apr 6, 2026


The PR description/table lists fixes for brace-expansion, picomatch, flatted, and undici, but this change also introduces new lodash resolutions (and the lockfile moves lodash to 4.18.1). Please either document lodash as part of the security bump (including the versions/alerts being addressed) or drop the lodash resolutions if they’re unintended.

Comment on lines 14 to 18
"packageManager": "yarn@4.9.2",
"resolutions": {
"diff@^4.0.1": "^4.0.4"
"diff@^4.0.1": "^4.0.4",
"lodash@^4.17.21": "^4.18.0"
}

Copilot AI Apr 6, 2026


This adds a lodash resolution, but lodash isn’t mentioned in the PR summary/table of patched dependencies. Please document why lodash is being forced here (which alert/vulnerability it addresses) or remove the resolution if it’s not required.

Comment on lines 16 to 21
"packageManager": "yarn@4.9.2",
"resolutions": {
"diff@^4.0.1": "^4.0.4",
"qs@^6.5.2": "^6.14.2"
"qs@^6.5.2": "^6.14.2",
"lodash@^4.17.21": "^4.18.0"
}

Copilot AI Apr 6, 2026


This adds a lodash resolution, but lodash isn’t mentioned in the PR summary/table of patched dependencies. Please document why lodash is being forced here (which alert/vulnerability it addresses) or remove the resolution if it’s not required.

@jonathannorris jonathannorris merged commit 3c1dade into main Apr 6, 2026
12 checks passed
@jonathannorris jonathannorris deleted the fix/dependabot-alerts branch April 6, 2026 20:10