[DPEDE-1784](deps): Bump defu from 6.1.4 to 6.1.6 #2008

Open
dependabot[bot] wants to merge 1 commit into master from dependabot-npm_and_yarn-defu-6.1.6

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Apr 4, 2026

Bumps defu from 6.1.4 to 6.1.6.

Release notes

Sourced from defu's releases.

v6.1.6

compare changes

📦 Build

v6.1.5

compare changes

🩹 Fixes

  • Prevent prototype pollution via __proto__ in defaults (#156)
  • Ignore inherited enumerable properties (11ba022)

✅ Tests

  • Add more tests for plain objects (b65f603)

❤️ Contributors

Changelog

Sourced from defu's changelog.

v6.1.6

compare changes

📦 Build

❤️ Contributors

v6.1.5

compare changes

🩹 Fixes

  • Prevent prototype pollution via __proto__ in defaults (#156)
  • Ignore inherited enumerable properties (11ba022)

🏡 Chore

✅ Tests

  • Add more tests for plain objects (b65f603)

🤖 CI

❤️ Contributors

Commits
  • 001c290 chore(release): v6.1.6
  • 407b516 build: fix mixed types
  • 23e59e6 chore(release): v6.1.5
  • 11ba022 fix: ignore inherited enumerable properties
  • 3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
  • d3ef16d chore(deps): update actions/checkout action to v6 (#151)
  • 869a053 chore(deps): update actions/setup-node action to v6 (#149)
  • a97310c chore(deps): update codecov/codecov-action action to v6 (#154)
  • 89df6bb chore: fix typecheck
  • 9237d9c ci: bump node
  • Additional commits viewable in compare view


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [defu](https://github.com/unjs/defu) from 6.1.4 to 6.1.6.
- [Release notes](https://github.com/unjs/defu/releases)
- [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md)
- [Commits](unjs/defu@v6.1.4...v6.1.6)

---
updated-dependencies:
- dependency-name: defu
  dependency-version: 6.1.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the `dependencies` (Pull requests that update a dependency file) and `javascript` (Pull requests that update javascript code) labels, Apr 4, 2026
dependabot[bot] requested a review from a team as a code owner, April 4, 2026 06:21
@lumen-jenkins-prod


The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-2008/1/. ❌

cl-aifel-test Bot commented Jun 29, 2026

🔖 aifel-verdict — AiFEL dependency-triage verdict (schema 1.1)

AiFEL verdict — 🚨 Escalate (ci-health) — human review required

Patch bump of defu 6.1.4→6.1.6 fixes a high-severity prototype-pollution advisory (CVSS 7.5) with no breaking changes and no in-repo usage; escalated solely because critical CI on the default branch is passing at only 64% across 28 runs.

TL;DR

  • Merge: 🔍 review, then merge — the dependency itself is safe; confirm the CI failures are pre-existing and unrelated to this PR, then merge.
  • Breaks your code? ✅ Most likely not.
  • Security? ✅ this bump fixes GHSA-737v-mqg7-c878 (CVE-2026-35209, CVSS 7.5).
  • Update: defu (you have 6.1.4, this PR installs 6.1.6; patch, spans 2 releases). Fixes GHSA-737v-mqg7-c878 (prototype pollution via __proto__); no code impact.
| Signal | Value | Interpretation |
|---|---|---|
| Bump type | patch | z-version increment (6.1.4→6.1.6); semver promises no breaking changes, only bug and security fixes. Both releases confirmed as fixes-only in the changelog. |
| Dependency risk | low | Patch bump with no breaking changes in range; defu is not imported anywhere in repo source (api_usage_found: false), so blast radius is zero. Safe to merge on the dependency axis. |
| Security risk | low | This bump fixes GHSA-737v-mqg7-c878 (CVE-2026-35209, CVSS 7.5 high, prototype pollution via __proto__ key); the vulnerable range is ≤6.1.4 and 6.1.6 is fully outside it. No advisories affect the new version. |
| CI health risk | high | Critical checks passing at 64.3%, flakiness 0%, 28 critical runs on default branch → ci_confidence: low. Multiple npm_and_yarn Dependabot update runs and other workflows are failing; these failures appear pre-existing and unrelated to the defu bump. |
| API usage in repo | false | Scanned repo source for all import forms of defu (ESM from, require, dynamic import, re-export); 0 matches. Package is not directly used in source. |
| Cross-repo signal | standalone | No publishable root manifest found in the repo root. |
| Data completeness | complete | All 5 signals obtained: classification ✅, api_usage ✅, release_notes ✅, ci_health ✅, cascade ✅. |
📋 Why this route + what AiFEL checked

Why this route?

escalate because: critical CI health is low — pass rate 64.3% over 28 critical runs on the default branch, which crosses the Step 7 CI low → escalate threshold.

Escalation category: ci-health — the dependency and security axes are both low risk; CI health alone triggers escalation. This is not a signal that the dependency is dangerous.

Confidence breakdown — score: 0.85. List the factors that produced it, not just the number:

  • ✅ Patch bump — semver guarantees no breaking changes

  • ✅ No in-repo usage of defu (api_usage_found: false) — zero blast radius

  • ✅ Fixes GHSA-737v-mqg7-c878 (CVSS 7.5) — a net security improvement; no remaining advisories

  • ✅ No cascade conflicts (no other open Dependabot PRs for defu)

  • ✅ Changelog confirms only fixes: prototype-pollution patch (v6.1.5) and build type correction (v6.1.6)

  • ⚠️ Critical CI is low (pass rate 64.3%, 28 critical runs) — confidence docked 0.15

  • 💡 To reach a lower route: bring the critical CI pass rate on master to ≥70% (→ spot_check) or ≥90% (→ auto_eligible). The failing runs in the CI window are primarily other Dependabot update PRs (npm_and_yarn group bumps for unrelated packages) — if a human reviewer confirms those failures pre-date this PR and are not caused by defu, this PR may be cleared. Note: fixing informational workflows (if any) will NOT change the route.

What AiFEL checked

  1. Triage — classified patch (defu 6.1.4→6.1.6).
  2. Symbol extraction — none found (0 import sites across 0 files scanned).
  3. Release-notes comparator — v6.1.5: fixes prototype pollution via __proto__ in defaults and ignores inherited enumerable properties; v6.1.6: build fix for mixed types. No breaking changes in range.
  4. CI health — 28 critical runs on default branch: pass 64.3%, flaky 0% → confidence low; informational excluded: none.
  5. Cascade coordinator — 0 conflicts.
  6. Data completeness — obtained 5/5 signals; missing: none.

Will merging break your code?

Per AiFEL analysis, most likely won't impact your code. defu is not imported anywhere in the repo source and the changelog documents only a security fix and a build-type correction — no breaking API changes in either release.

Security advisories

✅ This bump resolves all 1 known advisories and none affect 6.1.6 — clear on the security axis.

Resolved by this bump (1): GHSA-737v-mqg7-c878 (CVE-2026-35209, CVSS 7.5 high — prototype pollution via __proto__ key in defaults argument; affected range ≤6.1.4; first patched 6.1.5) — no action needed.

Packages — what you have vs what this PR installs

| Ecosystem | Package | You have | This PR installs | What changes for you |
|---|---|---|---|---|
| npm | defu | 6.1.4 | 6.1.6 | Fixes GHSA-737v-mqg7-c878 (prototype pollution, CVSS 7.5); routine patch, no code impact |

Machine-readable verdict

```json
{
  "schema_version": "1.1",
  "classification": "patch",
  "risk_band": "low",
  "ci_confidence": "low",
  "decision_route": "escalate",
  "data_completeness": "complete",
  "escalate_reason": "risk",
  "missing_signals": [],
  "confidence": 0.85,
  "packages": [{"ecosystem": "npm", "name": "defu", "old_version": "6.1.4", "new_version": "6.1.6"}],
  "breaking_changes": [],
  "cascade_conflicts": [],
  "summary": "Patch bump of defu 6.1.4→6.1.6 that fixes GHSA-737v-mqg7-c878 (prototype pollution, CVSS 7.5); defu is unused in repo source; escalated on CI health (pass rate 64.3% over 28 critical runs).",
  "upgrade_risk_note": null,
  "cross_repo_signal": "standalone",
  "api_usage_found": false,
  "advisory_ids": [],
  "max_cvss": null,
  "feedback_capture_marker": "aifel-CenturyLink-Chi-2008",
  "agent_version": "1.1.1-aw"
}
```

🤖 Generated by AiFEL — AI-assisted Dependabot triage. Advisory only; a human reviewer still decides and merges.

cl-aifel-test Bot added the `aifel/escalate` (AiFEL: human review required (breaking change or risk)) label, Jun 29, 2026
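The v6.1.5 entries in the release notes above ("Prevent prototype pollution via __proto__ in defaults" and "Ignore inherited enumerable properties") and the advisory summary in the AiFEL comment name a bug class without showing it. The block below is an added example written for this page: it is not defu's source and not the advisory's proof of concept. It puts a naive in-place defaults merge of the vulnerable kind next to a hardened one, and adds a probe that takes any defaults-merge function and reports whether a JSON-controlled defaults object can write into `Object.prototype`. The function names (`naiveDefaults`, `safeDefaults`, `pollutesPrototype`, `copiesInheritedProperties`), the defu-like argument order (first argument wins, second supplies defaults), and the hostile payload are assumptions and constructed inputs, not material from the PR.

```javascript
// Added example (not defu's code): vulnerable vs hardened defaults merge, plus
// probes for the two fixes named in the v6.1.5 changelog.

// Plain-object test (assumption: anything whose toString tag is [object Object]).
function isPlainObject(value) {
  return value !== null && typeof value === 'object' &&
    Object.prototype.toString.call(value) === '[object Object]';
}

// VULNERABLE PATTERN (illustrative): walks every enumerable key of `defaults`,
// own or inherited, and when both sides hold an object it descends IN PLACE.
// For the key "__proto__", target["__proto__"] is Object.prototype itself, so
// the recursion assigns the planted keys onto the global prototype.
function naiveDefaults(target, defaults) {
  for (const key in defaults) {
    const value = defaults[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      naiveDefaults(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: builds a fresh result (never mutates either input), refuses keys
// that reach the prototype chain, and uses Object.keys so only OWN enumerable
// properties of `defaults` are honoured; inherited ones are ignored.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDefaults(target, defaults) {
  const out = {};
  for (const key of Object.keys(target)) {
    if (!FORBIDDEN_KEYS.has(key)) out[key] = target[key];
  }
  for (const key of Object.keys(defaults)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = defaults[key];
    if (isPlainObject(value) && isPlainObject(out[key])) {
      out[key] = safeDefaults(out[key], value);
    } else if (out[key] === undefined) {
      out[key] = value;
    }
  }
  return out;
}

// Probe: feed mergeFn the classic payload and check whether a brand-new object
// now sees the planted key. A unique marker plus cleanup in `finally` means the
// probe never leaves the process polluted, even against a vulnerable function.
function pollutesPrototype(mergeFn) {
  const marker = '__pp_probe_' + Math.random().toString(36).slice(2);
  // Constructed payload: JSON.parse yields an OWN property literally named "__proto__".
  const hostile = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    mergeFn({}, hostile);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker];
  }
}

// Second v6.1.5 item: an enumerable property inherited through the defaults
// object's prototype chain must not be copied into the result.
function copiesInheritedProperties(mergeFn) {
  const defaults = Object.create({ inheritedFlag: 'from-prototype' });
  defaults.own = 1;
  const result = mergeFn({}, defaults);
  return Object.prototype.hasOwnProperty.call(result, 'inheritedFlag');
}

// Ordinary use: first argument wins, defaults fill gaps, nested objects merge.
function example() {
  return safeDefaults({ a: 1, nested: { x: 1 } }, { a: 0, b: 2, nested: { x: 0, y: 3 } });
}

console.log('naive pollutes:', pollutesPrototype(naiveDefaults));                 // true
console.log('safe pollutes:', pollutesPrototype(safeDefaults));                   // false
console.log('naive copies inherited:', copiesInheritedProperties(naiveDefaults)); // true
console.log('safe copies inherited:', copiesInheritedProperties(safeDefaults));   // false
console.log(JSON.stringify(example()));
```

Because `pollutesPrototype` and `copiesInheritedProperties` accept any merge function, the same two probes can be pointed at the `defu` export of whatever version a lockfile actually resolves to; that is a quicker confirmation than reading the changelog, and it is the check a reviewer clearing this PR on the security axis would want. The hardened function here is only an illustration of the mitigations, not a substitute for taking the upgrade.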

Labels

  • aifel/escalate: AiFEL: human review required (breaking change or risk)
  • dependencies: Pull requests that update a dependency file
  • javascript: Pull requests that update javascript code
