Patch Dependabot vulnerabilities in npm and Python dependencies#29
Open
chrisrobison wants to merge 1 commit into
Conversation
- update root lockfile packages to patched versions for vite, rollup, picomatch, flatted, undici, and minimatch
- update registry lockfile packages to patched versions for ajv, minimatch, and flatted
- bump Python example backend pins: Flask 3.1.3 and PyJWT 2.12.0
- verify npm audits are clean for root and registry
## Summary

This PR updates lockfiles and pinned Python dependencies to resolve the currently open Dependabot advisories in where fixes were available.

## Changes

- update root to patched versions for:
  ```text
  VITE v7.1.10  ready in 139 ms
  ➜  Local:   http://localhost:5173/
  ➜  Network: use --host to expose
  ```
  - 7.3.2
  - 4.60.1
  - 4.0.4
  - 3.4.2
  - 7.24.7
  - 3.1.5 and 9.0.9+
- update to patched versions for:
  - 8.18.0
  - 3.1.5
  - 3.4.2
  - patched via transitive update
- bump Python backend example pins in :
  - 
  - 

## Verification

- (repo root): 0 vulnerabilities
  ```text
  # npm audit report

  brace-expansion  5.0.2 - 5.0.5
  Severity: moderate
  brace-expansion: Large numeric range defeats documented max DoS protection - GHSA-jxxr-4gwj-5jf2
  fix available via `npm audit fix`
  node_modules/test-exclude/node_modules/brace-expansion

  fast-uri  <=3.1.1
  Severity: high
  fast-uri vulnerable to path traversal via percent-encoded dot segments - GHSA-q3j6-qgpj-74h6
  fast-uri vulnerable to host confusion via percent-encoded authority delimiters - GHSA-v39h-62p7-jpjc
  fix available via `npm audit fix`
  node_modules/fast-uri

  follow-redirects  <=1.15.11
  Severity: moderate
  follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets - GHSA-r4q5-vmmm-2653
  fix available via `npm audit fix`
  node_modules/follow-redirects

  postcss  <8.5.10
  Severity: moderate
  PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - GHSA-qx2v-qp2m-jg93
  fix available via `npm audit fix`
  node_modules/postcss

  qs  6.11.1 - 6.15.1
  Severity: moderate
  qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - GHSA-q8mj-m7cp-5q26
  fix available via `npm audit fix`
  node_modules/qs

  tmp  <0.2.6
  Severity: high
  tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - GHSA-ph9p-34f9-6g65
  fix available via `npm audit fix`
  node_modules/tmp

  uuid  <11.1.1
  Severity: moderate
  uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - GHSA-w5hq-g745-h8pq
  fix available via `npm audit fix`
  node_modules/uuid
    @azure/msal-node  <=5.1.4
    Depends on vulnerable versions of uuid
    node_modules/@azure/msal-node

  ws  8.0.0 - 8.20.0
  Severity: moderate
  ws: Uninitialized memory disclosure - GHSA-58qx-3vcg-4xpx
  fix available via `npm audit fix`
  node_modules/ws

  9 vulnerabilities (7 moderate, 2 high)

  To address all issues, run:
    npm audit fix
  ```
- (): 0 vulnerabilities
  ```text
  found 0 vulnerabilities
  ```
- pass (no test files)
  ```text
   RUN  v4.0.16 /Users/cdr/Projects/larc-repos/react-adapter
  No test files found, exiting with code 0
  ```

## Note

Dependabot alert counts on the default branch remain unchanged until this PR is merged and GitHub reprocesses alerts.
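The verification step above relies on reading `npm audit` output by eye and reporting "0 vulnerabilities". The script below is an added example, not code from this PR or the project, showing how the same check can be made a CI gate: it parses the machine-readable `npm audit --json` output (the `auditReportVersion: 2` shape that npm 7 and later emit, which is an assumption about the npm version in use), counts findings per severity, and fails when anything at or above a chosen threshold remains. The embedded sample report is constructed to mirror the nine findings in the text report quoted above (7 moderate, 2 high); it was not captured from the repository, and the `fixAvailable` object on `@azure/msal-node` uses a placeholder version.

```python
"""CI gate over `npm audit --json` output (added example, not project code).

Assumes the auditReportVersion 2 JSON shape produced by npm 7+. The sample
report is constructed for illustration and is not captured from the repo.
"""
import json
import sys
from collections import Counter

# Severity scale used by npm audit, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def _entry(name, severity, version_range, fix=True, direct=False):
    """Build one entry in the auditReportVersion 2 `vulnerabilities` shape."""
    return {"name": name, "severity": severity, "isDirect": direct,
            "range": version_range, "fixAvailable": fix}


# Constructed sample mirroring the findings in the PR's text report.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "brace-expansion": _entry("brace-expansion", "moderate", "5.0.2 - 5.0.5"),
        "fast-uri": _entry("fast-uri", "high", "<=3.1.1"),
        "follow-redirects": _entry("follow-redirects", "moderate", "<=1.15.11"),
        "postcss": _entry("postcss", "moderate", "<8.5.10"),
        "qs": _entry("qs", "moderate", "6.11.1 - 6.15.1"),
        "tmp": _entry("tmp", "high", "<0.2.6"),
        "uuid": _entry("uuid", "moderate", "<11.1.1"),
        # Vulnerable only through uuid; npm then reports fixAvailable as an
        # object naming the package and version that resolves it (placeholder).
        "@azure/msal-node": _entry(
            "@azure/msal-node", "moderate", "<=5.1.4",
            fix={"name": "@azure/msal-node", "version": "0.0.0-constructed",
                 "isSemVerMajor": False}),
        "ws": _entry("ws", "moderate", "8.0.0 - 8.20.0"),
    },
})


def _rank(severity):
    """Numeric rank of a severity; unknown values are rejected, not ignored."""
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity in audit report: {severity!r}")
    return SEVERITY_ORDER.index(severity)


def load_report(text):
    """Parse `npm audit --json` output and check the report version."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected auditReportVersion 2 (npm 7+ `npm audit --json`)")
    return report


def count_by_severity(report):
    """Count findings per severity, e.g. Counter({'moderate': 7, 'high': 2})."""
    return Counter(v["severity"] for v in report["vulnerabilities"].values())


def findings_at_or_above(report, threshold):
    """Sorted package names whose severity is at or above `threshold`."""
    floor = _rank(threshold)
    return sorted(name for name, v in report["vulnerabilities"].items()
                  if _rank(v["severity"]) >= floor)


def fix_is_breaking(entry):
    """True when npm says the fix needs a semver-major bump (fixAvailable object)."""
    fix = entry.get("fixAvailable")
    return isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))


def gate(report, fail_on="high"):
    """Return (passed, summary); passed is False if any finding is at or above fail_on."""
    counts = count_by_severity(report)
    total = sum(counts.values())
    summary = f"{total} vulnerabilities (" + ", ".join(
        f"{counts[s]} {s}" for s in reversed(SEVERITY_ORDER) if counts[s]) + ")"
    blocking = findings_at_or_above(report, fail_on)
    if not blocking:
        return True, f"{summary}; none at or above {fail_on}"
    breaking = [n for n in blocking if fix_is_breaking(report["vulnerabilities"][n])]
    detail = f"; blocking: {', '.join(blocking)}"
    if breaking:
        detail += f"; fix needs a semver-major bump for: {', '.join(breaking)}"
    return False, summary + detail


if __name__ == "__main__":
    # Usage: npm audit --json | python3 audit_gate.py [threshold]
    # With no piped input the constructed sample is evaluated instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    threshold = sys.argv[1] if len(sys.argv) > 1 else "high"
    ok, message = gate(load_report(text), fail_on=threshold)
    print(message)
    sys.exit(0 if ok else 1)
```

Run against the sample, the gate fails at the default `high` threshold because `fast-uri` and `tmp` remain, and passes only at `critical`; after a lockfile update like this PR's, a clean `npm audit --json` (empty `vulnerabilities` object) passes at any threshold, which is the state the "0 vulnerabilities" bullets above describe.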