chore: resolve open dependabot security alerts#421
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Code Review
This pull request updates several dependencies, including upgrading serialize-javascript to version 7.0.5 and @tootallnate/once to version 3.0.1, while adding minimatch and removing randombytes. Feedback highlights that the serialize-javascript upgrade introduces a breaking requirement for Node.js 20.0.0, which may impact environments on older LTS versions. Additionally, it is recommended to use caret ranges instead of the >= operator in the dependency overrides to ensure stability and prevent unintended major version upgrades.
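The caret-versus-`>=` point in the review above, as an added example that is not part of the PR or of Copilot's review: a small lint for a package.json `overrides` block. It flags open-ended ranges (`>=`, `>`, `*`, `latest`), which let npm resolve a future major version the project has never tested, and checks that each override's lower bound is at least the version the advisory names as patched. The `OVERRIDES_BEFORE` values are constructed to show the flagged pattern; `OVERRIDES_AFTER` and `PATCHED` use the caret ranges and versions listed in this PR. The range parser is a deliberately minimal subset written here, not the `semver` package, and the function names are my own.

```javascript
// Added example (not project code): audit package.json "overrides" for
// open-ended ranges and for lower bounds below the patched release.

// Constructed "before": the ">=" pattern the review warned about.
const OVERRIDES_BEFORE = {
  "serialize-javascript": ">=7.0.5",
  "@tootallnate/once": ">=2.0.1",
  "webpack-dev-server": ">=5.2.4",
};

// "After": caret ranges stay within one major version (for 0.x majors a caret
// is even narrower, staying within the minor).
const OVERRIDES_AFTER = {
  "serialize-javascript": "^7.0.5",
  "@tootallnate/once": "^2.0.1",
  "webpack-dev-server": "^5.2.4",
};

// First patched version per package, as given in the PR summary.
const PATCHED = {
  "serialize-javascript": "7.0.5",
  "@tootallnate/once": "2.0.1",
  "webpack-dev-server": "5.2.4",
};

// "1.2.3" -> [1, 2, 3]; prerelease/build suffixes are ignored on purpose.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Usual -1 / 0 / 1 ordering on major.minor.patch.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal range reader: "^", "~", ">=", ">", "=" or a bare version, plus the
// wildcard spellings. Anything else is reported as unsupported, not guessed.
function parseRange(range) {
  const r = range.trim();
  if (r === "*" || r === "latest" || r === "x") return { op: "any", version: null };
  const m = /^(\^|~|>=|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(r);
  if (!m) return { op: "unsupported", version: null };
  return { op: m[1] || "=", version: m[2] };
}

// Open-ended means the range has no upper bound at all.
function isOpenEnded(range) {
  const { op } = parseRange(range);
  return op === "any" || op === ">=" || op === ">";
}

// Names of overrides that would accept an untested future major version.
function findOpenEndedOverrides(overrides) {
  return Object.keys(overrides).filter((name) => isOpenEnded(overrides[name]));
}

// True only if the lowest version the range can resolve to is at or above
// `patched`. A range that merely *allows* the patched version (e.g. ~0.2.1
// when 0.2.7 is the fix) does not force it, so it is reported as not covering.
// ">" is treated like ">=" here, which is conservative by at most one patch.
function overrideCoversPatch(range, patched) {
  const { version } = parseRange(range);
  if (version === null) return false; // wildcard/unsupported: could pick a vulnerable version
  return compareVersions(version, patched) >= 0;
}

// Per-package findings for one overrides block; an empty array means clean.
function auditOverrides(overrides, patched) {
  const findings = {};
  for (const [name, range] of Object.entries(overrides)) {
    const issues = [];
    if (isOpenEnded(range)) issues.push("open-ended range; use ^ to stay within one major");
    if (name in patched && !overrideCoversPatch(range, patched[name])) {
      issues.push(`lower bound below patched ${patched[name]}`);
    }
    findings[name] = issues;
  }
  return findings;
}

// Convenience gate for CI: true when no override has any finding.
function overridesClean(overrides, patched) {
  return Object.values(auditOverrides(overrides, patched)).every((i) => i.length === 0);
}

console.log("before:", auditOverrides(OVERRIDES_BEFORE, PATCHED));
console.log("after:", auditOverrides(OVERRIDES_AFTER, PATCHED));
```

Run it with `node` against the `overrides` object read from your own package.json; the "before" block reports every entry as open-ended, the "after" block reports nothing. The second check is the one people miss: an override like `~0.2.1` for a package patched in 0.2.7 lets npm choose the fix but does not require it, so a fresh install with a stale lockfile can still land on the vulnerable release.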
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds npm overrides to mitigate several Dependabot security alerts by forcing patched versions of vulnerable transitive dependencies.
Changes:
- Added overrides for serialize-javascript, @tootallnate/once, fast-uri, and @babel/plugin-transform-modules-systemjs.
- Kept existing test-exclude override (with minimatch) and extended the override list.
- Bump @opentelemetry/sdk-node to ^0.217.0 (alert #165, high)
- Bump @opentelemetry/auto-instrumentations-node to ^0.75.0 (alert #164, high)
- Bump related @opentelemetry/* packages to OTel 2.x for compatibility
- Update scripts/tracing.js to use Resource API from OTel 2.x
- Add webpack-dev-server ^5.2.4 override (alerts #69, #70, #166, medium)
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
- Remove fast-uri override (ajv ^3.0.1 range already covers patched 3.1.2)
- Remove @babel/plugin-transform-modules-systemjs override (@babel/preset-env ^7.29.0 already covers patched 7.29.4)
- Downgrade @tootallnate/once override from ^3.0.1 to ^2.0.1 (http-proxy-agent requires major-2; patched 2.0.1 is in range)
- Remove protobufjs override; update @opentelemetry packages to 0.218.0 which drops the protobufjs dependency entirely
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Summary
Addresses all open Dependabot security alerts by bumping direct deps where possible, adding overrides only where a major-version jump is required.
Dependabot Alerts Resolved
- serialize-javascript ^7.0.5 (required: copy-webpack-plugin/css-minimizer-webpack-plugin pin ^6.x)
- fast-uri 3.1.2
- @babel/plugin-transform-modules-systemjs 7.29.4
- @opentelemetry/auto-instrumentations-node ^0.76.0
- @opentelemetry/sdk-node ^0.218.0
- protobufjs 7.6.1
- uuid ^11.1.1 (no patch available in v8/v9/v10 line)
- @tootallnate/once (http-proxy-agent's ^2 range allows 2.0.1)
- qs ^6.15.2
- tmp (~0.2.1 range allows 0.2.7)
- axios ^1.16.0
- webpack-dev-server ^5.2.4 (required: @nx/webpack@17 pins ^4.x)
Notes
- npm install requires --legacy-peer-deps due to a pre-existing @nestjs/schematics/prettier peer dependency conflict unrelated to this change.