
fix: address open dependabot security alerts #556

Merged
jonathannorris merged 2 commits into main from chore/fix-dependabot-alerts
Mar 12, 2026

Conversation

@jonathannorris
Member

Summary

  • Bump direct deps (hono, ajv, minimatch, @modelcontextprotocol/sdk) to patched versions
  • Add yarn resolutions for transitive minimatch@3/5/7, rollup, and qs vulnerabilities
  • Addresses 20 of 25 open dependabot alerts

Remaining alerts

5 alerts deferred — they require breaking version changes (agents 0.2→0.3+, tar 6→7, @tootallnate/once 1/2→3) and need separate PRs with more careful migration.
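The PR relies on Yarn resolutions and a refreshed lockfile to get transitive minimatch and rollup onto patched versions. As an added example (not code from this PR or the devcycle-mcp-server project), the script below parses a Yarn Berry lockfile and reports any entry still resolved below those floors, which is the kind of check that turns "addressed via lockfile" into something CI can verify. The floors are the versions this PR's resolutions pin to; the lockfile text is a constructed sample, and the parser is my own minimal one, not Yarn's.

```javascript
// Added example, not the PR's or the project's code; floors are the versions the PR's resolutions pin to.
const PATCHED_FLOORS = {
  minimatch: { 3: "3.1.4", 5: "5.1.8", 7: "7.4.8" },
  rollup: { 4: "4.59.0" },
};

// Numeric compare of dotted versions (-1, 0, 1); prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(/[-+]/)[0].split(".").map(Number));
  const diff = [0, 1, 2].map((i) => (pa[i] || 0) - (pb[i] || 0)).find((d) => d !== 0) || 0;
  return Math.sign(diff);
}

// Minimal Yarn Berry lockfile parser: an unindented line ending in ':' opens an entry and
// lists its descriptors; its indented 'version:' line is the resolved version. '__metadata' is skipped.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (/^[^\s#].*:\s*$/.test(line)) {
      const descriptors = line.replace(/:\s*$/, "").replace(/"/g, "").split(",").map((d) => d.trim());
      current = descriptors[0] === "__metadata" ? null : { descriptors, version: null };
      if (current) entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version:\s*"?([^"\s]+)/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}
// "@scope/name@npm:^1.0.0" -> "@scope/name"; "name@npm:^1.0.0" -> "name".
const packageName = (d) => (d.indexOf("@", 1) < 0 ? d : d.slice(0, d.indexOf("@", 1)));

// One finding per lockfile entry that resolves below the floor for its major version.
function findUnpatched(lockText, floors = PATCHED_FLOORS) {
  return parseLockfile(lockText)
    .filter((e) => e.version)
    .map((e) => ({ name: packageName(e.descriptors[0]), version: e.version, descriptors: e.descriptors }))
    .filter((e) => {
      const floor = floors[e.name]?.[e.version.split(".")[0]];
      return floor !== undefined && compareVersions(e.version, floor) < 0;
    });
}

// Constructed sample lockfile: the 5.x entry is still below the 5.1.8 floor.
const SAMPLE_LOCK = `"minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
  version: 3.1.4
"minimatch@npm:^5.0.1":
  version: 5.1.6
`;
```

Running `findUnpatched` over a real `yarn.lock` (read with `fs.readFileSync`) and failing the build on a non-empty result catches a dependency that re-introduces an unpinned range after a later install.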

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers


Status: ❌ Deployment failed
Name: devcycle-mcp-server
Latest Commit: 06bae8b
Updated (UTC): Mar 11 2026, 02:14 PM


Copilot AI left a comment


Pull request overview

This PR focuses on reducing Dependabot security alerts by upgrading several direct dependencies and pinning vulnerable transitive dependency versions via Yarn resolutions.

Changes:

  • Bumped direct dependencies to patched versions (@modelcontextprotocol/sdk, ajv, minimatch, hono).
  • Added Yarn resolutions to force patched transitive versions of minimatch (3/5/7) and rollup.
  • Refreshed yarn.lock to reflect the updated dependency graph (including patched transitive versions like qs).

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

  • package.json: Updates direct dependency ranges and adds resolutions to pin vulnerable transitive packages.
  • yarn.lock: Updates the lockfile to the resolved patched versions across the dependency graph.
  • oclif.manifest.json: Updates manifest version metadata to align with the release version.
  • mcp-worker/package.json: Bumps hono dependency in the worker workspace.


Comment on lines +174 to +178
"minimatch@npm:^3.1.1": "3.1.4",
"minimatch@npm:^3.1.2": "3.1.4",
"minimatch@npm:^5.0.1": "5.1.8",
"minimatch@npm:^7.2.0": "7.4.8",
"rollup@npm:^4.43.0": "4.59.0"
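Review bot: each of these resolution keys overrides only dependents that request exactly that range string (`minimatch@npm:^3.1.1`, `^3.1.2`, `^5.0.1`, `^7.2.0`, `rollup@npm:^4.43.0`), so a dependency that later declares any other minimatch 3/5/7 or rollup 4 range resolves unconstrained and can reintroduce an unpatched version; and because the right-hand sides are exact pins, newer patch releases will not be picked up until someone edits this block. Consider a short comment above the block naming the advisories each pin closes and the date it should be revisited, and a CI step that fails when yarn.lock contains a minimatch 3/5/7 or rollup 4 entry below 3.1.4/5.1.8/7.4.8/4.59.0.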

Copilot AI Mar 11, 2026


PR description mentions adding yarn resolutions for a transitive qs vulnerability, but the resolutions block only pins minimatch and rollup (no qs entry). If qs still needs to be forced for security, add an explicit qs resolution; otherwise, update the PR description to reflect that qs was addressed via lockfile upgrades rather than a resolution.

Copilot AI review requested due to automatic review settings March 11, 2026 14:33

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated no new comments.


@jonathannorris jonathannorris merged commit 7df1fce into main Mar 12, 2026
10 checks passed
@jonathannorris jonathannorris deleted the chore/fix-dependabot-alerts branch March 12, 2026 13:57

3 participants