chore: resolve dependabot security advisories for transitive deps #560

Merged
jonathannorris merged 2 commits into main from chore/fix-dependabot-alerts
Mar 27, 2026

Conversation

@jonathannorris
Member

Summary

  • Pin patched versions for transitive packages called out by Dependabot (undici, flatted, tar, @tootallnate/once, diff).
  • Bump direct axios and lodash to versions that clear npm audit.

Why

Dependabot flagged multiple CVEs/GHSAs in the lockfile; Yarn resolutions force safe versions where upstream ranges still resolve to vulnerable builds. Axios and lodash were direct deps still in vulnerable ranges per yarn npm audit.

Tests: yarn test:ci and yarn npm audit (clean).
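A check a reviewer of this kind of change would want, added here as an example that is not part of PR #560 or the project's code: a small Node script that reads the resolutions map of a package.json and flags overrides that are ranges rather than exact pins, plus overrides whose key carries a descriptor (which Yarn applies only to dependents requesting that one range). The function names are this example's own; the sample resolutions map reproduces the entries shown in the diff below.

```javascript
// Added example (not part of PR #560 or the project's code): audit the
// "resolutions" map of a package.json and report which overrides are
// ranges rather than exact pins, and which are descriptor-scoped and so
// apply only to one requested range. Function names are this example's own.

// Exact semver version, optionally with prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(value) {
  return EXACT_VERSION.test(value);
}

// Split a Yarn resolutions key into parent path, package name and optional
// descriptor. Keys may be nested ("parent/child"), scoped packages occupy two
// path segments ("@scope/name"), and "name@npm:^4.0.1" narrows the override
// to dependents that request exactly that range.
function parseResolutionKey(key) {
  const segments = key.split('/');
  const parts = [];
  for (let i = 0; i < segments.length; i++) {
    if (segments[i].startsWith('@') && i + 1 < segments.length) {
      parts.push(`${segments[i]}/${segments[i + 1]}`); // keep "@scope/name" together
      i++;
    } else {
      parts.push(segments[i]);
    }
  }
  const target = parts[parts.length - 1];
  const at = target.indexOf('@', 1); // index 0 may be the scope marker
  return {
    parents: parts.slice(0, -1),
    name: at === -1 ? target : target.slice(0, at),
    descriptor: at === -1 ? null : target.slice(at + 1),
  };
}

// Classify every resolution. Returns a list of findings:
//   kind "range"  - the forced version is itself a range, so a future lockfile
//                   regeneration may float to a build nobody reviewed
//   kind "scoped" - the key carries a descriptor, so other requested ranges
//                   for the same package are untouched by this override
function auditResolutions(packageJson) {
  const findings = [];
  for (const [key, version] of Object.entries(packageJson.resolutions || {})) {
    const { name, descriptor } = parseResolutionKey(key);
    if (!isExactVersion(version)) {
      findings.push({ key, name, version, kind: 'range',
        note: `resolution for ${name} is a range (${version}), not an exact pin` });
    }
    if (descriptor !== null) {
      findings.push({ key, name, version, kind: 'scoped',
        note: `resolution for ${name} only applies to dependents requesting "${descriptor}"` });
    }
  }
  return findings;
}

// Constructed sample: the resolutions entries as they appear in the PR diff.
const SAMPLE_PACKAGE_JSON = {
  resolutions: {
    'agents/@modelcontextprotocol/sdk': '1.27.1',
    flatted: '^3.4.2',
    undici: '^7.24.0',
    tar: '^7.5.11',
    '@tootallnate/once': '^3.0.1',
    'diff@npm:^4.0.1': '4.0.4',
  },
};

// Run directly (node audit-resolutions.js) to print the findings for the sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditResolutions(SAMPLE_PACKAGE_JSON)) {
    console.log(`[${f.kind}] ${f.key}: ${f.note}`);
  }
}
```

On the sample above the script reports four "range" findings (flatted, undici, tar, @tootallnate/once) and one "scoped" finding (diff), which is the same observation a reviewer makes by eye; the point of scripting it is that the check can run in CI after any lockfile regeneration, where a caret range in resolutions would otherwise let the forced version drift silently.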

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

Status: ✅ Deployment successful! | Name: devcycle-mcp-server | Latest Commit: 876b847 | Updated (UTC): Mar 24 2026, 09:16 AM

Copilot AI left a comment

Pull request overview

Updates dependency versions to address Dependabot / npm audit security advisories by bumping direct dependencies and adding Yarn resolutions to force patched transitive versions.

Changes:

  • Bump direct deps axios and lodash to newer versions.
  • Add Yarn resolutions entries for vulnerable transitive packages (e.g., undici, flatted, tar, @tootallnate/once, diff).
  • Regenerate yarn.lock to reflect the new dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

File | Description
package.json | Bumps direct deps and adds resolutions to force patched transitive versions.
yarn.lock | Lockfile updates reflecting the new direct versions and forced transitive resolutions.

Comment on lines +179 to +184
"agents/@modelcontextprotocol/sdk": "1.27.1",
"flatted": "^3.4.2",
"undici": "^7.24.0",
"tar": "^7.5.11",
"@tootallnate/once": "^3.0.1",
"diff@npm:^4.0.1": "4.0.4"
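Review bot: the "diff@npm:^4.0.1" key on the last line is a descriptor-scoped resolution, so it rewrites only dependents that request exactly ^4.0.1; any other range for diff elsewhere in the graph still resolves through its own constraint and is not covered by this override. If the intent is to force every diff request onto a patched build, a bare "diff": "4.0.4" key (matching the style of the other entries in this block) applies to all descriptors, and running yarn why diff after regenerating the lockfile shows which dependents and ranges remain.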
Copilot AI Mar 24, 2026

PR description says these transitive deps are being “pinned”, but several new resolutions entries use caret ranges (e.g., flatted: ^3.4.2, undici: ^7.24.0, tar: ^7.5.11, @tootallnate/once: ^3.0.1). If the intent is strict pinning for supply-chain safety and reproducible future lock updates, consider using exact versions here (as is already done for some other resolutions like tmp).

@jonathannorris jonathannorris merged commit 78f624b into main Mar 27, 2026
6 checks passed
@jonathannorris jonathannorris deleted the chore/fix-dependabot-alerts branch March 27, 2026 19:29

3 participants