Skip to content

chore(deps): resolve open Dependabot alerts#1259

Draft
MarshallOfSound wants to merge 2 commits intomainfrom
deps/security-updates
Draft

chore(deps): resolve open Dependabot alerts#1259
MarshallOfSound wants to merge 2 commits intomainfrom
deps/security-updates

Conversation

@MarshallOfSound
Copy link
Copy Markdown
Member

@MarshallOfSound MarshallOfSound commented Apr 7, 2026

Note

3 vite alerts remain: vite@8.0.5 is blocked by npmMinimalAgeGate: 10080 in .yarnrc.yml. Re-run yarn up -R vite on or after 2026-04-13.

Resolves 24/27 open Dependabot alerts.

In-range (yarn up -R): tar, minimatch (3.x and 9.x), brace-expansion, picomatch.

Major bump: electron devDep ^35.7.5^39.8.5. Spans 4 majors but is a test fixture only; tests should be re-run.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 7, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednode-abi@​4.2.0 ⏵ 4.28.0100 +110087 +294 +7100
Updatedelectron@​35.7.5 ⏵ 39.8.694 +1100 +40100 +198 +1100

View full report

@MarshallOfSound
test: refresh node-abi and nan for electron 39 compatibility
0b3acbf 
node-abi@4.2.0 does not include the ABI mapping for electron 39; bump
the lockfile entry to 4.28.0 (in-range for ^4.2.0).

nan@2.23.0 in the test fixture lockfiles still calls v8::Object::SetPrototype,
which was removed in the V8 shipped with electron 39. nan@2.26.2 uses
SetPrototypeV2 with a fallback. Refresh the native-app1 and workspace-test
fixture lockfiles (in-range for ^2.14.1 / ^2.22.2).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MarshallOfSound