Skip to content

chore: resolve open dependabot security alerts#423

Draft
jonathannorris wants to merge 1 commit into
mainfrom
chore/dependabot-alerts
Draft

chore: resolve open dependabot security alerts#423
jonathannorris wants to merge 1 commit into
mainfrom
chore/dependabot-alerts

Conversation

@jonathannorris

Copy link
Copy Markdown
Member

Summary

Resolved all 11 open Dependabot security alerts by bumping vulnerable (mostly transitive) dependencies via npm overrides and one direct-dependency bump. Lockfile-first where the dependency tree allowed it; overrides used for transitive packages and for the OpenTelemetry suite (siblings pinned the vulnerable @opentelemetry/core exactly).

Verified locally: lint, build, and test all pass.

Dependabot Alerts Resolved

Alert Package Severity Fix
#123 minimatch high Override minimatch@>=9.0.0 <9.0.7 -> ^9.0.7 (resolves to 9.0.9)
#189 @babel/core low Override -> ^7.29.6 (resolves to 7.29.7)
#190 js-yaml medium Override -> ^4.2.0
#191 launch-editor medium Override -> ^2.14.1
#192 form-data high Override -> ^4.0.6
#193 protobufjs medium Override -> ^7.6.3 (resolves to 7.6.4)
#194 @opentelemetry/core medium Direct dep -> ^2.8.0 + self-ref override to force all transitive instances to 2.8.0
#195 multer medium Override -> ^2.2.0
#196 multer high Override -> ^2.2.0
#197 webpack-dev-server medium Override -> ^5.2.5
#198 http-proxy-middleware medium Override -> ^3.0.6 (resolves to 3.0.7)

Notes

  • This is a demo repo and already relies on npm overrides; new entries follow the existing pattern.
  • The launch-editor > shell-quote nested override was replaced with a top-level shell-quote override (kept to preserve the prior shell-quote fix) and a direct launch-editor override.
  • No unresolvable alerts: every alert had a patched version available.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris marked this pull request as draft June 22, 2026 14:14
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9fe41fbc-75df-47a1-9ee9-4aba9d5a22ca

📥 Commits

Reviewing files that changed from the base of the PR and between 359677e and e69746d.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Walkthrough

package.json is updated to bump @opentelemetry/core from ^2.0.0 to ^2.8.0 in dependencies, and the overrides block is expanded with an @opentelemetry/core mapping, updated versions for js-yaml, minimatch, and webpack-dev-server, and new entries for @babel/core, form-data, protobufjs, multer, and http-proxy-middleware.

Changes

Dependency and Override Updates

Layer / File(s) Summary
Direct dependency and overrides block
package.json
@opentelemetry/core bumped to ^2.8.0 in dependencies; overrides updated with an @opentelemetry/core mapping, js-yaml ^4.2.0, minimatch/test-exclude.minimatch ^9.0.7, webpack-dev-server ^5.2.5, flattened launch-editor entry, and new overrides for @babel/core, form-data, protobufjs, multer, and http-proxy-middleware.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and accurately summarizes the main change: resolving Dependabot security alerts through dependency updates.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, providing a detailed table of resolved alerts, implementation details, and verification notes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@jonathannorris jonathannorris marked this pull request as ready for review June 22, 2026 14:17
@jonathannorris jonathannorris enabled auto-merge June 22, 2026 14:17
@jonathannorris jonathannorris requested a review from Copilot July 6, 2026 14:16
@jonathannorris jonathannorris marked this pull request as draft July 6, 2026 14:19
auto-merge was automatically disabled July 6, 2026 14:19

Pull request was converted to draft

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant