Skip to content

fix: resolve open dependabot security alerts#974

Merged
jonathannorris merged 5 commits intomainfrom
fix/dependabot-alerts
Apr 28, 2026
Merged

fix: resolve open dependabot security alerts#974
jonathannorris merged 5 commits intomainfrom
fix/dependabot-alerts

Conversation

@jonathannorris
Copy link
Copy Markdown
Member

@jonathannorris jonathannorris commented Apr 22, 2026
edited
Loading

Summary

Resolved 7 open Dependabot security alerts by bumping vulnerable transitive dependencies via yarn resolutions.

Resolutions use minimum-version ranges (e.g. `^3.4.0`) rather than exact pins — the lockfile resolves to a specific version, while the range sets a security floor allowing future patch updates without another PR.

Dependabot Alerts Resolved

Alert Package Severity Fix
#174 `dompurify` medium Added yarn resolution `^3.4.0`
#175 `dompurify` medium Added yarn resolution `^3.4.0`
#176 `dompurify` medium Added yarn resolution `^3.4.0`
#177 `dompurify` medium Added yarn resolution `^3.4.0`
#173 `follow-redirects` medium Added yarn resolution `^1.16.0`
#178 `uuid` medium Added yarn resolution `^14.0.0` (v14.0.0 is the first patched release)
#179 `fast-xml-parser` medium Bumped yarn resolution from `^5.5.7` to `^5.7.0`

@jonathannorris
fix: resolve open dependabot security alerts
9ac7aa5 
- dompurify -> 3.4.0 via resolution (medium, alerts #174, #175)
- follow-redirects -> 1.16.0 via resolution (medium, alert #173)
Copilot AI review requested due to automatic review settings April 22, 2026 20:06
Copilot AI reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Resolves Dependabot security alerts by forcing patched versions of vulnerable transitive dependencies using Yarn resolutions.

Changes:

  • Add Yarn resolutions to pin dompurify to 3.4.0 and follow-redirects to 1.16.0.
  • Regenerate yarn.lock to reflect the new resolved versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Adds/updates resolutions entries to force patched dependency versions.
yarn.lock Updates locked versions/checksums for dompurify and follow-redirects based on the new resolutions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented Apr 22, 2026
edited
Loading

Deploying devcycle-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 1c50334
Status: ✅  Deploy successful!
Preview URL: https://407a94d4.devcycle-docs.pages.dev
Branch Preview URL: https://fix-dependabot-alerts-c2en.devcycle-docs.pages.dev

View logs

@jonathannorris
fix: add uuid 14.0.0 resolution to address remaining dependabot alert #…
97b23a6 
…178
@jonathannorris
fix: use ^ range style for uuid resolution
9a6ef58 
Match the version range style used by parent packages per dependency
resolution best practices.
Copilot AI review requested due to automatic review settings April 23, 2026 14:58
Copilot AI reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json Outdated
@jonathannorris jonathannorris enabled auto-merge (squash) April 24, 2026 13:55
@jonathannorris
fix: bump fast-xml-parser resolution to ^5.7.0
1c50334 
- fast-xml-parser ^5.5.7 -> ^5.7.0 (medium, alert #179)
Copilot AI review requested due to automatic review settings April 27, 2026 13:40
Copilot AI reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json
Comment thread package.json
@jonathannorris jonathannorris merged commit 7444122 into main Apr 28, 2026
9 checks passed
@jonathannorris jonathannorris deleted the fix/dependabot-alerts branch April 28, 2026 19:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@suthar26 suthar26 suthar26 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jonathannorris @suthar26