chore: resolve open dependabot security alerts #244
Conversation
- dagger.io/dagger v0.19.8 -> v0.20.6 (medium, Dependabot alert 30)
- @angular/{common,compiler,core,platform-browser,...} ^19.0.0 -> ^19.2.20 (high, Dependabot alerts 16, 20, 21)
- uuid ^11.0.0 -> ^14.0.0 (medium, Dependabot alert 35)
- vite ^6.0.0 -> ^6.4.2 (medium+high, Dependabot alerts 29, 34)
- vitest ^2.1.0 -> ^2.1.9
- overrides: vite ^6.4.2 (resolves vite <=6.4.1 pulled in by vitest, alerts 29, 34)
- overrides: postcss ^8.5.10 (medium, alert 36)
- overrides: rollup ^4.59.0 (high, alert 13)
- overrides: esbuild ^0.25.0 (medium, alert 8)
- overrides: minimatch ^9.0.7 (high, alert 15)
- overrides: picomatch ^4.0.4 (medium, alerts 25, 27)
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
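The overrides above only help if every copy of the overridden package in the lockfile (hoisted and nested, e.g. a `vite` pinned under `node_modules/vitest/node_modules/`) actually resolved to a patched version. The script below is an added example, not part of this PR, that reads a `package-lock.json` (lockfileVersion 3 layout, where each installed copy is keyed by its `node_modules/...` path under `packages`) and reports any installed version that falls outside the override's caret range. The lockfile fragment and the `some-old-tool` package it contains are constructed for the example; the override list mirrors the PR description.

```python
"""Check that npm `overrides` took effect for every installed copy in package-lock.json.

Added example (not the project's own code). The lockfile content below is
constructed to mimic the npm lockfileVersion 3 layout; `some-old-tool` is a
made-up package that pins an old nested minimatch.
"""
import json
import re

# Overrides as listed in the PR description (all caret ranges).
OVERRIDES = {
    "vite": "^6.4.2",
    "postcss": "^8.5.10",
    "rollup": "^4.59.0",
    "esbuild": "^0.25.0",
    "minimatch": "^9.0.7",
    "picomatch": "^4.0.4",
}

# Constructed lockfile: the hoisted copies are patched, but two nested copies
# were left on old versions, which is exactly what an override should prevent.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "angular-integration"},
        "node_modules/vite": {"version": "6.4.2"},
        "node_modules/vitest": {"version": "2.1.9"},
        "node_modules/vitest/node_modules/vite": {"version": "6.0.11"},
        "node_modules/rollup": {"version": "4.59.0"},
        "node_modules/esbuild": {"version": "0.25.0"},
        "node_modules/postcss": {"version": "8.5.10"},
        "node_modules/minimatch": {"version": "9.0.7"},
        "node_modules/some-old-tool": {"version": "1.0.0"},
        "node_modules/some-old-tool/node_modules/minimatch": {"version": "3.1.2"},
        "node_modules/picomatch": {"version": "4.0.4"},
    },
})

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) as ints; prerelease/build suffixes are ignored."""
    match = _SEMVER.match(version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.groups())


def caret_satisfied(installed, caret_range):
    """True if `installed` lies inside the caret range, following npm's rule:
    for major > 0, >=X.Y.Z <(X+1).0.0; for major == 0, >=0.Y.Z <0.(Y+1).0."""
    if not caret_range.startswith("^"):
        raise ValueError("only caret ranges are handled in this example")
    low = parse_version(caret_range[1:])
    inst = parse_version(installed)
    high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
    return low <= inst < high


def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return lock_path.rsplit("node_modules/", 1)[1]


def find_override_violations(lock_json, overrides):
    """Return (lock_path, installed_version, expected_range) for every installed
    copy of an overridden package whose version is outside the override range."""
    lock = json.loads(lock_json)
    violations = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the root project entry, not an installed package
        name = package_name(path)
        if name in overrides and "version" in meta:
            if not caret_satisfied(meta["version"], overrides[name]):
                violations.append((path, meta["version"], overrides[name]))
    return violations


if __name__ == "__main__":
    for path, got, want in find_override_violations(SAMPLE_LOCK, OVERRIDES):
        print(f"{path}: installed {got} does not satisfy override {want}")
```

Run it against the real `test/angular-integration/package-lock.json` by loading that file instead of `SAMPLE_LOCK`; an empty result means every installed copy, nested ones included, is on a patched version, which is the property the override block is meant to guarantee and the one worth re-checking whenever the lockfile is regenerated.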
Code Review
This pull request updates several dependencies in the project, including Dagger, Angular, and various development tools like Vite and Vitest. The reviewer noted that the added overrides in package.json should be used cautiously and monitored for future removal as upstream packages are updated.
Pull request overview
Updates Go and Node dependencies to address Dependabot security alerts, primarily by upgrading Dagger (dropping vulnerable OTLP/telemetry transitive deps) and adding npm overrides to remediate frontend transitive vulnerabilities in the Angular integration test project.
Changes:
- Bump `dagger.io/dagger` to `v0.20.6` and refresh Go indirect deps, removing OTLP/OTel exporter + gRPC/protobuf-related transitive modules.
- Update Angular integration test dependencies (Angular `^19.2.20`, `uuid` `^14.0.0`, `vite` `^6.4.2`, `vitest` `^2.1.9`).
- Add npm `overrides` for several transitive dependencies (including `vite`) to force patched versions.
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/angular-integration/package.json | Updates Angular/Vite/Vitest/uuid versions and adds npm overrides to address transitive vulnerabilities. |
| test/angular-integration/package-lock.json | Regenerates lockfile to reflect updated dependency graph and patched versions. |
| go.mod | Bumps Dagger and trims/remaps indirect deps after telemetry stack changes. |
| go.sum | Updates checksums in line with the new Go module graph after the dependency upgrades. |
Files not reviewed (1)
- test/angular-integration/package-lock.json: Language not supported
Summary
- Bumped `dagger.io/dagger` to `v0.20.6`, which removes the vulnerable `go.opentelemetry.io/otel/exporters/otlp/otlploghttp` transitive dependency entirely; `v0.20.6` also dropped its gRPC/OTLP telemetry stack so a number of indirect deps (`otlp*`, `grpc`, `protobuf`, `grpc-gateway`, `genproto`) are removed from `go.mod` as a result
- Bumped Angular to `^19.2.20` and `uuid` to `^14.0.0` in `test/angular-integration`
- Bumped `vite` to `^6.4.2` and `vitest` to `^2.1.9`; added a `vite` npm override to force `^6.4.2` through the vitest dependency tree
- Added `overrides` for `postcss`, `rollup`, `esbuild`, `minimatch`, and `picomatch` to resolve transitive vulnerabilities
Notes
- `vitest` major version bump (`^2.x` -> `^3.x`) is intentionally left out — that's a separate change.
- (`@generated/openfeature.generated`) that isn't present in the repo, so those tests fail on `main` before and after this PR.