
fix(deps): follow-redirects — GHSA-r4q5-vmmm-2653 (medium)#4093

Open
kemister85 wants to merge 2 commits into main from dependabot-autopilot/alert-95

Conversation

@kemister85
Contributor

⚠️ Generated by dependabot-autopilot — human review required before merge. Do not auto-merge.

What was run

This branch was produced by dependabot-autopilot, an autonomous agent that:

  1. Cloned the repo from main
  2. Analysed the Dependabot advisory and the project's manifest
  3. Edited package.json with the minimal change to resolve the vulnerability (the agent has no shell / no network access — it can only read and edit files in the workspace)
  4. Re-ran yarn install so the lockfile reflects the fix
  5. Ran the full validation suite below and only pushed the branch once validation completed
  6. Opened this PR for human review — it will never be auto-merged by the tool

Advisory

  • Alert: Update composer.md #95
  • Advisory: GHSA-r4q5-vmmm-2653
  • Package: follow-redirects
  • Severity: medium
  • Vulnerable range: <= 1.15.11
  • Patched in: 1.16.0
  • Summary: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets

Agent summary

Perfect! The fix has been applied successfully.

Summary

I've resolved Dependabot alert #95 (GHSA-r4q5-vmmm-2653) by adding a Yarn resolutions field to package.json that forces follow-redirects to use version ^1.16.0 or later. The vulnerable package (version 1.15.6) was a transitive dependency coming through http-proxy (used by the http-server devDependency), so a direct version bump wasn't possible. The resolutions field instructs Yarn to override the transitive dependency version across the entire dependency tree, ensuring the patched version 1.16.0+ is installed instead of the vulnerable 1.15.6. When the lockfile is regenerated, it will reflect this resolution and eliminate the security vulnerability.

Validation results

| Stage | Result | Duration | Notes |
| --- | --- | --- | --- |
| yarn install (regenerates lockfile) | ✅ pass | 4.4s | Ensures the dependency change actually takes effect |
| yarn build:production (Antora build) | ✅ pass | 23.6s | Full site build must succeed |
| Playwright smoke (/ + dynamically discovered internal link) | ✅ pass | 2.7s | Real Chromium, HTTP 200 + rendered content |

All validation stages passed on the patched code. This is still a draft-level change — please review the diff and advisory link before merging.

Visual evidence: 2 Playwright screenshots were captured during the smoke test. They are visible on the autopilot dashboard at the run detail page.

Validation log (tail)
=== stage: yarn install ===
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 4.29s.


=== stage: yarn build:production ===
o missing attribute: version"}
{"level":"warn","time":1776760051420,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051420,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051420,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051421,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051424,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051424,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051424,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
Done in 23.49s.


=== stage: playwright smoke ===
GET http://127.0.0.1:4000/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/1/screenshot/01-root.png
GET http://127.0.0.1:4000/tinymce/latest/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/1/screenshot/02-deep.png
Diff summary
commit 00d2734c551384f5e5dbb6624bfb236c216247e3
Author: dependabot-autopilot <dependabot-autopilot@users.noreply.github.com>
Date:   Tue Apr 21 18:27:39 2026 +1000

    chore(deps): regenerate yarn.lock

 yarn.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
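Review bot: the stat shows only the lockfile commit (yarn.lock, 4 insertions and 4 deletions), while the PR carries 2 commits and step 3 of the description says package.json was edited to add a resolutions field; that package.json commit is not visible in this summary, so confirm it exists and that the changed yarn.lock lines pin follow-redirects at 1.16.0 or later for the ^1.0.0 range requested by http-proxy. The description also says the agent has no shell, so the lockfile regeneration recorded here must have come from the validation harness rather than from the agent's edit; run yarn install --frozen-lockfile locally to confirm the committed yarn.lock is consistent with the committed package.json before merging.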


Do not auto-merge this PR. Every change here must be reviewed by a human.
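Added example, not code from this PR or from dependabot-autopilot: a stand-alone check a reviewer can run against the regenerated yarn.lock to confirm that no entry of follow-redirects is still resolved below the advisory's patched version. The two lockfile fragments are constructed to mirror the state the agent summary describes (1.15.6 pulled in through http-proxy's ^1.0.0 range, then 1.16.0 after the resolutions override); the real file has many more entries and integrity lines.

```javascript
// Added example (not the PR's or the autopilot tool's code): parse a Yarn 1
// (classic) lockfile and report every entry of a package whose resolved
// version is still below the advisory's "Patched in" version.

const PACKAGE = "follow-redirects";
const PATCHED_IN = "1.16.0"; // "Patched in" value from the advisory

// Constructed "before" lockfile: http-proxy's ^1.0.0 range resolved to the
// vulnerable 1.15.6 (integrity lines omitted for brevity).
const LOCK_BEFORE = `# yarn lockfile v1

follow-redirects@^1.0.0:
  version "1.15.6"
  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz"

http-proxy@^1.18.1:
  version "1.18.1"
  resolved "https://registry.yarnpkg.com/http-proxy/-/http-proxy-1.18.1.tgz"
  dependencies:
    follow-redirects "^1.0.0"
`;

// Constructed "after" lockfile: with "resolutions": {"follow-redirects": "^1.16.0"}
// in package.json, Yarn rewrites the same ^1.0.0 entry to the patched version.
const LOCK_AFTER = `# yarn lockfile v1

follow-redirects@^1.0.0:
  version "1.16.0"
  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.16.0.tgz"

http-proxy@^1.18.1:
  version "1.18.1"
  resolved "https://registry.yarnpkg.com/http-proxy/-/http-proxy-1.18.1.tgz"
  dependencies:
    follow-redirects "^1.0.0"
`;

// Package name of a lockfile spec such as "follow-redirects@^1.0.0" or
// "@scope/pkg@1.2.3" (the leading "@" of a scoped name is not the separator).
function specName(spec) {
  const at = spec.indexOf("@", spec.startsWith("@") ? 1 : 0);
  return at === -1 ? spec : spec.slice(0, at);
}

// Minimal Yarn v1 lockfile parser: a non-indented line ending in ":" opens an
// entry whose comma-separated specs share the indented "version" line below it.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      current = {
        specs: raw.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, "")),
        version: null,
      };
      entries.push(current);
      continue;
    }
    const m = raw.match(/^\s+version "([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric semver comparison (prerelease tags dropped). A plain string compare
// would order "1.15.9" above "1.15.11", which matters for a "<= 1.15.11" range.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every (spec, version) pair of `pkg` whose resolved version is below `patched`.
// An empty array means the resolutions override reached every range in the tree.
function findUnpatched(lockText, pkg, patched) {
  const hits = [];
  for (const e of parseYarnLock(lockText)) {
    if (e.version === null) continue;
    for (const spec of e.specs) {
      if (specName(spec) === pkg && compareVersions(e.version, patched) < 0) {
        hits.push({ spec, version: e.version });
      }
    }
  }
  return hits;
}

console.log("before:", findUnpatched(LOCK_BEFORE, PACKAGE, PATCHED_IN));
console.log("after:", findUnpatched(LOCK_AFTER, PACKAGE, PATCHED_IN));
```

To run it against the real file, replace the constructed strings with the contents of yarn.lock (for example via fs.readFileSync); a non-empty result means the resolutions field did not take effect for that range. Yarn's own `yarn why follow-redirects` answers the same question from the installed tree.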

@kemister85 kemister85 requested a review from a team as a code owner April 21, 2026 08:27
@kemister85 kemister85 added the label dependabot-autopilot (Autonomously-drafted dependency fix — review required before merge) Apr 21, 2026
@kemister85 kemister85 added this to the dependabot-autopilot milestone Apr 22, 2026
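Added example, not follow-redirects' own implementation: what the advisory summary above ("leaks Custom Authentication Headers to Cross-Domain Redirect Targets") means in practice for any redirect-following HTTP client. A leaky policy forwards every request header to wherever the 3xx points; the hardened one drops credential-bearing headers, including application-specific ones such as the assumed X-Api-Key, when the target's host differs or the scheme downgrades. The request headers, URLs and header values are constructed, and the "cross-domain" rule used here (exact host match, no https-to-http downgrade) is this example's own conservative choice, not a description of how follow-redirects 1.16.0 decides.

```javascript
// Added example (not follow-redirects' code): leaky vs hardened handling of
// request headers when a client follows an HTTP redirect to another host.

// Headers that carry credentials regardless of application.
const CREDENTIAL_HEADERS = ["authorization", "proxy-authorization", "cookie"];

// Case-insensitive check: standard credential headers plus any custom header
// names the application declares as credentials (e.g. an API key header).
function isCredentialHeader(name, customAuthHeaders) {
  const n = name.toLowerCase();
  return (
    CREDENTIAL_HEADERS.includes(n) ||
    customAuthHeaders.some((c) => c.toLowerCase() === n)
  );
}

// This example's trust-boundary rule (an assumption, not the library's rule):
// the redirect is "cross-domain" when the host changes at all, or when an
// https request is redirected to a non-https URL.
function crossesTrustBoundary(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  return from.host !== to.host || downgrade;
}

// Leaky policy: every header, credentials included, follows the 3xx.
function leakyRedirectHeaders(fromUrl, toUrl, headers) {
  return { ...headers };
}

// Hardened policy: strip credential-bearing headers once the redirect leaves
// the original trust boundary. Headers not declared as credentials still leak,
// which is the gap the advisory describes for custom authentication headers.
function hardenedRedirectHeaders(fromUrl, toUrl, headers, customAuthHeaders = []) {
  if (!crossesTrustBoundary(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!isCredentialHeader(name, customAuthHeaders)) out[name] = value;
  }
  return out;
}

// Header names the leaky policy would send to the target and the hardened
// policy would withhold.
function strippedOnRedirect(fromUrl, toUrl, headers, customAuthHeaders = []) {
  const kept = hardenedRedirectHeaders(fromUrl, toUrl, headers, customAuthHeaders);
  return Object.keys(leakyRedirectHeaders(fromUrl, toUrl, headers)).filter(
    (n) => !(n in kept)
  );
}

// Constructed request: a build tool calling an API with a bearer token, a
// session cookie and a custom API-key header (all values are placeholders).
const REQUEST_HEADERS = {
  Accept: "application/json",
  Authorization: "Bearer example-token",
  "X-Api-Key": "example-key",
  Cookie: "session=example",
};
const CUSTOM_AUTH = ["X-Api-Key"]; // assumed application-specific credential header

const ORIGIN = "https://api.example.com/v1/resource";
const SAME_HOST = "https://api.example.com/v2/resource";
const OTHER_HOST = "https://cdn.example.net/v1/resource";
const DOWNGRADE = "http://api.example.com/v1/resource";

console.log("same host strips:", strippedOnRedirect(ORIGIN, SAME_HOST, REQUEST_HEADERS, CUSTOM_AUTH));
console.log("other host strips:", strippedOnRedirect(ORIGIN, OTHER_HOST, REQUEST_HEADERS, CUSTOM_AUTH));
console.log("downgrade strips:", strippedOnRedirect(ORIGIN, DOWNGRADE, REQUEST_HEADERS, CUSTOM_AUTH));
console.log(
  "undeclared custom header still sent cross-host:",
  "X-Api-Key" in hardenedRedirectHeaders(ORIGIN, OTHER_HOST, REQUEST_HEADERS)
);
```

The last line is the point of the advisory class: a client that only knows about Authorization and Cookie keeps forwarding an application-specific credential header across hosts unless it is told that header is a credential, so fixing the library version is necessary but callers should still avoid attaching custom credentials to requests that may be redirected off-origin.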