Skip to content

chore: resolve open dependabot security alerts#1381

Merged
jonathannorris merged 6 commits into
mainfrom
chore/dependabot-alerts
May 13, 2026
Merged

chore: resolve open dependabot security alerts#1381
jonathannorris merged 6 commits into
mainfrom
chore/dependabot-alerts

Conversation

@jonathannorris
Copy link
Copy Markdown
Member

@jonathannorris jonathannorris commented May 8, 2026
edited
Loading

Summary

  • Resolved open Dependabot security alerts by updating the direct postcss dependency and adding resolutions to pin transitive dependencies to patched versions.

Note: alert #80 (tsup DOM clobbering, low) has no patched version available and is skipped. Alerts #108 and #104 (mermaid) are already fixed by the direct mermaid@11.10.0 dependency. Alerts #204 and #205 (fast-xml-builder) are already fixed by the fast-xml-parser: ^5.7.0 resolution pulling in fast-xml-builder@1.2.0.

Dependabot Alerts Resolved

Alert Package Severity Fix
#208 @babel/plugin-transform-modules-systemjs high Pinned to >=7.29.4 via resolutions
#207 fast-uri high Pinned to >=3.1.2 via resolutions
#206 fast-uri high Pinned to >=3.1.2 via resolutions
#205 fast-xml-builder high Already fixed via fast-xml-parser: ^5.7.0 resolution
#204 fast-xml-builder medium Already fixed via fast-xml-parser: ^5.7.0 resolution
#203 ip-address medium Pinned to >=10.1.1 via resolutions
#202 postcss medium Bumped direct dep to ^8.5.10; forced via resolutions
#131 webpack low Pinned to 5.99.9 via resolutions
#130 webpack low Pinned to 5.99.9 via resolutions
#113 js-yaml medium Scoped to markdownlint-cli2/js-yaml: >=4.1.1 via resolutions

@jonathannorris jonathannorris requested review from a team as code owners May 8, 2026 18:25
@netlify
Copy link
Copy Markdown

netlify Bot commented May 8, 2026
edited
Loading

Deploy Preview for openfeature ready!

Name Link
🔨 Latest commit 3ffde44
🔍 Latest deploy log https://app.netlify.com/projects/openfeature/deploys/6a037ce4d647540008989581
😎 Deploy Preview https://deploy-preview-1381--openfeature.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates several dependencies, including postcss, and adds new entries to package.json to address transitive dependency issues. Feedback indicates that these security fixes were incorrectly added to a dependency block instead of a resolutions field; specifically, using a resolution selector like styled-components/postcss as a package name will cause installation failures, and some additions are redundant.

Comment thread package.json
@jonathannorris jonathannorris marked this pull request as draft May 8, 2026 20:02
@jonathannorris jonathannorris marked this pull request as ready for review May 11, 2026 14:16
@jonathannorris jonathannorris enabled auto-merge May 11, 2026 14:16
@jonathannorris
chore: resolve open dependabot security alerts
73eb38a 
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris
chore: remove unnecessary yarn resolutions
db8f78d 
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris
fix: scope js-yaml resolution to markdownlint-cli2 to preserve gray-m…
0bd57d7 
…atter 3.x compat

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris
fix: pin webpack to 5.99.9 to restore webpackbar compat
a70bf19 
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris
chore: resolve additional dependabot security alerts
c931df4 
- fast-uri >=3.1.2 via resolution (high, alerts #206 and #207)
- @babel/plugin-transform-modules-systemjs >=7.29.4 via resolution (high, alert #208)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts branch from 8d9b75d to c931df4 Compare May 12, 2026 19:14
@jonathannorris
chore: revert cosmetic quote changes in vercel.ts and video-embed.tsx
3ffde44 
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris added this pull request to the merge queue May 13, 2026
Merged via the queue into main with commit 5145098 May 13, 2026
9 checks passed
@jonathannorris jonathannorris deleted the chore/dependabot-alerts branch May 13, 2026 09:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@askpt askpt askpt approved these changes

@beeme1mr beeme1mr Awaiting requested review from beeme1mr

@toddbaert toddbaert Awaiting requested review from toddbaert

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathannorris @askpt