Update dependencies and resolve security advisories#2388
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR performs dependency maintenance and security hardening at the repo root: it bumps js-yaml to v5 (removing redundant @types), applies npm overrides to pull vulnerable transitive deps onto patched versions, and updates the pinned commit for the PR reviewer GitHub Action.
Changes:
- Bump
js-yamlfrom4.2.0→5.2.0and remove@types/js-yaml. - Add
overridesto force patched transitive versions (form-data,tmp,dompurify). - Update the pinned commit SHA for
anthropics/claude-code-actionin the PR reviewer workflow.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
package.json |
Updates js-yaml version, removes @types/js-yaml, and adds security-focused overrides. |
package-lock.json |
Updates resolved dependency graph to match js-yaml@5.2.0 and the new override pins. |
THIRD_PARTY_LICENSES.txt |
Refreshes third-party attribution to reflect updated/removed packages (e.g., js-yaml, @types/js-yaml, dompurify). |
.github/workflows/pr-reviewer.yml |
Bumps the pinned SHA for anthropics/claude-code-action used by the PR reviewer workflow. |
js-yaml v5 throws on empty input instead of returning undefined, which would break workflow input refresh for blank/empty workflow files. Return early with no properties to preserve the previous graceful behavior. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The previous run's dist build-cache entry became unreadable to the build-images jobs after several rapid successive pushes to this branch. An empty commit produces a fresh merge sha (and a fresh dist-<sha> cache key), letting build and build-images hand off cleanly. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
marcocomi
approved these changes
Jun 30, 2026
marco-comi-openops
approved these changes
Jun 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Fixes OPS-4579
Additional Notes
Dependency maintenance and security hardening. Three independent updates, all backward-compatible:
1. Bump
js-yaml4.2.0 → 5.2.0@types/js-yaml— v5 is rewritten in TypeScript and ships its own type definitions.yaml.load()in the GitHubrun_workflowaction (packages/blocks/github/.../run-workflow-action.ts); that API is unchanged in v5.load()to the YAML 1.2CORE_SCHEMA, which actually parses GitHub Actions workflow files more correctly (bareon/yes/noare no longer coerced to booleans). The one behavioral change to note is thatload('')now throws instead of returningundefined, which is not reachable here since the action loads a real workflow file.2. Patch transitive security advisories via
overridesForced the nested/duplicated copies up to the patched versions our direct deps already use — no breaking top-level upgrades required:
form-data→$form-data(4.0.6) — fixes HIGH CRLF injection (GHSA-hmw2-7cc7-3qxx) in nx's bundled copytmp→ 0.2.7 — fixes HIGH path traversal (GHSA-7c78-jf6q-g5cm) in nx's bundled copydompurify→$dompurify(3.4.11) — fixes MODERATE XSS in monaco-editor's bundled copyPinning
form-dataandtmpcollapsed the entirenx/@nx/*advisory cascade (which was flagged solely because nx bundled those two).npm auditdropped from ~80 advisories to 9 (8 low, 1 moderate). The remaining items (@ai-sdk/*provider-utils,showdown) have no in-range fix and would require breaking major upgrades, so they are intentionally out of scope for this PR.3. Bump
anthropics/claude-code-action1.0.159 → 1.0.160 in the PR reviewer workflow.