Skip to content

Update dependencies and resolve security advisories#2388

Merged
MarceloRGonc merged 5 commits into
mainfrom
dependabot/update
Jun 30, 2026
Merged

Update dependencies and resolve security advisories#2388
MarceloRGonc merged 5 commits into
mainfrom
dependabot/update

Conversation

@MarceloRGonc

@MarceloRGonc MarceloRGonc commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Fixes OPS-4579

Additional Notes

Dependency maintenance and security hardening. Three independent updates, all backward-compatible:

1. Bump js-yaml 4.2.0 → 5.2.0

  • Removed the now-redundant @types/js-yaml — v5 is rewritten in TypeScript and ships its own type definitions.
  • The only usage in the codebase is yaml.load() in the GitHub run_workflow action (packages/blocks/github/.../run-workflow-action.ts); that API is unchanged in v5.
  • v5 defaults load() to the YAML 1.2 CORE_SCHEMA, which actually parses GitHub Actions workflow files more correctly (bare on/yes/no are no longer coerced to booleans). The one behavioral change to note is that load('') now throws instead of returning undefined, which is not reachable here since the action loads a real workflow file.

2. Patch transitive security advisories via overrides

Forced the nested/duplicated copies up to the patched versions our direct deps already use — no breaking top-level upgrades required:

  • form-data$form-data (4.0.6) — fixes HIGH CRLF injection (GHSA-hmw2-7cc7-3qxx) in nx's bundled copy
  • tmp → 0.2.7 — fixes HIGH path traversal (GHSA-7c78-jf6q-g5cm) in nx's bundled copy
  • dompurify$dompurify (3.4.11) — fixes MODERATE XSS in monaco-editor's bundled copy

Pinning form-data and tmp collapsed the entire nx/@nx/* advisory cascade (which was flagged solely because nx bundled those two). npm audit dropped from ~80 advisories to 9 (8 low, 1 moderate). The remaining items (@ai-sdk/* provider-utils, showdown) have no in-range fix and would require breaking major upgrades, so they are intentionally out of scope for this PR.

3. Bump anthropics/claude-code-action 1.0.159 → 1.0.160 in the PR reviewer workflow.

@MarceloRGonc MarceloRGonc changed the title Dependabot/update Update dependencies and resolve security advisories Jun 30, 2026
@linear

linear Bot commented Jun 30, 2026

Copy link
Copy Markdown

OPS-4579

@MarceloRGonc MarceloRGonc marked this pull request as ready for review June 30, 2026 14:18
Copilot AI review requested due to automatic review settings June 30, 2026 14:18
@MarceloRGonc MarceloRGonc requested a review from ravikiranvm June 30, 2026 14:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR performs dependency maintenance and security hardening at the repo root: it bumps js-yaml to v5 (removing redundant @types), applies npm overrides to pull vulnerable transitive deps onto patched versions, and updates the pinned commit for the PR reviewer GitHub Action.

Changes:

  • Bump js-yaml from 4.2.05.2.0 and remove @types/js-yaml.
  • Add overrides to force patched transitive versions (form-data, tmp, dompurify).
  • Update the pinned commit SHA for anthropics/claude-code-action in the PR reviewer workflow.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File Description
package.json Updates js-yaml version, removes @types/js-yaml, and adds security-focused overrides.
package-lock.json Updates resolved dependency graph to match js-yaml@5.2.0 and the new override pins.
THIRD_PARTY_LICENSES.txt Refreshes third-party attribution to reflect updated/removed packages (e.g., js-yaml, @types/js-yaml, dompurify).
.github/workflows/pr-reviewer.yml Bumps the pinned SHA for anthropics/claude-code-action used by the PR reviewer workflow.

MarceloRGonc and others added 2 commits June 30, 2026 15:31
js-yaml v5 throws on empty input instead of returning undefined, which
would break workflow input refresh for blank/empty workflow files. Return
early with no properties to preserve the previous graceful behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The previous run's dist build-cache entry became unreadable to the
build-images jobs after several rapid successive pushes to this branch.
An empty commit produces a fresh merge sha (and a fresh dist-<sha> cache
key), letting build and build-images hand off cleanly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@MarceloRGonc MarceloRGonc enabled auto-merge (squash) June 30, 2026 15:21
@MarceloRGonc MarceloRGonc merged commit 0906797 into main Jun 30, 2026
60 of 72 checks passed
@MarceloRGonc MarceloRGonc deleted the dependabot/update branch June 30, 2026 16:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants