
fix: resolve open dependabot security alerts #816

Merged
BYK merged 1 commit into master from fix/dependabot-security-updates
May 14, 2026

Conversation

@BYK (Member) commented May 14, 2026

Summary

Resolves all 4 open Dependabot security alerts by bumping vulnerable dependencies:

| Alert | Package | Severity | CVE | Fix |
|---|---|---|---|---|
| #156 | fast-xml-builder | HIGH | GHSA-rf6f-7fwh-wjgh | Bump fast-xml-parser to ^5.8.0 (pulls fast-xml-builder@1.2.0) |
| #155 | fast-xml-builder | MEDIUM | GHSA-3v7f-55p6-f55p | Same as above |
| #153 | postcss | MEDIUM | GHSA-22cc-p3c6-wpvm | Add postcss: ^8.5.10 pnpm override (resolves to 8.5.14) |
| #157 | astro | LOW | GHSA-wr4h-v87w-p3r7 | Bump astro to ^6.1.10 in docs (resolves to 6.3.3) |

Changes

  • Root package.json: Bump fast-xml-parser from ^5.5.7 to ^5.8.0 in both devDependencies and pnpm.overrides; add postcss: ^8.5.10 to pnpm.overrides
  • docs/package.json: Bump astro from ^6.1.6 to ^6.1.10
  • Regenerated both pnpm-lock.yaml and docs/pnpm-lock.yaml

No source code changes. All vulnerable packages are either transitive dev dependencies or docs-only.

- Bump fast-xml-parser ^5.5.7 -> ^5.8.0 (devDep + override) to fix
  fast-xml-builder vulnerabilities (GHSA-rf6f-7fwh-wjgh, GHSA-3v7f-55p6-f55p)
- Add postcss ^8.5.10 pnpm override to fix XSS via unescaped </style>
  (GHSA-22cc-p3c6-wpvm)
- Bump astro ^6.1.6 -> ^6.1.10 in docs to fix server island replay
  vulnerability (GHSA-wr4h-v87w-p3r7)

Fixes dependabot alerts #153, #155, #156, #157.
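A bump plus a pnpm override only closes an alert if every copy of the package that the lockfile resolves ends up at or above the patched floor; a second, older copy pulled in by some other dependency would keep the alert open. The following is an added example, not code from this repository or from pnpm: it scans an excerpt in the pnpm v9 lockfile layout (entries under `packages:` keyed `name@version`, an assumption about the format) for resolved versions that sit below a floor. The lockfile excerpt is constructed, and the floors are the minimum versions implied by the specs in the PR description, not values looked up from the advisories.

```python
"""Check that every resolved version in a pnpm lockfile meets a patched-version floor."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt shaped like the packages: section of a pnpm-lock.yaml v9
# (not the repository's real lockfile). It deliberately includes a second,
# older postcss copy to show what an incomplete override looks like.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

packages:

  '@types/node@22.5.0':
    resolution: {integrity: sha512-constructed}

  astro@6.3.3:
    resolution: {integrity: sha512-constructed}

  fast-xml-builder@1.2.0:
    resolution: {integrity: sha512-constructed}

  fast-xml-parser@5.8.0:
    resolution: {integrity: sha512-constructed}

  postcss@8.5.9:
    resolution: {integrity: sha512-constructed}

  postcss@8.5.14:
    resolution: {integrity: sha512-constructed}

snapshots:

  postcss@8.5.9: {}
"""

# Minimum acceptable versions. These are the floors implied by the version
# specs in the PR description; they are NOT taken from the GHSA advisories.
PATCHED_FLOORS = {
    "fast-xml-parser": "5.8.0",
    "postcss": "8.5.10",
    "astro": "6.1.10",
}

# Matches a two-space-indented package key such as
#   astro@6.3.3:   or   '@types/node@22.5.0':
_PKG_LINE = re.compile(r"^  '?((?:@[^/\s']+/)?[^@\s']+)@([^:'\s]+)'?:\s*$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.5.14' into (8, 5, 14).

    Peer-dependency suffixes like '(typescript@5.6.3)' and prerelease or
    build metadata ('-beta.1', '+sha') are dropped before comparison.
    """
    core = v.split("(", 1)[0].split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def resolved_versions(lock_text: str) -> Dict[str, List[str]]:
    """Collect every resolved version per package from the packages: section only."""
    found: Dict[str, List[str]] = {}
    in_packages = False
    for line in lock_text.splitlines():
        if line.startswith("packages:"):
            in_packages = True
            continue
        if in_packages and line and not line.startswith(" "):
            in_packages = False  # reached another top-level key (e.g. snapshots:)
        if not in_packages:
            continue
        m = _PKG_LINE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def find_unpatched(lock_text: str, floors: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (package, version) pairs that resolve below their patched floor."""
    bad: List[Tuple[str, str]] = []
    for name, versions in resolved_versions(lock_text).items():
        if name not in floors:
            continue
        for v in versions:
            if parse_version(v) < parse_version(floors[name]):
                bad.append((name, v))
    return sorted(bad)


if __name__ == "__main__":
    for name, v in find_unpatched(SAMPLE_LOCKFILE, PATCHED_FLOORS):
        print(f"{name}@{v} is below the patched floor {PATCHED_FLOORS[name]}")
```

Run against a real lockfile by reading `pnpm-lock.yaml` into `find_unpatched`; an empty result means no resolved copy is below its floor, while any hit names a package that still needs an override (or a second override) before the corresponding alert can be considered closed.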
@github-actions bot (Contributor) commented May 14, 2026

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-05-14 18:01 UTC

@BYK BYK enabled auto-merge (squash) May 14, 2026 17:59
@BYK BYK disabled auto-merge May 14, 2026 18:01
@BYK BYK merged commit a7098da into master May 14, 2026
21 checks passed
@BYK BYK deleted the fix/dependabot-security-updates branch May 14, 2026 18:01