Skip to content

fix(deps): resolve 9 Dependabot alerts in js/#545

Merged
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts
Jul 9, 2026
Merged

fix(deps): resolve 9 Dependabot alerts in js/#545
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

Resolves all 9 open Dependabot alerts. Every alert is a transitive, dev-scope dependency in js/package-lock.json; all are remediated via a single overrides block in js/package.json.

Fixed

Package Alert(s) Old → New Needs Advisory
js-yaml #71 (med) 3.14.2 → 3.15.0 ≥ 3.15.0 Quadratic-complexity DoS in merge-key handling
lodash #62 (high), #63 (med) 4.17.23 → 4.18.1 ≥ 4.18.0 Code injection via _.template; prototype pollution in _.unset/_.omit
merge #14 (high) 1.2.1 → 2.1.1 ≥ 2.1.1 Prototype pollution (major bump)
minimatch #54 (high) 3.0.4 / 3.1.2 → 3.1.5 ≥ 3.1.3 ReDoS in matchOne()
minimist #30 (crit), #9 (med) 0.0.10 → 0.2.4 ≥ 0.2.4 Prototype pollution — scoped optimist > minimist override; root minimist was already 1.2.8 and untouched
postcss #66 (med), #35 (med) 7.0.39 → 8.5.16 ≥ 8.5.10 XSS via unescaped </style>; line-return parsing (major bump — no 7.x patch exists)

Test plan

  • npm install — clean, resolutions confirmed at/above each threshold.
  • npm run build (gulp lint + build + uglify) — ✅ green.
  • npm test (karma + jasmine, headless Chrome) — ✅ 22/22 passing.

The postcss 7→8 and merge 1→2 major bumps were the primary risk; build and tests confirm no breakage. Verified locally on Node v18.

Out of scope

npm audit reports 5 further issues (brace-expansion, es5-ext, micromatch, socket.io-parser, ws) that are not in the current Dependabot alert set and are not addressed here.

All alerts are transitive dev-scope deps, remediated via npm `overrides`
in js/package.json. Verified: `npm install` clean, `gulp` build green,
karma/jasmine suite 22/22 passing (postcss 7->8 and merge 1->2 are major
bumps — build and tests confirmed unaffected).

- js-yaml 3.14.2 -> 3.15.0 (#71, GHSA quadratic-complexity DoS, needs >= 3.15.0)
- lodash 4.17.23 -> 4.18.1 (#62 code injection via _.template, #63 prototype
  pollution in _.unset/_.omit, needs >= 4.18.0)
- merge 1.2.1 -> 2.1.1 (#14 prototype pollution, needs >= 2.1.1; major bump)
- minimatch 3.0.4/3.1.2 -> 3.1.5 (#54 ReDoS in matchOne(), needs >= 3.1.3)
- minimist (under optimist) 0.0.10 -> 0.2.4 (#30 critical + #9 prototype
  pollution, needs >= 0.2.4; per-parent override, root minimist already 1.2.8)
- postcss 7.0.39 -> 8.5.16 (#66 XSS via unescaped </style>, #35 line-return
  parsing, needs >= 8.5.10; major bump, no 7.x patch exists)

Note: `npm audit` still reports separate issues (brace-expansion, es5-ext,
micromatch, socket.io-parser, ws) that are NOT in the Dependabot alert set;
out of scope for this change.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 9, 2026 14:52
@DeepDiver1975

Copy link
Copy Markdown
Member Author

CI note: the JS Unit check failed on the first run with ChromeHeadless has not captured in 5000 ms — the pre-existing flaky Chrome-launch timeout also being addressed in #544, unrelated to these dependency bumps. Re-ran the job and it passed 22/22. All checks now green.

@phil-davis phil-davis merged commit c829eb0 into master Jul 9, 2026
19 of 20 checks passed
@phil-davis phil-davis deleted the fix/dependabot-alerts branch July 9, 2026 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants