
chore: resolve open dependabot security alerts#979

Open
jonathannorris wants to merge 2 commits into main from chore/dependabot-alerts-3

Conversation


@jonathannorris jonathannorris commented Jun 10, 2026

Member

Summary

  • Resolved 3 open Dependabot security alerts (all medium severity) by forcing patched versions of transitive npm dependencies via Yarn resolutions.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #202 | uuid | medium | Bumped 8.3.2 -> 11.1.1 via resolution (CVE-2026-41907) |
| #201 | ws | medium | Bumped 8.19.0 -> 8.21.0 via scoped ws@^8.18.0 resolution (CVE-2026-45736) |
| #180 | postcss | medium | Bumped transitive 8.4.49 -> 8.5.15 via resolution (CVE-2026-41305) |

The ws@^7 dependency is outside the vulnerable range (>= 8.0.0) and was intentionally left untouched.

Verified with yarn build (Docusaurus build succeeds; remaining warnings are pre-existing and unrelated).

- uuid 8.3.2 -> 11.1.1 (medium, alert #202, CVE-2026-41907)
- ws 8.19.0 -> 8.21.0 (medium, alert #201, CVE-2026-45736)
- postcss 8.4.49 -> 8.5.12 (medium, alert #180, CVE-2026-41305)
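A way to confirm that resolutions like the ones above actually took effect, added here and not part of the PR: a small script that parses a yarn.lock (v1 format assumed) and reports any descriptor still resolving inside a vulnerable range. The ws bounds are the ones the PR states (vulnerable >= 8.0.0, patched 8.21.0); for uuid and postcss only the patched versions from the bullet list are on the page, so anything below them is treated as unresolved, and the lockfile excerpt is constructed.

```python
import re

# Constructed yarn.lock (v1 format) excerpt; a stand-in for the real lockfile.
SAMPLE_LOCK = """\
postcss@^8.4.21, postcss@^8.4.49:
  version "8.5.12"
uuid@^8.3.2:
  version "11.1.1"
ws@^7.3.1:
  version "7.5.10"
ws@^8.18.0:
  version "8.21.0"
"""

# name -> (first vulnerable version or None, first patched version).
# ws bounds come from the PR text; for uuid and postcss only the patched version is
# on the page, so the lower bound is left open (assumption: below patched = unresolved).
POLICY = {"uuid": (None, "11.1.1"), "ws": ("8.0.0", "8.21.0"), "postcss": (None, "8.5.12")}

def vtuple(v):
    # "8.21.0" -> (8, 21, 0); any pre-release suffix is ignored
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

def parse_yarn_lock(text):
    """Return (name, requested range, resolved version) per descriptor in a v1 lockfile."""
    entries, descriptors = [], []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            # entry header: one or more comma-separated descriptors, optionally quoted
            descriptors = [d.strip().strip('"') for d in line[:-1].split(",")]
        elif descriptors and line.strip().startswith("version "):
            version = line.split('"')[1]
            for desc in descriptors:
                name, _, rng = desc.rpartition("@")  # rpartition keeps @scope/name intact
                entries.append((name, rng, version))
            descriptors = []
    return entries

def unresolved(lock_text):
    """Descriptors that still resolve inside a vulnerable range after the resolutions."""
    findings = []
    for name, rng, version in parse_yarn_lock(lock_text):
        lo, fixed = POLICY.get(name, (None, None))
        if fixed is None:
            continue  # package not covered by any alert
        v = vtuple(version)
        if v >= vtuple(fixed) or (lo is not None and v < vtuple(lo)):
            continue  # patched, or below the vulnerable range (e.g. the ws 7.x line)
        findings.append((name, rng, version))
    return findings
```

Run it against the real yarn.lock by passing the file contents to unresolved(); an empty list means every alerted package resolves to a patched version.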
Copilot AI review requested due to automatic review settings June 10, 2026 13:36

cloudflare-workers-and-pages Bot commented Jun 10, 2026


Deploying devcycle-docs with Cloudflare Pages

Latest commit: fe6fd9d
Status: ✅  Deploy successful!
Preview URL: https://95db3e08.devcycle-docs.pages.dev
Branch Preview URL: https://chore-dependabot-alerts-3.devcycle-docs.pages.dev


Copilot AI left a comment

Contributor


Pull request overview

Updates dependency overrides to address medium-severity Dependabot alerts by bumping vulnerable transitive packages via Yarn resolutions and regenerating yarn.lock.

Changes:

  • Added Yarn resolutions entries intended to force patched versions of uuid, ws, and postcss.
  • Updated yarn.lock to reflect resolved versions (uuid@11.1.1, ws@8.21.0, postcss@8.5.12).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| package.json | Adds/adjusts Yarn resolutions to override vulnerable transitive dependencies. |
| yarn.lock | Updates the lockfile to the resolved versions produced by the new overrides. |


@jonathannorris jonathannorris enabled auto-merge (squash) June 10, 2026 13:43