Fix vulnerabilities in some examples. #69
Conversation

@nutrient-code-reviewer

closing in favor of #70

force-pushed from 5b5ab0e to 93ae4b0

@vladimir-tikhonov-nutrient I've reopened it to append some missing updates.
examples/angular/package-lock.json
Outdated
| "version": "5.105.3", | ||
| "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.105.3.tgz", | ||
| "integrity": "sha512-LLBBA4oLmT7sZdHiYE/PeVuifOxYyE2uL/V+9VQP7YSYdJU7bSf7H8bZRRxW8kEPMkmVjnrXmoR3oejIdX0xbg==", | ||
| "version": "5.105.2", |
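Review bot: the removed lines carry the `resolved` URL and `integrity` hash for webpack 5.105.3, while the only added line visible in this hunk is `"version": "5.105.2"`. Besides the patch-level drop, check that the regenerated entry for 5.105.2 still has both `resolved` and `integrity` set; an entry without an `integrity` field lets `npm ci` install a tarball it cannot verify, which defeats the point of committing the lockfile in a remediation PR.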
This lockfile resolves webpack to 5.105.2, but main currently resolves 5.105.3. Since this PR is dependency/security remediation, can we avoid this patch-level downgrade?
examples/gatsbyjs/package-lock.json
Outdated
| "version": "5.105.3", | ||
| "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.105.3.tgz", | ||
| "integrity": "sha512-LLBBA4oLmT7sZdHiYE/PeVuifOxYyE2uL/V+9VQP7YSYdJU7bSf7H8bZRRxW8kEPMkmVjnrXmoR3oejIdX0xbg==", | ||
| "version": "5.105.2", |
This lockfile resolves webpack to 5.105.2, while main has 5.105.3. Please avoid accidentally downgrading webpack in this remediation PR.
| "version": "5.105.3", | ||
| "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.105.3.tgz", | ||
| "integrity": "sha512-LLBBA4oLmT7sZdHiYE/PeVuifOxYyE2uL/V+9VQP7YSYdJU7bSf7H8bZRRxW8kEPMkmVjnrXmoR3oejIdX0xbg==", | ||
| "version": "5.105.2", |
Direct webpack spec was bumped, but resolved version here is lower than main (5.105.3 -> 5.105.2). Could we keep at least the previous patched version?
examples/webpack/package-lock.json
Outdated
| "version": "5.105.3", | ||
| "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.105.3.tgz", | ||
| "integrity": "sha512-LLBBA4oLmT7sZdHiYE/PeVuifOxYyE2uL/V+9VQP7YSYdJU7bSf7H8bZRRxW8kEPMkmVjnrXmoR3oejIdX0xbg==", | ||
| "version": "5.105.2", |
Resolved webpack is downgraded from 5.105.3 on main to 5.105.2 here. Please regenerate/pin so this PR does not reduce patch level.
| "version": "5.105.3", | ||
| "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.105.3.tgz", | ||
| "integrity": "sha512-LLBBA4oLmT7sZdHiYE/PeVuifOxYyE2uL/V+9VQP7YSYdJU7bSf7H8bZRRxW8kEPMkmVjnrXmoR3oejIdX0xbg==", | ||
| "version": "5.105.0", |
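Review bot: this entry lands exactly on 5.105.0, the floor of the `^5.105.0` override the summary describes, so the override as written does not prevent the regression from 5.105.3 that the hunk shows. Raise the override to `^5.105.3` (or pin `5.105.3`) so that anything below what main already ships cannot satisfy it, regenerate the lockfile, and confirm the new entry keeps `resolved` and `integrity` lines, since the hunk removes the 5.105.3 ones without showing a replacement.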
This lockfile regresses several webpack-stack packages (webpack 5.105.3 -> 5.105.0, webpack-dev-server 5.2.3 -> 5.2.2, html-webpack-plugin 5.6.6 -> 5.5.0). Can we regenerate to avoid accidental downgrades?
vladimir-tikhonov-nutrient left a comment

please see LLM findings above

@vladimir-tikhonov-nutrient good catch! Addressed now, thank you!
Summary

- qs override → 16 → 0 vulns
- webpack override to ^5.105.0, bump dev deps → 2 → 0 vulns
- ajv-formats → ajv override to ^8.18.0 → 7 → 6 vulns (remaining 6 are unfixable elliptic affecting all versions)
- ajv override to ^8.18.0, bump workbox to 7.4.0 → 2 → 0 vulns
- const → let for bind:errorMsg bug → 1 remaining (Svelte 4 SSR vulns, fix requires Svelte 5 migration)
- minimatch/ajv/qs overrides → 4 → 0 vulns
- minimatch/ajv/qs overrides → 4 → 0 vulns

All examples verified to build successfully after changes.