MLE-27299 Bumping dependencies to fix npm audit #1067
Copyright Validation Results: ✅ All files have valid copyright headers! (⏭️ Skipped (Excluded) Files)
Pull request overview
This PR updates the repository’s dependency override for minimatch to a newer patched version to address a reported CVE.
Changes:
- Bump minimatch override from 10.2.2 to 10.2.4 in package.json.
- Update package-lock.json to reflect the resolved minimatch@10.2.4 artifact and integrity hash.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Updates the overrides pin for minimatch to 10.2.4. |
| package-lock.json | Updates the lockfile resolution for minimatch (and includes some lockfile metadata churn). |
Bumped minimatch, and added a force on serialize-javascript (used by mocha) and underscore (used by jsdoc).
| "minimatch": "10.2.4", | ||
| "semver": "7.5.3", | ||
| "serialize-javascript": "7.0.4", | ||
| "strip-ansi": "6.0.0", | ||
| "supports-color": "7.2.0", | ||
| "tar-fs": "2.1.4", | ||
| "underscore": "1.13.8", | ||
| "wrap-ansi": "6.2.0" |
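Review bot: every entry in this overrides block is an exact pin ("minimatch": "10.2.4", "serialize-javascript": "7.0.4", "underscore": "1.13.8"), which forces every consumer in the tree onto that one version regardless of the range the consumer declares; if mocha's or jsdoc's declared range does not admit the pinned version, npm applies the override anyway and any incompatibility only surfaces at runtime. Before merging, confirm the resolved tree with `npm ls minimatch serialize-javascript underscore` (one copy each, no `invalid` markers) and run the mocha suite and the jsdoc build, since those are the only consumers named in the description. Exact pins also mean later security patches are not picked up by `npm update`; each future fix will need another override bump like this one.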
If serialize-javascript and underscore are being added only to address transitive npm audit vulnerabilities (and not because the app directly imports them), prefer pinning transitive versions via overrides (npm) to avoid introducing new direct dependencies, extra install footprint, and ongoing upgrade/licensing surface area. Consider moving these pins into an overrides block (or the repo’s equivalent) and keep direct dependencies limited to packages actually used by the code.
They are in an overrides block!
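The review comment above recommends pinning transitive versions through an overrides block, and the PR does exactly that. One thing neither comment covers is how to verify that the overrides actually took effect: an override in package.json only changes what gets installed once package-lock.json has been regenerated, and a stale nested copy (for example under node_modules/mocha/node_modules/) still leaves the vulnerable version on disk. The script below is an added example, not code from this repository or from npm; it reads the overrides map and the lockfile's packages map (lockfileVersion 2 or 3) and reports every installed copy whose version differs from the pin, plus pins that nothing in the lockfile installs. The package.json and package-lock.json contents are constructed inline for illustration; nested override objects and the lockfileVersion 1 format are not handled (an assumption of this example).

```javascript
// Added example (not the project's code): check that every exact override in
// package.json is what package-lock.json actually resolves.
// Assumes lockfileVersion 2 or 3 (the "packages" map keyed by install path).

// Name portion of an override key: "minimatch", "minimatch@<10", "@scope/pkg@^1".
function overrideName(key) {
  const at = key.startsWith("@") ? key.indexOf("@", 1) : key.indexOf("@");
  return at === -1 ? key : key.slice(0, at);
}

// Package name of a lockfile install path such as
// "node_modules/mocha/node_modules/serialize-javascript" -> "serialize-javascript".
function installedName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one entry per problem:
//   { name, expected, found, at }  -> an installed copy at `at` has a different version
//   { name, expected, found: null } -> the override matches nothing in the lockfile (dead pin)
function checkOverrides(pkg, lock) {
  const overrides = pkg.overrides || {};
  const packages = lock.packages || {};
  const problems = [];
  for (const [key, expected] of Object.entries(overrides)) {
    if (typeof expected !== "string") continue; // nested override objects: out of scope here
    const name = overrideName(key);
    let seen = 0;
    for (const [lockPath, meta] of Object.entries(packages)) {
      if (installedName(lockPath) !== name) continue;
      seen++;
      if (meta.version !== expected) {
        problems.push({ name, expected, found: meta.version, at: lockPath });
      }
    }
    if (seen === 0) problems.push({ name, expected, found: null, at: null });
  }
  return problems;
}

// Constructed sample inputs (not the real files from this PR). The nested
// serialize-javascript copy under mocha is deliberately stale, and "left-pad"
// is a pin that nothing installs.
const samplePkg = {
  overrides: {
    minimatch: "10.2.4",
    "serialize-javascript": "7.0.4",
    underscore: "1.13.8",
    "left-pad": "1.3.0",
  },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/minimatch": { version: "10.2.4" },
    "node_modules/serialize-javascript": { version: "7.0.4" },
    "node_modules/mocha/node_modules/serialize-javascript": { version: "6.0.2" },
    "node_modules/underscore": { version: "1.13.8" },
  },
};

console.log(JSON.stringify(checkOverrides(samplePkg, sampleLock), null, 2));
```

Against a real checkout, replace the two sample objects with `JSON.parse(fs.readFileSync("package.json", "utf8"))` and the same for `package-lock.json`; an empty result means every override is reflected in the lockfile, and a non-empty one means `npm install` (or `npm install --package-lock-only`) has not been rerun since the override changed, or the pin is dead weight and can be dropped.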