
Chore: Resolve vulnerabilities in transitive NPM dependencies #65

Merged
up1512001 merged 1 commit into develop from chore/dependabot-issues
Mar 6, 2026

Conversation

Contributor

@imrraaj imrraaj commented Mar 5, 2026

What

This PR adds overrides in package.json to address security vulnerabilities reported by Dependabot and npm audit.

Why

Fixes dependabot alerts

How

Testing Instructions

Screenshots

Additional Info

Checklist

  • I have read the Contribution Guidelines.
  • I have read the Development Guidelines.
  • My code is tested to the best of my abilities.
  • My code passes all lints (ESLint etc.).
  • My code has detailed inline documentation.
  • I have updated the project documentation as needed.

Copilot AI review requested due to automatic review settings March 5, 2026 11:56

Copilot AI left a comment


Pull request overview

Updates JavaScript dependency resolutions to address reported security vulnerabilities and refreshes the plugin’s release metadata to 1.0.2.

Changes:

  • Add/extend npm overrides (incl. minimatch, serialize-javascript, and ajv for @wp-playground/*) to remediate audit/Dependabot alerts.
  • Regenerate package-lock.json with updated transitive dependency graph.
  • Bump plugin version references to 1.0.2 (plugin header, constant, readme stable tag, changelog).

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • readme.txt: Updates “Stable tag” to 1.0.2.
  • package.json: Adds new overrides to mitigate vulnerable transitive packages.
  • package-lock.json: Reflects the resolved dependency updates from the new overrides/install.
  • onelogs.php: Bumps plugin header version and ONELOGS_VERSION constant to 1.0.2.
  • CHANGELOG.md: Adds 1.0.2 entry describing the dependency update.
Comments suppressed due to low confidence (1)

package.json:88

  • The new overrides entries use open-ended version ranges (e.g., >=10.2.1, >=7.0.3, >=8.18.0). Since these ranges don’t cap the major version, a future lockfile refresh could unexpectedly jump to a new major release (e.g., minimatch 11 / ajv 9) and introduce breaking changes. Consider pinning to an explicit version or at least a major-bounded range (e.g., ^10.2.1, ^7.0.3, ^8.18.0) to keep upgrades more predictable while still addressing the audit alerts.
		"webpack-dev-server@<=5.2.0": ">=5.2.1",
		"minimatch": ">=10.2.1",
		"serialize-javascript": ">=7.0.3",
		"@wp-playground/blueprints": {
			"ajv": ">=8.18.0"
		},
		"@wp-playground/tools": {
			"ajv": ">=8.18.0"
		},
		"@wp-playground/cli": {
			"ajv": ">=8.18.0"
		}

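As an added example (not code from this PR or from the plugin it belongs to): a dependency-free Node.js check that walks a package.json `overrides` map and flags every range with no upper bound, the concern raised in the suppressed Copilot comment above. It handles the three override shapes used in the PR (plain `pkg`, `pkg@range` keys, and nested per-parent maps such as `@wp-playground/*` → `ajv`) plus npm's `.` key for overriding the parent package itself. The function names (`isOpenEnded`, `suggestBounded`, `auditOverrides`, `auditPackageJsonText`) and the sample overrides object are constructed for this example; the sample mirrors the values shown in the review.

```javascript
// Added example, not code from the PR or the plugin it belongs to: a
// dependency-free audit of a package.json "overrides" map that flags
// version ranges with no upper bound, so a lockfile refresh cannot
// silently jump a transitive package to a new major release.
// The function names and the sample overrides below are constructed
// for this example; the sample mirrors the shapes used in the PR.

// True when a range string admits an unbounded upgrade: it is empty or
// "*"/"x", or at least one "||" alternative is a ">"/">=" comparator
// with no "<"/"<=" comparator beside it. Caret, tilde, exact, x-range
// and hyphen ranges are all bounded by construction.
function isOpenEnded(range) {
  return String(range).split('||').some(alt => {
    const r = alt.trim();
    if (r === '' || r === '*' || r.toLowerCase() === 'x') return true;
    return /^>=?\s*\d/.test(r) && !/<=?\s*\d/.test(r);
  });
}

// Propose a major-bounded replacement for a ">=X.Y.Z" range: "^X.Y.Z".
// The caret keeps the same floor (the patched version) and stops at the
// next major. Returns null when the range is not a simple ">=" comparator.
function suggestBounded(range) {
  const m = String(range).trim().match(/^>=?\s*(\d+\.\d+\.\d+)/);
  return m ? `^${m[1]}` : null;
}

// Walk an overrides object. Values are either a range string or a nested
// map scoping the override to a parent package; the "." key inside a
// nested map overrides the parent itself. Returns one finding per
// open-ended range with a readable path such as "@scope/pkg > ajv".
function auditOverrides(overrides, parentPath = []) {
  const findings = [];
  for (const [key, value] of Object.entries(overrides || {})) {
    const path = key === '.' ? parentPath : [...parentPath, key];
    if (typeof value === 'string') {
      if (isOpenEnded(value)) {
        findings.push({ path: path.join(' > '), range: value, suggested: suggestBounded(value) });
      }
    } else if (value && typeof value === 'object') {
      findings.push(...auditOverrides(value, path));
    }
  }
  return findings;
}

// Convenience wrapper for the raw text of a package.json file
// (e.g. fs.readFileSync('package.json', 'utf8')).
function auditPackageJsonText(text) {
  const pkg = JSON.parse(text);
  return auditOverrides(pkg.overrides);
}

// Constructed sample that mirrors the override shapes in this PR; the
// last entry is already major-bounded and must not be reported.
const SAMPLE_OVERRIDES = {
  'webpack-dev-server@<=5.2.0': '>=5.2.1',
  'minimatch': '>=10.2.1',
  'serialize-javascript': '>=7.0.3',
  '@wp-playground/blueprints': { 'ajv': '>=8.18.0' },
  '@wp-playground/cli': { 'ajv': '^8.18.0' },
};

for (const f of auditOverrides(SAMPLE_OVERRIDES)) {
  console.log(`${f.path}: "${f.range}" has no upper bound; consider "${f.suggested}"`);
}
```

Run it with `node` after saving, or wire `auditPackageJsonText` into a CI step that fails when the returned list is non-empty. The caret suggestion is only a starting point: check the proposed floor against the advisory's fixed version (a `>` comparator excludes its own version, `^` does not), and remember that `^` on a `0.x` floor only permits patch-level updates, which may be narrower than intended.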

@imrraaj imrraaj changed the title Chore: Update NPM dependencies Chore: Resolve vulnerabilities in transitive NPM dependencies Mar 5, 2026
@imrraaj imrraaj requested a review from up1512001 March 6, 2026 08:50
@up1512001 up1512001 merged commit b896756 into develop Mar 6, 2026
12 of 13 checks passed