Merged
6 changes: 5 additions & 1 deletion package.json
@@ -28,10 +28,14 @@
"@types/react": "^18.2.12",
"@types/react-native": "^0.70.14",
"cacache/glob": "^10.5.0",
"flatted": ">=3.3.4",
"js-yaml": "^4.1.1",
"lodash": ">=4.17.23",
"lodash-es": ">=4.17.23",
"tar": ">=7.5.7"
"minimatch": ">=3.1.3",
"fast-xml-parser": ">=4.5.4",
Comment on lines +35 to +36
Semver lower bounds allow resolution to arbitrary future major versions

Both of these constraints resolve today to major-version jumps far beyond what the lower bound implies:

  • "fast-xml-parser": ">=4.5.4" → resolves to 5.5.6 (v4 → v5 major bump; transitive deps in rn-purchasely-test declare ^4.4.1 which is semver-incompatible with v5).
  • "minimatch": ">=3.1.3" → resolves to 10.2.4 (v3 → v10, a seven-major-version jump).

While the tests pass today, these open-ended ranges mean a future yarn install could silently advance to v6 of fast-xml-parser or v11+ of minimatch, potentially introducing runtime breakage with no diff-visible change. The same pattern exists in both test-project package.json files.

Consider pinning to the actual minimum compatible major version that was validated:

Suggested change
"minimatch": ">=3.1.3",
"fast-xml-parser": ">=4.5.4",
"minimatch": ">=10.2.4",
"fast-xml-parser": ">=5.0.0",

"tar": ">=7.5.10",
"undici": ">=7.24.0"
},
"workspaces": [
"packages/*",
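Review bot: the new floors in this hunk (`"minimatch": ">=3.1.3",`, `"fast-xml-parser": ">=4.5.4",`, `"undici": ">=7.24.0"` and the bumped `tar` line) are open-ended `>=` ranges, and the inline suggestion to raise them to `>=10.2.4` / `>=5.0.0` keeps the same open-ended form it warns about, so the next install can still jump to a later major with no change visible in this file. If the goal is to force a patched version while staying on the major that was actually tested, use a caret range on that major (for example `"minimatch": "^10.2.4"` and `"fast-xml-parser": "^5.5.6"`) or an exact version, and let the lockfile carry the resolved version. The `"cacache/glob"` path-style key a few lines above indicates this is a yarn `resolutions` block, so these entries override whatever transitive dependents declare; the inline comment notes that `rn-purchasely-test` declares `^4.4.1` for `fast-xml-parser`, meaning a 5.x resolution silently overrides that package's own compatibility range. Nothing in the diff records which advisory each floor addresses or why the override is safe, so the PR description should say so, since the tests passing today is the only evidence visible here.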
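The resolution behaviour the review comment describes (an open-ended `>=` floor resolving to the newest published major, while a caret range stays on the floor's major), as an added example that is not part of this PR or the project's code: a small JavaScript model of range satisfaction over a constructed list of published versions. The version lists and the `satisfies`/`maxSatisfying`/`resolutionReport` helpers are assumptions made for the illustration; they are a simplified stand-in for the `semver` library npm and yarn actually use, not that library.

```javascript
// Added example, not part of the PR: a minimal model of how a package manager
// chooses a version for a range. The version lists below are constructed for
// the illustration and are not a real registry snapshot; the helpers here are
// a simplified stand-in for the semver library npm/yarn actually use.

// Parse "MAJOR.MINOR.PATCH" into three numbers (pre-release tags not supported).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, usable as an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Range forms covered:
//   ">=X.Y.Z"  any version at or above the floor, including every later major
//   "^X.Y.Z"   at or above the floor but on the same major (X >= 1 assumed)
//   "X.Y.Z"    exact pin
function satisfies(version, range) {
  if (range.startsWith(">=")) {
    return compareVersions(version, range.slice(2)) >= 0;
  }
  if (range.startsWith("^")) {
    const floor = range.slice(1);
    return compareVersions(version, floor) >= 0 &&
      parseVersion(version)[0] === parseVersion(floor)[0];
  }
  return compareVersions(version, range) === 0;
}

// The version an install would pick: the highest published one satisfying the range.
function maxSatisfying(available, range) {
  const ok = available.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length === 0 ? null : ok[ok.length - 1];
}

// Constructed "published versions", chosen to mirror the comment's two scenarios.
const FAST_XML_PARSER_VERSIONS = ["4.4.1", "4.5.3", "4.5.4", "5.0.0", "5.5.6"];
const MINIMATCH_VERSIONS = ["3.1.2", "3.1.3", "5.1.6", "9.0.5", "10.2.4"];

// Summarise a resolution and flag when it lands on a different major than the floor names.
function resolutionReport(available, range) {
  const resolved = maxSatisfying(available, range);
  const floor = range.replace(/^(>=|\^)/, "");
  return {
    range,
    resolved,
    crossesMajor: resolved !== null && parseVersion(resolved)[0] !== parseVersion(floor)[0],
  };
}

// Stand-alone run: the PR's floors next to caret ranges on the validated major.
for (const [name, versions, range] of [
  ["fast-xml-parser", FAST_XML_PARSER_VERSIONS, ">=4.5.4"],
  ["fast-xml-parser", FAST_XML_PARSER_VERSIONS, "^5.5.6"],
  ["minimatch", MINIMATCH_VERSIONS, ">=3.1.3"],
  ["minimatch", MINIMATCH_VERSIONS, "^10.2.4"],
]) {
  console.log(name, resolutionReport(versions, range));
}
```

Run it with `node`: the two `>=` floors resolve to the top of each constructed list (5.5.6 and 10.2.4, the same majors the comment reports) and are flagged as crossing a major, while the caret ranges resolve to the same versions without crossing, which is the property a pinned resolution should have.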