chore(deps): apply npm audit fix + overrides to clear vulnerability alerts#265
Merged
…lerts

Brings open Dependabot alerts on validation/ from 11 to 1.

- npm audit fix (no-force) clears brace-expansion, minimatch (3 advisories), and rollup via transitive bumps — non-breaking semver re-resolution.
- overrides block in validation/package.json forces lodash@^4.18.0, postcss@^8.5.10, and protobufjs@^7.5.5 across all consumers, resolving the lodash + postcss + protobufjs alerts.

The remaining alert is uuid (moderate) via gherkin-lint > gherkin > cucumber-messages > uuid. Bound to the existing plan to replace gherkin-lint (camaraproject#138). uuid@14 was attempted via override but cucumber-messages@8.0.0 does require('uuid/v4'), which uuid 14 removed from its exports.

Verified: gherkin-lint, Spectral 6.15.1, Redocly 2.30.3 all run clean against ReleaseTest fixtures; 1011 / 1011 validation engine tests pass.
What type of PR is this?
cleanup
What this PR does / why we need it:
Brings open Dependabot alerts on `validation/` from 11 to 1.

- `npm audit fix` (no-force) clears `brace-expansion`, `minimatch` (3 advisories), and `rollup` via transitive bumps — non-breaking semver re-resolution.
- `overrides` block in `validation/package.json` forces `lodash@^4.18.0`, `postcss@^8.5.10`, and `protobufjs@^7.5.5` across all consumers, resolving the lodash + postcss + protobufjs alerts.

The remaining alert (`uuid`, moderate, via `gherkin-lint > gherkin > cucumber-messages > uuid`) is bound to the existing plan to replace `gherkin-lint` (#138). `uuid@14` was attempted via override but `cucumber-messages@8.0.0` does `require('uuid/v4')`, which uuid 14 removed from its `exports`.

Verification

- `npm audit`: 1 underlying advisory remains — `uuid` (moderate), reachable via `gherkin-lint > gherkin > cucumber-messages > uuid`. npm audit prints this as 4 chain entries; Dependabot reports it as 1 alert.
- `npx gherkin-lint`: clean run on a ReleaseTest feature fixture
- `npx spectral lint`: runs cleanly, expected OWASP warnings on a sample API spec
- `npx redocly bundle`: bundle produced
- `python3 -m pytest validation/tests/`: 1011 / 1011 passing

Which issue(s) this PR fixes:
Fixes #
(no tracking issue; addresses 10 of 11 open Dependabot alerts surfaced after #260 merged)
Special notes for reviewers:
`validation/package.json` gains a 3-entry `overrides` block. `validation/package-lock.json` re-resolves accordingly.

Changelog input
Additional documentation
This section can be blank.
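As an added example that is not part of this PR or the project, a small Node.js check for the failure mode the description hits with `uuid@14`: whether a candidate package's `exports` map still exposes a deep import such as `uuid/v4` before an `overrides` entry forces that version onto every consumer. The package.json shapes below are constructed, and `subpathExported` / `deepImportSurvives` are hypothetical helper names.

```javascript
// Decide whether a package.json "exports" value still exposes a relative
// subpath ("./v4"). Handles the common shapes: absent field, bare string or
// array, conditional object (root only), "./path" keys and "./prefix/*" patterns.
// A subpath that is not exported makes require() throw
// ERR_PACKAGE_PATH_NOT_EXPORTED at runtime in every consumer.
function subpathExported(exportsField, subpath) {
  // No "exports" field: every file in the package is reachable by deep import.
  if (exportsField === undefined || exportsField === null) return true;
  // A bare target string or fallback array only exposes the package root.
  if (typeof exportsField === 'string' || Array.isArray(exportsField)) {
    return subpath === '.';
  }
  const keys = Object.keys(exportsField);
  // Keys that are conditions ("import", "require") rather than paths: root only.
  if (!keys.some(k => k === '.' || k.startsWith('./'))) return subpath === '.';
  if (Object.prototype.hasOwnProperty.call(exportsField, subpath)) {
    return exportsField[subpath] !== null; // null explicitly blocks a subpath
  }
  // Pattern keys such as "./lib/*" match the remainder of the subpath.
  return keys.some(k => {
    const star = k.indexOf('*');
    if (star === -1) return false;
    const prefix = k.slice(0, star), suffix = k.slice(star + 1);
    return subpath.startsWith(prefix) && subpath.endsWith(suffix)
      && subpath.length >= prefix.length + suffix.length
      && exportsField[k] !== null;
  });
}

// Split a bare specifier ("uuid/v4", "@scope/pkg/sub") into the package
// subpath and ask whether the override candidate still serves it.
function deepImportSurvives(specifier, pkgJson) {
  const [, rest = ''] = specifier.match(/^(?:@[^/]+\/)?[^/]+(?:\/(.*))?$/) || [];
  const subpath = rest ? './' + rest : '.';
  return subpathExported(pkgJson.exports, subpath);
}

// Constructed package.json shapes for illustration (not copied from uuid).
const legacyPkg = { name: 'legacy-lib', version: '3.0.0' }; // no exports map
const modernPkg = {
  name: 'modern-lib', version: '14.0.0',
  exports: { '.': { import: './dist/index.mjs', require: './dist/index.cjs' } }
};

console.log('uuid/v4 on legacy:', deepImportSurvives('uuid/v4', legacyPkg));  // true
console.log('uuid/v4 on modern:', deepImportSurvives('uuid/v4', modernPkg));  // false
```

Run this over each transitive consumer's deep imports before committing an override; a `false` is the signal that the bump needs the consumer upgraded (or replaced, as the PR plans for `gherkin-lint`) rather than forced.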