Skip to content

chore(deps): fix all open dependabot security alerts#3388

Merged
tac0turtle merged 3 commits into
mainfrom
marko/dep-security-bumps
Jul 16, 2026
Merged

chore(deps): fix all open dependabot security alerts#3388
tac0turtle merged 3 commits into
mainfrom
marko/dep-security-bumps

Conversation

@tac0turtle

@tac0turtle tac0turtle commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Overview

Clears all 30 open Dependabot alerts across the Go modules and the docs site.

Go modules (all indirect deps, bumped via go get + go mod tidy)

Module Bump Alerts cleared
tools/da-debug golang.org/x/crypto v0.49.0 → v0.52.0, golang.org/x/net v0.52.0 → v0.55.0 13 alerts incl. 7 critical SSH advisories
root, apps/testapp, apps/evm, test/e2e quic-go v0.59.0 → v0.59.1 HTTP/3 QPACK trailer expansion memory exhaustion (medium)
apps/loadgen filippo.io/edwards25519 v1.1.0 → v1.1.1 MultiScalarMult invalid results (low)

Docs site

  • VitePress 1.6.x pins vite 5 (EOL, no patched release) and VitePress 2.x is still alpha, so the patched versions are forced via yarn resolutions: vite ^6.4.3, esbuild ^0.25.0, lodash-es ^4.18.0. All three vulns are dev-server-only; yarn build verified passing with the forced versions.
  • Removed stale docs/package-lock.json — the docs CI workflows only use yarn, so the npm lockfile just generated duplicate alerts.

Verification

  • All six touched Go modules build clean
  • Full unit test suite (just test, all go.mods) passes
  • govulncheck clean on bumped modules
  • yarn build in docs/ passes

Not actionable

govulncheck also flags GO-2024-3218 (Kademlia DHT content-censorship advisory in go-libp2p-kad-dht, reachable from pkg/p2p). No fixed version exists — it is a protocol-design issue every kad-dht consumer carries.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated networking, cryptography, system, and elliptic-curve libraries to newer patch versions.
    • Added version resolutions for key documentation build tools and utilities.
    • Kept dependency metadata otherwise unchanged.

tac0turtle and others added 2 commits July 16, 2026 14:49
- tools/da-debug: bump golang.org/x/crypto to v0.52.0 and golang.org/x/net
  to v0.55.0 (7 critical SSH advisories, plus high/medium DoS fixes)
- root, apps/testapp, apps/evm, test/e2e: bump quic-go to v0.59.1
  (HTTP/3 QPACK trailer expansion memory exhaustion)
- apps/loadgen: bump filippo.io/edwards25519 to v1.1.1
- docs: force patched vite ^6.4.3, esbuild ^0.25.0, lodash-es ^4.18.0 via
  yarn resolutions (vitepress 1.x pins EOL vite 5; vitepress 2 is still alpha)
- docs: remove stale package-lock.json — CI workflows only use yarn, the npm
  lockfile just generated duplicate alerts

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed⏩ skipped✅ passed⏩ skippedJul 16, 2026, 12:53 PM

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • execution/evm/go.sum is excluded by !**/*.sum
  • execution/evm/test/go.sum is excluded by !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 85f6b8e1-3b07-48bc-b88c-3c962d3076ab

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Updates indirect Go dependencies across multiple modules, refreshes selected DA debug tool dependencies, and adds frontend dependency resolutions for the documentation package.

Changes

Dependency updates

Layer / File(s) Summary
Go module dependency alignment
go.mod, apps/*/go.mod, test/e2e/go.mod
Updates quic-go to v0.59.1 and edwards25519 to v1.1.1 across the affected Go modules.
DA debug dependency updates
tools/da-debug/go.mod
Updates indirect versions of golang.org/x/crypto, golang.org/x/net, and golang.org/x/sys.
Documentation dependency resolutions
docs/package.json
Adds enforced versions for esbuild, lodash-es, and vite.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

Suggested labels: T:dependencies

Suggested reviewers: julienrbrt

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the dependency security alert cleanup across Go modules and docs.
Description check ✅ Passed The description includes the required Overview and provides sufficient context, changes, and verification details.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch marko/dep-security-bumps

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor
PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-07-16 14:22 UTC

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.32%. Comparing base (b4b895b) to head (b1b8974).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3388      +/-   ##
==========================================
- Coverage   62.34%   62.32%   -0.02%     
==========================================
  Files         120      120              
  Lines       13452    13452              
==========================================
- Hits         8386     8384       -2     
  Misses       4126     4126              
- Partials      940      942       +2     
Flag Coverage Δ
combined 62.32% <ø> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@tac0turtle tac0turtle merged commit 8e8cdde into main Jul 16, 2026
52 of 53 checks passed
@tac0turtle tac0turtle deleted the marko/dep-security-bumps branch July 16, 2026 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant