
chore(deps): auto-fix Dependabot alerts#1560

Closed
priyanshu92 wants to merge 1 commit into main from copilot/dependabot-autofix-24821793803

Conversation

@priyanshu92
Contributor

Re-opened from #1559 under a human author so the Microsoft CLA bot will evaluate.

Summary

Fixes all 33+ open Dependabot security alerts (32 moderate, 1 high) in a single consolidated PR.

Alerts Addressed

1. brace-expansion (GHSA-f886-m6hf-6m8v) — Moderate

  • Old version: 1.1.12 → New version: 1.1.14
  • Path: @vscode/vsce > minimatch@3.1.5 > brace-expansion
  • Issue: Zero-step sequence causes process hang and memory exhaustion
  • Fix: Updated via npm audit fix

2. path-to-regexp (GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7) — High

  • Old version: 8.3.0 → New version: 8.4.2
  • Path: @vscode/test-web > @koa/router > path-to-regexp
  • Issue: DoS via sequential optional groups and multiple wildcards
  • Fix: Updated via npm audit fix

3. uuid (GHSA-w5hq-g745-h8pq) — Moderate

  • Old versions: 8.3.2, 9.0.1, 11.1.0 → New version: 14.0.0
  • Affected packages: @azure/msal-node, all @fluidframework/* packages, @microsoft/generator-powerpages, istanbul-lib-processinfo (via nyc)
  • Issue: Missing buffer bounds check in v3/v5/v6 when buf is provided
  • Fix: Added "uuid": "^14.0.0" to overrides in package.json to force all transitive instances to the patched version

Additional updates (via npm audit fix)

  • @fluidframework/azure-client and fluid-framework: 2.91.0 → 2.93.0 (resolves uuid@11 transitives)
  • Various other @fluidframework/* packages: 2.91.0 → 2.93.0
  • @fluidframework/server-services-client: 7.0.0 → 7.0.1

Verification

  • npm audit reports 0 vulnerabilities after fixes
  • npm run build passes (pre-existing telemetry-generated module warning is unrelated)
  • npm test passes — all 95 unit tests pass

- brace-expansion 1.1.12 → 1.1.14 (GHSA-f886-m6hf-6m8v, moderate)
  via @vscode/vsce > minimatch@3.1.5; fixed by npm audit fix

- path-to-regexp 8.3.0 → 8.4.2 (GHSA-j3q9-mxjg-w52f / GHSA-27v5-c462-wpq7, high)
  via @vscode/test-web > @koa/router; fixed by npm audit fix

- uuid <14.0.0 → 14.0.0 (GHSA-w5hq-g745-h8pq, moderate)
  Missing buffer bounds check in v3/v5/v6 when buf is provided.
  Added overrides.uuid=^14.0.0 to force all transitive instances
  (@azure/msal-node, @fluidframework/*, @microsoft/generator-powerpages,
  istanbul-lib-processinfo/nyc) to the patched version.
  Also updated @fluidframework/azure-client and fluid-framework from
  2.91.0 → 2.93.0 (picked up by npm audit fix).
@priyanshu92 priyanshu92 requested review from a team as code owners April 23, 2026 07:31
@priyanshu92 priyanshu92 enabled auto-merge (squash) April 23, 2026 07:33
auto-merge was automatically disabled April 23, 2026 07:54

Pull request was closed

@priyanshu92 priyanshu92 deleted the copilot/dependabot-autofix-24821793803 branch April 23, 2026 07:55
