chore(deps): fix 4 open Dependabot alert(s)#1563
Closed
power-pages-github-app[bot] wants to merge 1 commit into main from
- Add brace-expansion@1.1.13 override inside @vscode/vsce scope (GHSA-f886-m6hf-6m8v, moderate)
- Add path-to-regexp@8.4.0 override for range >=8.0.0 <8.4.0 (GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7, high)
- Pin uuid to 14.0.0 in both dependencies and overrides to deduplicate all transitive uuid instances to the patched version (GHSA-w5hq-g745-h8pq, moderate)
Summary
Fixes 4 open Dependabot alert(s) as enumerated by `npm audit` (Dependabot API access was not available via the provided tokens; vulnerabilities identified via npm advisory database which reflects the same GHSA advisories).

Alerts addressed

- brace-expansion (#1, moderate, GHSA-f886-m6hf-6m8v) — vulnerable `< 1.1.13` → patched `1.1.13`. Strategy: override. Added `"brace-expansion": "1.1.13"` inside the `@vscode/vsce` scoped override (which already pins `minimatch@3.1.5` → `brace-expansion@1.1.12`).
- path-to-regexp (#2, high, GHSA-j3q9-mxjg-w52f) — vulnerable `>= 8.0.0, < 8.4.0` → patched `8.4.0`. Strategy: override. Added range-scoped override `"path-to-regexp@>=8.0.0 <8.4.0": "8.4.0"` to fix only the vulnerable 8.x instance (via `@vscode/test-web → @koa/router`) without touching `sinon → nise → path-to-regexp@6.3.0` (not in vulnerable range).
- path-to-regexp (#3, high, GHSA-27v5-c462-wpq7) — vulnerable `>= 8.0.0, < 8.4.0` → patched `8.4.0`. Strategy: override. Same override as #2 addresses this alert.
- uuid (#4, moderate, GHSA-w5hq-g745-h8pq) — vulnerable `< 14.0.0` → patched `14.0.0`. Strategy: override + direct-bump. Changed direct dependency from `^14.0.0` to exact `14.0.0` and added `"uuid": "14.0.0"` to overrides. This forces npm to deduplicate all transitive uuid instances (previously `@azure/msal-node@8.3.2`, `@microsoft/generator-powerpages@9.0.1`, `@fluidframework/*@11.1.0`, `nyc → istanbul-lib-processinfo@8.3.2`) to the single patched version. uuid@14.0.0 provides CJS-compatible exports via the `node` export condition, verified on Node.js 20.

Collateral changes

- `uuid` dependency range was changed from `^14.0.0` to `14.0.0` (exact) to allow the override to apply. Since 14.0.0 is the only 14.x version published, this has no practical effect on resolution.
- `uuid` packages (8.x, 9.x, 11.x) were removed from `node_modules` and deduplicated to the top-level `uuid@14.0.0`.

Verification

- `npm run build`: PASS (exit code 0; pre-existing `telemetry-generated/buildRegionConfiguration` warning is CI-generated and unrelated to this change)
- `npm test`: PASS (95 tests passing)
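Added example, not part of this PR or the repository: a Node.js script that reads a lockfileVersion 2/3 `package-lock.json` and reports every resolved copy of the three packages that is still inside the advisory ranges listed above, which is a more direct check of the override effect than `npm run build` and `npm test` alone. The embedded lockfile is a constructed sample of the pre-override tree; pass a real lockfile path as the first argument to check an actual repository.

```javascript
// Added example, not from the PR: audit a package-lock.json (lockfileVersion 2/3)
// for resolved versions still inside the advisory ranges the overrides target.
// Advisory ranges as stated in the PR: [package, min (inclusive, null = none), max (exclusive)]
const ADVISORIES = [
  ['brace-expansion', null, '1.1.13'],  // GHSA-f886-m6hf-6m8v
  ['path-to-regexp', '8.0.0', '8.4.0'], // GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7
  ['uuid', null, '14.0.0'],             // GHSA-w5hq-g745-h8pq
];
// Minimal numeric semver compare; prerelease tags are dropped (assumption: none matter here).
function cmp(a, b) {
  const x = a.split('-')[0].split('.').map(Number);
  const y = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
function isVulnerable(name, version) {
  return ADVISORIES.some(([n, lo, hi]) =>
    n === name && (lo === null || cmp(version, lo) >= 0) && cmp(version, hi) < 0);
}
// Lockfile "packages" keys are install paths such as
// "node_modules/@koa/router/node_modules/path-to-regexp"; the package name is the last segment.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue; // skip root entry and workspace links
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (isVulnerable(name, meta.version)) hits.push(`${path}@${meta.version}`);
  }
  return hits;
}
// Constructed sample of the pre-override tree the PR describes (nested uuid 8.x,
// path-to-regexp 8.x under @koa/router, brace-expansion 1.1.12 under @vscode/vsce).
const SAMPLE_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'example' },
  'node_modules/uuid': { version: '14.0.0' },
  'node_modules/@azure/msal-node/node_modules/uuid': { version: '8.3.2' },
  'node_modules/@koa/router/node_modules/path-to-regexp': { version: '8.2.0' },
  'node_modules/nise/node_modules/path-to-regexp': { version: '6.3.0' },
  'node_modules/@vscode/vsce/node_modules/brace-expansion': { version: '1.1.12' },
} };
// CLI: node check-lock.js [package-lock.json]; without an argument the constructed sample is used.
if (typeof require === 'function' && typeof module === 'object' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_BEFORE;
  const hits = findVulnerable(lock);
  console.log(hits.length ? hits.join('\n') : 'no vulnerable versions resolved');
  process.exitCode = hits.length ? 1 : 0; // non-zero so CI can fail on regressions
}
```

Against the constructed sample it reports three paths (the nested uuid 8.3.2, path-to-regexp 8.2.0 and brace-expansion 1.1.12) and leaves `nise`'s path-to-regexp 6.3.0 alone, matching the range-scoped override described above.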