
chore: resolve open dependabot security alerts #24

Merged: jonathannorris merged 4 commits into main from chore/dependabot-alerts, Jun 19, 2026

Conversation

@jonathannorris (Member)

Summary

  • Bumped fast-uri to 3.1.2 to resolve high severity vulnerabilities (alerts #115, #116)
  • Bumped ip-address to 10.1.1 to resolve medium severity vulnerability (alert #114)
  • Bumped picomatch to 4.0.4 to resolve medium severity vulnerability (alert #113)
  • Bumped @semantic-release/npm to >=13.1.5 to satisfy engine requirements and pull in patched npm@11 bundled deps
  • Pinned Node.js to 22.14.x in CI workflows to satisfy @semantic-release/npm@13.1.5 engine requirement

Dependabot Alerts Resolved

Alert        Package     Severity  Fix
#115, #116   fast-uri    high      Bumped to 3.1.2 via override
#114         ip-address  medium    Bumped to 10.1.1 via override
#113         picomatch   medium    Bumped to 4.0.4 via override

- fast-uri 3.1.0 -> 3.1.2 (high, alerts #115 #116)
- ip-address 10.1.0 -> 10.1.1 (medium, alert #114)
- picomatch 4.0.3 -> 4.0.4 (medium, alert #113)
- @semantic-release/npm bumped to >=13.0.0 to pull in npm@11 with patched bundled deps
Copilot AI review requested due to automatic review settings June 19, 2026 14:03
@jonathannorris jonathannorris requested a review from a team as a code owner June 19, 2026 14:03
@jonathannorris jonathannorris enabled auto-merge (squash) June 19, 2026 14:03
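One check worth running after a PR like this, added here as an example and not code from the project or the PR author: walk package-lock.json and flag any installed copy of a package, hoisted or nested under another package's own node_modules, that is still below the patched version. An npm override only closes the alert if the regenerated lockfile actually resolved the patched version at every path. The minimum versions are the ones from the PR summary; the sample lockfile, the function names and the deliberately stale nested picomatch copy are constructed for illustration.

```javascript
// Added example (not part of the PR): confirm that npm "overrides" took effect
// by scanning a lockfile for any remaining copy of a package below the patched
// version. Lockfile v2/v3 lists every installed copy under "packages", keyed by
// its path, e.g. "node_modules/tinyglobby/node_modules/picomatch".
'use strict';

// Minimum patched versions, taken from the PR summary.
const MINIMUMS = {
  'fast-uri': '3.1.2',
  'ip-address': '10.1.1',
  'picomatch': '4.0.4',
};

// Parse "1.2.3" (optionally with a -prerelease or +build suffix) into numbers.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split('.').map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease of X sorts below the X release, so "3.1.2-beta.1" is still
// reported as unpatched against a 3.1.2 minimum.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  const preA = a.includes('-');
  const preB = b.includes('-');
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

// Package name from a lockfile path: the text after the last "node_modules/".
// Works for nested copies and for scoped names such as "@semantic-release/npm".
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Walk every installed copy and report those below the required minimum.
function findUnpatched(lockfile, minimums = MINIMUMS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      findings.push({ path, name, version: entry.version, required: minimums[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile (not the project's real lockfile). The hoisted
// picomatch satisfies the override, but a nested copy under tinyglobby still
// resolves to the vulnerable 4.0.3, which a plain "npm ls" at the top level
// can be easy to overlook.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', version: '0.0.0' },
    'node_modules/fast-uri': { version: '3.1.2' },
    'node_modules/ip-address': { version: '10.1.1' },
    'node_modules/picomatch': { version: '4.0.4' },
    'node_modules/tinyglobby': { version: '0.2.10' },
    'node_modules/tinyglobby/node_modules/picomatch': { version: '4.0.3' },
    'node_modules/@semantic-release/npm': { version: '13.1.5' },
  },
};

// Stand-alone use: node check-overrides.js [path/to/package-lock.json]
// Without an argument the constructed sample above is scanned instead.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const bad = findUnpatched(lock);
  for (const f of bad) {
    console.log(`${f.path}: ${f.name}@${f.version} is below ${f.required}`);
  }
  process.exitCode = bad.length ? 1 : 0;
}
```

The script exits non-zero when any stale copy remains, so it can sit in the same CI job that installs dependencies; the file name check-overrides.js is an assumption, not something the repository ships.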

Copilot AI left a comment


Pull request overview

This PR aims to resolve outstanding Dependabot security alerts by updating vulnerable transitive npm dependencies via overrides, updating the lockfile accordingly, and aligning GitHub Actions CI Node.js versions with new engine requirements introduced by updated release tooling.

Changes:

  • Updated package.json overrides to pull patched versions of fast-uri, ip-address, and @semantic-release/npm, plus a targeted tinyglobby -> picomatch override.
  • Regenerated package-lock.json to reflect the overrides and updated transitive dependency graph (notably @semantic-release/npm and bundled npm).
  • Pinned GitHub Actions workflows to Node 22.14.x, and ignored .worktrees/ in git and prettier configs.

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 2 comments.

Summary per file

File                             Description
package.json                     Adds/adjusts npm overrides for vulnerable transitive dependencies (and introduces a targeted tinyglobby override).
package-lock.json                Lockfile update reflecting new override resolutions and dependency tree changes.
.prettierignore                  Ignores .worktrees/ from prettier checks.
.gitignore                       Ignores .worktrees/ from git.
.github/workflows/test.yml       Pins CI test job Node version to 22.14.x.
.github/workflows/release.yml    Pins release workflow Node version to 22.14.x.
.github/workflows/benchmark.yml  Pins benchmark workflow Node version to 22.14.x.


Comment thread package.json
Comment on lines 31 to +36
"overrides": {
"handlebars": "^4.7.9",
"picomatch": "^2.3.2",
"tinyglobby": {
"picomatch": "4.0.4"
},
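Review bot: the blanket `"picomatch": "^2.3.2"` override and the nested `"tinyglobby": { "picomatch": "4.0.4" }` override pull in opposite directions. The PR summary says alert #113 is fixed by moving picomatch 4.0.3 to 4.0.4, yet the top-level override forces every picomatch consumer other than tinyglobby onto the 2.x line, so any other dependency that declares picomatch 4.x would be downgraded rather than patched. Please confirm after a clean install (for example with `npm ls picomatch`) that tinyglobby is the only 4.x consumer, and add a short comment in package.json or the PR description explaining why two picomatch overrides coexist, since the description only mentions the 4.0.4 bump.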
Comment thread package.json
@@ -31,9 +31,15 @@
"overrides": {
@jonathannorris jonathannorris merged commit 08ffd02 into main Jun 19, 2026
8 checks passed
@jonathannorris jonathannorris deleted the chore/dependabot-alerts branch June 19, 2026 17:36