Skip to content

chore: resolve open dependabot security alerts#371

Merged
jonathannorris merged 3 commits into
mainfrom
chore/dependabot-alerts
May 19, 2026
Merged

chore: resolve open dependabot security alerts#371
jonathannorris merged 3 commits into
mainfrom
chore/dependabot-alerts

Conversation

@jonathannorris

@jonathannorris jonathannorris commented May 13, 2026

Copy link
Copy Markdown
Member

Summary

Resolved 3 open Dependabot security alerts by bumping vulnerable transitive dependencies.

Dependabot Alerts Resolved

Alert Package Severity Fix
#103 brace-expansion medium Bumped to 5.0.6 via yarn resolution (large numeric range defeats documented max DoS protection)
#102 fast-uri high Bumped to 3.1.2 via yarn resolution (host confusion via percent-encoded authority delimiters)
#101 fast-uri high Bumped to 3.1.2 via yarn resolution (path traversal via percent-encoded dot segments)

Both fast-uri and brace-expansion are transitive dependencies. resolutions entries in package.json force the patched versions.

- fast-uri 3.0.1 -> 3.1.2 (high, alerts #101 #102)
Copilot AI review requested due to automatic review settings May 13, 2026 13:33
@jonathannorris jonathannorris requested a review from a team as a code owner May 13, 2026 13:33

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Resolves Dependabot security alerts by pinning the transitive fast-uri dependency to a patched version (≥3.1.2) via a Yarn resolutions entry.

Changes:

  • Added fast-uri: ">=3.1.2" to resolutions in package.json.
  • Updated yarn.lock so fast-uri resolves to 3.1.2.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Adds Yarn resolution forcing fast-uri to ≥3.1.2 to address the security advisories.
yarn.lock Reflects the new resolved fast-uri version 3.1.2 with updated checksum.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jonathannorris jonathannorris enabled auto-merge (squash) May 13, 2026 13:34
Copilot AI review requested due to automatic review settings May 19, 2026 15:01

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

@jonathannorris jonathannorris merged commit 2fe3aa2 into main May 19, 2026
6 checks passed
@jonathannorris jonathannorris deleted the chore/dependabot-alerts branch May 19, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants