fix(security): raise esbuild, js-yaml, and dompurify override floors across JS workspaces #671
langwatch-agent wants to merge 2 commits into
CodeRabbit walkthrough: Updates dependency override ranges in the docs workspace, JavaScript package manifests, and the Python lovable_clone template, including new esbuild floor rules and revised js-yaml and dompurify mappings. Changes: dependency override updates.
Pre-merge checks: 5 passed.
CI is fully green. The first run was red only on a pre-existing, unrelated voice BDD contract failure (a scenario tagged only
Force-pushed 3063900 to c3acfc6.
Rebased onto current main (resolved the overlap with the merged #684). esbuild resolves to 0.28.1 across docs/javascript/template; the javascript library lock diff is esbuild-only, doc/example-dir locks refreshed via the override fresh-resolve. CI fully green, MERGEABLE. Ready for human review and merge. |
Force-pushed c3acfc6 to 0600ba6.
Rebased onto main to clear the conflicts that appeared after the vite 8.x security PR (#709) merged into the same override blocks and locks. Kept both override sets; regenerated all four locks so esbuild resolves to 0.28.1 across docs, javascript (pnpm + npm), and the lovable_clone template (pnpm + npm). While here, also closed the javascript npm-lock esbuild alert (#437): javascript/package.json had esbuild only under pnpm.overrides, so the npm package-lock stayed on 0.27.7. Added a top-level npm overrides entry and regenerated, so this PR now resolves both esbuild alerts (#411 pnpm-lock and #437 package-lock). CI is green and the PR is mergeable again. |
Adds js-yaml floors (3.x line to >=3.15.0 capped <4, 4.x line to >=4.2.0 capped <5 to avoid the 5.x major) across docs, javascript (pnpm + npm), and the lovable_clone template (pnpm + npm), and raises the docs dompurify floor to >=3.4.11. Regenerated locks resolve js-yaml to 3.15.0 / 4.2.0 / 4.3.0 and dompurify to 3.4.11. Clears MODERATE alerts js-yaml #477/#478/#479/#480 and dompurify #473 (also covers the earlier dompurify #425), alongside the esbuild floors already in this PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Folded in the js-yaml and dompurify MODERATE floors, since they live in the same override blocks and locks this PR already edits (docs, javascript pnpm+npm, template pnpm+npm):
Now closes esbuild #411/#437, js-yaml #477/#478/#479/#480, and dompurify #473 (also covers the older dompurify #425). Dogfooded: javascript frozen install + typecheck clean + 853 unit tests pass.
CI is green on re-run. The earlier ci-checks failure was a flaky
Automated low-risk assessment This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.
This PR requires a manual review before merging.
What
Forces `esbuild` to `>=0.28.1` across every scenario workspace via overrides, and regenerates each lockfile so both direct and transitive esbuild resolve to 0.28.1.
- `docs/pnpm-workspace.yaml` overrides
- `javascript/package.json` pnpm overrides
- `python/examples/lovable_clone/template/package.json` (both npm `overrides` and `pnpm.overrides`)
Why
`esbuild` `>=0.17.0 <0.28.1` is affected by two advisories, both patched in 0.28.1:
- … `NPM_CONFIG_REGISTRY`.
Resolves Dependabot alerts #411, #412, #413, #414, #415.
Verification
- javascript: `tsc --noEmit` passes, `tsup` build succeeds with esbuild 0.28.1.
- docs: `vocs build` (vite + esbuild 0.28.1) completes and prerenders all pages.
- … `<0.28.1` remains in any lock.
Notes
The `docs` and `template` lockfiles show a large diff: a pnpm override only takes effect on a full re-resolution, so those locks were regenerated from scratch, which also refreshes other transitive deps to the latest within their existing semver ranges. The `javascript` lock moved incrementally and stays small. All builds pass on the refreshed locks.
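Two points in this thread deserve a repeatable check rather than a one-off grep: the "no esbuild below the floor remains in any lock" verification above, and the earlier comment that `javascript/package.json` carried esbuild only under `pnpm.overrides`, so the npm `package-lock.json` silently stayed on 0.27.7 while the pnpm lock moved. The script below is an added example, not code from this PR or the langwatch repository. It scans an npm `package-lock.json` (lockfileVersion 2/3, `packages` map) and a `pnpm-lock.yaml` (the `packages:` section) for every installed copy of the pinned packages, flags copies below their floor, and reports override keys that exist in `overrides` but not `pnpm.overrides` or vice versa. Floors are keyed per major so the js-yaml 3.x/4.x split from this PR is handled. The `FLOORS` table and all three inputs are constructed samples; the lockfile field shapes and key formats are the real ones.

```javascript
// Added example (not from the PR or the repository): audit that override
// floors landed in BOTH lockfiles of a pnpm+npm workspace and that
// package.json declares the same floor for npm (`overrides`) and pnpm
// (`pnpm.overrides`). All inputs below are constructed samples.

// Floors described in the PR. "name@N" applies only to major N, a bare name
// to every major (mirrors the override-selector form both tools accept).
const FLOORS = {
  esbuild: "0.28.1",
  "js-yaml@3": "3.15.0",
  "js-yaml@4": "4.2.0",
  dompurify: "3.4.11",
};

function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => Number(n) || 0);
}

// Negative if a < b, 0 if equal, positive if a > b (major.minor.patch only).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) - (y[i] || 0);
  }
  return 0;
}

function floorFor(name, version) {
  return FLOORS[`${name}@${parseVersion(version)[0]}`] ?? FLOORS[name] ?? null;
}

// npm lockfileVersion 2/3: every installed copy, including nested ones such
// as node_modules/vite/node_modules/esbuild, is a key of `packages`; "" is
// the root project and is skipped.
function versionsFromNpmLock(lock) {
  return Object.entries(lock.packages ?? {})
    .filter(([path]) => path !== "")
    .map(([path, meta]) => ({
      name: path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length),
      version: meta.version,
      where: path,
    }));
}

// pnpm-lock.yaml: the `packages:` section has one two-space-indented
// `name@version:` key per resolved package (quoted when scoped, optional
// peer suffix in parentheses, leading "/" in lockfileVersion 6). A line scan
// is enough; no YAML parser is needed.
function versionsFromPnpmLock(text) {
  const out = [];
  let inPackages = false;
  for (const line of text.split("\n")) {
    if (/^\S/.test(line)) { inPackages = line.startsWith("packages:"); continue; }
    if (!inPackages) continue;
    const m = /^  \/?'?(@?[^'@\s]+)@([0-9][^'(:\s]*)/.exec(line);
    if (m) out.push({ name: m[1], version: m[2], where: line.trim() });
  }
  return out;
}

// Installed copies that still sit below their floor.
function violations(entries) {
  return entries.filter(({ name, version }) => {
    const floor = floorFor(name, version);
    return floor !== null && compareVersions(version, floor) < 0;
  });
}

// Override keys whose value differs between `overrides` (npm) and
// `pnpm.overrides` (pnpm), or exists on one side only.
function overrideDrift(pkg) {
  const npm = pkg.overrides ?? {};
  const pnpm = pkg.pnpm?.overrides ?? {};
  return [...new Set([...Object.keys(npm), ...Object.keys(pnpm)])]
    .filter((k) => npm[k] !== pnpm[k])
    .sort();
}

// Constructed samples: the pnpm side has a js-yaml floor npm never sees, and
// a nested esbuild copy under vite is still on the old version in the npm lock.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-workspace",
  overrides: { esbuild: ">=0.28.1" },
  pnpm: { overrides: { esbuild: ">=0.28.1", "js-yaml@3": ">=3.15.0 <4" } },
};
const SAMPLE_PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-workspace" },
    "node_modules/esbuild": { version: "0.28.1" },
    "node_modules/vite": { version: "7.1.0" },
    "node_modules/vite/node_modules/esbuild": { version: "0.27.7" },
    "node_modules/js-yaml": { version: "4.1.0" },
  },
};
const SAMPLE_PNPM_LOCK = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      esbuild:
        specifier: '>=0.28.1'
        version: 0.28.1

packages:

  esbuild@0.28.1:
    resolution: {integrity: sha512-constructed}

  js-yaml@3.14.1:
    resolution: {integrity: sha512-constructed}

  '@types/node@22.0.0':
    resolution: {integrity: sha512-constructed}

snapshots:

  esbuild@0.28.1: {}
`;

function auditSample() {
  return {
    drift: overrideDrift(SAMPLE_PACKAGE_JSON),
    npm: violations(versionsFromNpmLock(SAMPLE_PACKAGE_LOCK)),
    pnpm: violations(versionsFromPnpmLock(SAMPLE_PNPM_LOCK)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditSample(), null, 2));
}
```

Run against real files by replacing the three samples with `JSON.parse(fs.readFileSync(...))` / `fs.readFileSync(..., "utf8")`; a non-empty `drift` is the exact condition that let the npm lock lag behind the pnpm lock in this PR, and a non-empty `npm`/`pnpm` list means an override has not taken effect and the lock needs a fresh resolution.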