Bump JS deps to resolve all 29 open Dependabot alerts#17381
Draft
IEvangelist wants to merge 4 commits into
Conversation
Patches 8 Dependabot alerts on the VS Code extension by bumping:
- ws 8.20.0 -> 8.20.1 (GHSA-58qx-3vcg-4xpx, alerts microsoft#1154, microsoft#1155)
- fast-uri ^3.0.1 (was 3.1.0) -> 3.1.2 via overrides + resolutions (GHSA-q3j6-qgpj-74h6 alerts microsoft#1019, microsoft#1020; GHSA-v39h-62p7-jpjc alerts microsoft#1021, microsoft#1022)
- @nevware21/ts-utils 0.13.0 -> 0.14.0 via overrides + resolutions (GHSA-x7j8-49r8-mr43, alerts microsoft#1160, microsoft#1161)

ws is a direct dependency so its version is bumped in package.json. The two transitive packages are pinned via the existing overrides (npm) and resolutions (yarn) blocks. Both package-lock.json and yarn.lock are regenerated to keep the lockfiles in sync.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…server alerts

Patches 4 Dependabot alerts on the Angular playground by pinning three transitive packages in the existing overrides block:
- fast-uri 3.1.0 -> 3.1.2 (GHSA-q3j6-qgpj-74h6 alert microsoft#1018; GHSA-v39h-62p7-jpjc alert microsoft#1023)
- @babel/plugin-transform-modules-systemjs 7.28.5 -> 7.29.4 (GHSA-fv7c-fp4j-7gwp, alert microsoft#1024)
- webpack-dev-server 5.2.3 -> 5.2.4 (GHSA-79cf-xcqc-c78w, alert microsoft#1152)

All three are transitive (none appear in dependencies / devDependencies), so npm 'overrides' is the right tool. package-lock.json is regenerated with npm install --package-lock-only.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…rver alerts

Patches 4 Dependabot alerts on the React playground:
- webpack-dev-server is a direct devDependency, so its range is bumped from ^5.2.2 to ^5.2.4. npm rejects 'overrides' entries that conflict with a direct dependency, so the range itself must move. (GHSA-79cf-xcqc-c78w, alert microsoft#1153)
- fast-uri 3.1.0 -> 3.1.2 via overrides (GHSA-q3j6-qgpj-74h6 alert microsoft#1017; GHSA-v39h-62p7-jpjc alert microsoft#1025)
- @babel/plugin-transform-modules-systemjs 7.28.5 -> 7.29.4 via overrides (GHSA-fv7c-fp4j-7gwp, alert microsoft#1026)

The larger lockfile diff is from webpack-dev-server 5.2.4 swapping its TLS cert generator from node-forge to @peculiar/x509 upstream; both deps are dev-only and only exercised by 'npm start' in this playground.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Patches all 13 open Dependabot alerts on the next.js test fixture used by Aspire.Cli.EndToEnd.Tests by bumping 'next' from 15.5.15 to 15.5.18. 15.5.18 is the first version patched against every listed GHSA, including the latest cache-confusion alert which requires >= 15.5.18.

High severity (alerts microsoft#1043-1045, microsoft#1047-1050, microsoft#1055):
- GHSA-8h8q-6873-q5fj (microsoft#1043)
- GHSA-36qx-fr4f-26g5 (microsoft#1044)
- GHSA-267c-6grr-h53f (microsoft#1045)
- GHSA-492v-c6pp-mqqv (microsoft#1047)
- GHSA-c4j6-fc7j-m34r (microsoft#1048)
- GHSA-mg66-mrh9-m8jx (microsoft#1050)
- GHSA-26hh-7cqf-hhc6 (microsoft#1055)

Medium (alerts microsoft#1046, microsoft#1049, microsoft#1051, microsoft#1053):
- GHSA-wfc6-r584-vfw7 (microsoft#1046)
- GHSA-h64f-5h5j-jqjh (microsoft#1049)
- GHSA-gx5p-jg67-6x7h (microsoft#1051)
- GHSA-ffhc-5mcf-pf4q (microsoft#1053)

Low (alerts microsoft#1052, microsoft#1054):
- GHSA-vfv6-92ff-j949 (microsoft#1052)
- GHSA-3g8h-86w9-wvmq (microsoft#1054)

This fixture is the JsPublish scenario in the CLI e2e tests; the project is published via 'aspire publish' but is not built by the .NET solution.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17381
Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17381"
Summary
Closes the remaining 29 open Dependabot alerts on this repo by bumping the four JavaScript lockfile-based manifests. The Dependabot grouped PR #17377 covers 25 of these alerts but leaves four behind — @nevware21/ts-utils in extension/ (alerts #1160 / #1161) and webpack-dev-server in the Angular and React playgrounds (alerts #1152 / #1153). This PR is a single, manually authored replacement that covers the full set in one place.

Companion to the OpenTelemetry alert fix (#17171, already merged) which patched the lockfile-less package.json-only manifests that Dependabot can't bump on its own.

Alerts addressed (29 total)
| Manifest | Package | Vulnerable range | Fixed version |
|---|---|---|---|
| extension/{package-lock.json,yarn.lock} | ws | < 8.20.1 | 8.20.1 |
| extension/{package-lock.json,yarn.lock} | fast-uri | <= 3.1.0 | 3.1.2 |
| extension/{package-lock.json,yarn.lock} | fast-uri | <= 3.1.1 | 3.1.2 |
| extension/{package-lock.json,yarn.lock} | @nevware21/ts-utils | <= 0.13.0 | 0.14.0 |
| playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json | fast-uri | <= 3.1.0 | 3.1.2 |
| playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json | fast-uri | <= 3.1.1 | 3.1.2 |
| playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json | @babel/plugin-transform-modules-systemjs | <= 7.29.3 | 7.29.4 |
| playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json | webpack-dev-server | <= 5.2.3 | 5.2.4 |
| playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json | fast-uri | <= 3.1.0 | 3.1.2 |
| playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json | fast-uri | <= 3.1.1 | 3.1.2 |
| playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json | @babel/plugin-transform-modules-systemjs | <= 7.29.3 | 7.29.4 |
| playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json | webpack-dev-server | <= 5.2.3 | 5.2.4 |
| tests/Aspire.Cli.EndToEnd.Tests/Fixtures/JsPublish/nextjs/package-lock.json | next | < 15.5.16 (×12) and < 15.5.18 (×1) | 15.5.18 |

How each manifest was updated
- extension/ — ws is a direct dependency, so its pin moves from 8.20.0 to 8.20.1 in package.json. fast-uri and @nevware21/ts-utils are transitive (telemetry chain via @vscode/extension-telemetry), so they're pinned via the existing overrides (npm) and resolutions (yarn) blocks. Both package-lock.json and yarn.lock are regenerated from the updated package.json so the two lockfiles stay in sync — the repo tracks both.
- playground/.../Angular — all three packages are transitive, so each is added to the existing overrides block. package-lock.json is regenerated with npm install --package-lock-only.
- playground/.../React — webpack-dev-server is a direct devDependency. npm rejects overrides entries that conflict with a direct dependency, so the range itself moves from ^5.2.2 to ^5.2.4. fast-uri and @babel/plugin-transform-modules-systemjs are still transitive, so they remain in overrides. The lockfile diff is large here because webpack-dev-server 5.2.4 swapped its TLS cert generator from node-forge to @peculiar/x509 upstream — the new family of @peculiar/asn1-* and pkijs packages are all dev-only and only loaded when running npm start against the playground.
- tests/.../JsPublish/nextjs — next is a direct dependency. Bumped from 15.5.15 to 15.5.18. 15.5.18 is the first version patched against all 13 alerts (the < 15.5.18 cache-confusion alert was the gating one; the older alerts are fixed at 15.5.16).

Validation
For each updated manifest, npm install --package-lock-only --no-audit --no-fund succeeds against the dnceng mirror, and every vulnerable version is gone from the resolved tree. A scripted scan of all four package-lock.json files plus extension/yarn.lock confirms zero leftover entries in the vulnerable ranges across all 29 alerts:

Risk notes for reviewers

- AGENTS.md rule: "Never change package.json or package-lock.json files unless explicitly asked to." This change was explicitly requested as a security-alert sweep, which is the documented exception.
- webpack-dev-server in the React playground brings the largest diff because of the upstream node-forge → @peculiar/x509 swap. The package is dev-only; nothing in the published artifacts or production code path is affected. Reviewers may want to confirm by spot-checking the start:* scripts in playground/AspireWithJavaScript/AspireJavaScript.React/package.json.
- next 15.5.15 → 15.5.18 is a patch bump (no breaking changes in the test fixture). The fixture is consumed by Aspire.Cli.EndToEnd.Tests via the JsPublish scenario; the CLI publishes the project but doesn't build the Next.js app itself in CI.
- extension/yarn.lock and extension/package-lock.json are both tracked; the existing repo convention is to keep them in sync, which this PR preserves.

Related
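As an added example (not the PR's own validation script), a small Node.js scanner in the spirit of the scripted lockfile check described under Validation: it walks a package-lock.json "packages" map, derives each package name from its node_modules path so nested and scoped copies are covered, and flags any resolved version still inside an alert's vulnerable range. The lockfile content is constructed sample data, and the version comparison assumes plain x.y.z versions.

```javascript
// Added example, not the PR's own script: scan an npm lockfile (v2/v3 "packages"
// map) for resolved versions still inside a vulnerable range, i.e. the check the
// Validation section describes. Ranges come from the PR's alert table.
const VULNERABLE = [
  { name: 'ws', range: '<8.20.1' },
  { name: 'fast-uri', range: '<=3.1.1' },
  { name: '@nevware21/ts-utils', range: '<=0.13.0' },
  { name: 'next', range: '<15.5.18' },
];
// Numeric compare of plain x.y.z versions; pre-release tags are not handled.
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Supports the "<x.y.z" and "<=x.y.z" forms used in the alert table.
function inRange(version, range) {
  const m = /^(<=|<)\s*(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = cmp(version, m[2]);
  return m[1] === '<' ? c < 0 : c <= 0;
}
// Package name is whatever follows the last "node_modules/" segment, so nested
// copies (node_modules/a/node_modules/b) and scoped names are both handled.
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? null : p.slice(i + 'node_modules/'.length);
}
// Returns every lockfile entry whose resolved version is still vulnerable.
function scanLock(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (!name || !info.version) continue;
    for (const v of VULNERABLE) {
      if (v.name === name && inRange(info.version, v.range))
        hits.push({ path, version: info.version, range: v.range });
    }
  }
  return hits;
}
// Constructed sample lockfile: the top-level fast-uri is fixed, but a nested
// copy under ajv is still on a vulnerable version and must be reported.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'sample', version: '1.0.0' },
  'node_modules/ws': { version: '8.20.1' },
  'node_modules/fast-uri': { version: '3.1.2' },
  'node_modules/ajv/node_modules/fast-uri': { version: '3.1.0' },
} };
console.log(scanLock(sampleLock)); // one hit: the nested fast-uri 3.1.0
```

Against a real repo, load each package-lock.json with JSON.parse(fs.readFileSync(...)) and pass it to scanLock; a non-empty result means an override or resolution did not reach every copy of the package.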