Skip to content

Commit c6d21f7

Browse files
mmckyclaude
andauthored
security: resolve npm Dependabot alerts and add npm ecosystem to Dependabot config (#399)
npm audit fix (all semver-compatible, devDependencies only): - webpack-dev-server 5.2.2 -> 5.2.4 (GHSA-79cf-xcqc-c78w) - shell-quote 1.8.1 -> 1.8.4 (GHSA-w7jw-789q-3m8p, critical) - qs 6.14.2 -> 6.15.2 (GHSA-q8mj-m7cp-5q26) - ws 8.18.0 -> 8.21.0 (GHSA-58qx-3vcg-4xpx) The uuid alert (GHSA-w5hq-g745-h8pq) is dismissed rather than patched: sockjs pins uuid@^8 and only calls uuid.v4(); the advisory affects v3/v5/v6 with a caller-provided buf, so the vulnerable code is unused. Also adds an npm package-ecosystem entry to dependabot.yml (monthly, grouped) so future npm advisories get automatic fix PRs. Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
1 parent 4e9f7a2 commit c6d21f7

3 files changed

Lines changed: 327 additions & 58 deletions

File tree

.github/dependabot.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,3 +11,13 @@ updates:
1111
prefix: ⬆️
1212
schedule:
1313
interval: weekly
14+
- package-ecosystem: npm
15+
directory: /
16+
commit-message:
17+
prefix: ⬆️
18+
schedule:
19+
interval: monthly
20+
groups:
21+
npm-dependencies:
22+
patterns:
23+
- "*"

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
### CI
11+
- **Cleared open Dependabot security alerts via `npm audit fix`**`webpack-dev-server` 5.2.2→5.2.4 (GHSA-79cf-xcqc-c78w), `shell-quote` 1.8.1→1.8.4 (GHSA-w7jw-789q-3m8p, critical), `qs` 6.14.2→6.15.2 (GHSA-q8mj-m7cp-5q26), `ws` 8.18.0→8.21.0 (GHSA-58qx-3vcg-4xpx). All transitive dev/build-time only; built theme assets unchanged. The remaining `uuid` alert (GHSA-w5hq-g745-h8pq) was dismissed as not exploitable — `sockjs` only calls `uuid.v4()`, the advisory affects `v3`/`v5`/`v6` with a caller-provided `buf`.
12+
- **Dependabot now watches npm** — added an `npm` ecosystem entry to `dependabot.yml` (monthly, grouped into a single PR) alongside the existing `github-actions` config.
13+
1014
## [0.21.0] - 2026-06-05
1115

1216
### Changed

0 commit comments

Comments
 (0)