Commit c6d21f7
security: resolve npm Dependabot alerts and add npm ecosystem to Dependabot config (#399)
npm audit fix (all semver-compatible, devDependencies only):
- webpack-dev-server 5.2.2 -> 5.2.4 (GHSA-79cf-xcqc-c78w)
- shell-quote 1.8.1 -> 1.8.4 (GHSA-w7jw-789q-3m8p, critical)
- qs 6.14.2 -> 6.15.2 (GHSA-q8mj-m7cp-5q26)
- ws 8.18.0 -> 8.21.0 (GHSA-58qx-3vcg-4xpx)
The uuid alert (GHSA-w5hq-g745-h8pq) is dismissed rather than patched:
sockjs pins uuid@^8 and only calls uuid.v4(); the advisory affects
v3/v5/v6 with a caller-provided buf, so the vulnerable code is unused.
Also adds an npm package-ecosystem entry to dependabot.yml (monthly,
grouped) so future npm advisories get automatic fix PRs.
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>1 parent 4e9f7a2 commit c6d21f7
3 files changed
Lines changed: 327 additions & 58 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
11 | 11 | | |
12 | 12 | | |
13 | 13 | | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
10 | 14 | | |
11 | 15 | | |
12 | 16 | | |
| |||
0 commit comments