fix(deps): patch fast-uri, qs, uuid to close 7 Dependabot alerts#76
Transitive dependency vulnerabilities flagged in both lockfiles. Remediated with npm overrides for fast-uri and qs in the root and editors/vscode manifests; the uuid alert is closed by a parent bump and needs no override.

- fast-uri: 3.1.0 -> 3.1.2 (GHSA-q3j6-qgpj-74h6 path traversal, High; GHSA-v39h-62p7-jpjc host confusion, High). Pulled by ajv in both trees. ajv depends on fast-uri ^3.x, so ^3.1.2 stays in range; override.
- qs: 6.15.1 -> 6.15.2 (GHSA-q8mj-m7cp-5q26 stringify DoS, Moderate). Pulled by express (root) and typed-rest-client (vscode); both want ^6.x, override.
- uuid: 8.3.2 -> removed (GHSA-w5hq-g745-h8pq buffer bounds, Moderate). The clean reinstall bumped @azure/msal-node 5.1.3 -> 5.2.2, which dropped its uuid dependency entirely. No uuid remains in the vscode lockfile, so no override is needed.

Both lockfiles regenerated. npm audit clean (0 vulnerabilities) in root and editors/vscode. build:core, full build, 473 tests, typecheck, and the 29 conformance fixtures all green; lint unchanged from baseline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Closes the 7 open Dependabot alerts (4 High, 3 Moderate) for transitive dependencies appearing in both `package-lock.json` (root) and `editors/vscode/package-lock.json`. Alerts auto-close once the vulnerable versions are gone from the lockfiles on main.

Alert to fix mapping

That is 4 High (fast-uri, 2 advisories across 2 manifests) plus 3 Moderate (qs across 2 manifests, uuid in vscode).
Override vs bump, and why
- fast-uri: `ajv` in both trees (`@logic-md/core` -> `ajv` at root; `@vscode/vsce` -> `@secretlint` -> `ajv` in vscode). ajv depends on `fast-uri@^3.x`, so pinning `^3.1.2` stays inside its range. No direct parent bump removes it cleanly, so an `overrides` entry is the least invasive fix.
- qs: `express` (root, via `@modelcontextprotocol/sdk`) and `typed-rest-client` (vscode, via `@vscode/vsce`). Both accept `qs@^6.x`, so `^6.15.2` is in range. Override.
- uuid: `@azure/msal-node@5.1.3` (vscode, via `@vscode/vsce` -> `@azure/identity`). The fixed line is `11.1.1`, a major jump from 8.x. Regenerating the lockfile resolved `@azure/msal-node` to `5.2.2`, which drops the uuid dependency entirely. No uuid remains in the vscode lockfile, so no override is warranted. msal-node only imports `{ v4 }` from uuid (verified), so nothing downstream relies on the old buffer API.

Overrides live in `package.json` (root: fast-uri, qs) and `editors/vscode/package.json` (fast-uri, qs). Both lockfiles were regenerated from a clean install.

Verification
- npm audit: 0 vulnerabilities in root and in `editors/vscode`; `npm audit --audit-level=high` clean in both.
- fast-uri `3.1.2`, qs `6.15.2` in both trees; zero uuid in the vscode lockfile.
- `npm run build:core` and full `npm run build` (core, cli, mcp): success.
- `npm test`: 473 passed, 0 failed.
- `npm run typecheck`: clean.
- `npm run lint`: unchanged from baseline (5 errors / 22 warnings, all in untouched vscode/cli/executor files; the two changed `package.json` files lint clean).
- `node spec/fixtures/run-fixtures.mjs`: 29 passed, 0 failed.

The clean reinstall also incidentally resolved a `brace-expansion` Moderate advisory in the vscode tree that was not among the 7 Dependabot alerts.