MWPW-195616 cumulative dependabot PRs #902

Merged: 3ch023 merged 42 commits into main from MWPW-123456 on Jun 1, 2026
@npeltier (Contributor) commented May 26, 2026

https://jira.corp.adobe.com/browse/MWPW-195616
cumulative dependabot PRs:

| PR | Title | Files touched |
| --- | --- | --- |
| #759 | basic-ftp 5.2.1 → 5.2.2 | package-lock.json |
| #783 | fast-xml-parser 5.5.7 → 5.7.1 (io/www) | io/www/package-lock.json |
| #802 | fast-xml-parser + @aws-sdk/xml-builder | package-lock.json |
| #803 | uuid 8.3.2 → 14.0.0 | io/studio/package.json, package-lock.json |
| #804 | axios 1.13.5 → 1.15.2 | package-lock.json |
| #805 | postcss 8.5.6 → 8.5.12 | package-lock.json |
| #814 | axios 1.13.5 → 1.15.2 (io/www) | io/www/package-lock.json |
| #815 | uuid 8.3.2 → 14.0.0 (io/www) | io/www/package.json, io/www/package-lock.json |
| #847 | fast-xml-builder 1.1.4 → 1.2.0 (/io/www) | io/www/package.json, io/www/package-lock.json |
| #848 | fast-uri 3.0.3 → 3.1.2 (io/www) | io/www/package-lock.json |
| #850 | fast-uri 3.1.0 → 3.1.2 | package-lock.json |
| #900 | qs + express | package-lock.json |

dependabot Bot and others added 30 commits April 10, 2026 21:44
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.2.1 to 5.2.2.
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.1...v5.2.2)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.2.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.5.7 to 5.7.1.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.5.7...v5.7.1)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.7.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) and [@aws-sdk/xml-builder](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages-internal/xml-builder). These dependencies needed to be updated together.

Updates `fast-xml-parser` from 5.3.4 to 5.7.2
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.4...v5.7.2)

Updates `@aws-sdk/xml-builder` from 3.972.4 to 3.972.21
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages-internal/xml-builder/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/HEAD/packages-internal/xml-builder)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-version: 5.7.2
  dependency-type: indirect
- dependency-name: "@aws-sdk/xml-builder"
  dependency-version: 3.972.21
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.2 to 14.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v8.3.2...v14.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.15.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.12.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.12)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [uuid](https://github.com/uuidjs/uuid) from 8.3.2 to 14.0.0.
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v8.3.2...v14.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.15.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.4 to 1.2.0.
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.2.0)

---
updated-dependencies:
- dependency-name: fast-xml-builder
  dependency-version: 1.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.0.3 to 3.1.2.
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.0.3...v3.1.2)

---
updated-dependencies:
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [qs](https://github.com/ljharb/qs) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.

Updates `qs` from 6.14.2 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.2...v6.15.2)

Updates `express` from 4.22.1 to 4.22.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@v4.22.1...v4.22.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
- dependency-name: express
  dependency-version: 4.22.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

aem-code-sync Bot commented May 26, 2026

Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch.
In case there are problems, just click the checkbox below to rerun the respective action.

  • Re-sync branch

codecov Bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.89%. Comparing base (f15411b) to head (422b0a6).

@@            Coverage Diff             @@
##             main     #902      +/-   ##
==========================================
+ Coverage   88.85%   88.89%   +0.03%     
==========================================
  Files         242      242              
  Lines       71723    71723              
==========================================
+ Hits        63732    63758      +26     
+ Misses       7991     7965      -26     

see 4 files with indirect coverage changes

@npeltier changed the title from "MWPW-123456 cumulative dependabot PRs" to "MWPW-195616 cumulative dependabot PRs" May 26, 2026
@afmicka added the RCP-restricted (Pull request should not be merged during RCP) label May 26, 2026

@Axelcureno (Member) commented:

Overlaps with #907 (MWPW-193502), which fixes the same CVE class via overrides in io/www. This PR's io/www lockfile misses some:

  • axios not bumped in io/www/package-lock.json (only root) — leaves 14 Kodiak axios CVEs open in io/www, incl. 2 Critical
  • follow-redirects, diff, fast-uri — not updated in io/www
  • uuid nested @azure/cosmos + cloudevents copies still 8.3.2

#907 also bumps CI Node 20→24 (MWPW-195210). Complementary (root vs io/www) but conflict on io/www/package.json — suggest coordinating merge order.
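
The gap described in the comment above (a root-level bump that leaves nested or per-workspace copies on the old version) can be checked mechanically against a lockfile. This is an added example, not code from this repository or from the PR participants: the lockfile object is constructed to mirror the comment, the function names are hypothetical, and the version floors are the bump targets listed in this PR.

```javascript
// Constructed sample in npm lockfile v3 shape; NOT the project's real io/www/package-lock.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-www', version: '1.0.0' },
    'node_modules/uuid': { version: '14.0.0' },
    'node_modules/axios': { version: '1.13.5' },
    'node_modules/@azure/cosmos': { version: '0.0.0-sample' },
    'node_modules/@azure/cosmos/node_modules/uuid': { version: '8.3.2' },
    'node_modules/cloudevents': { version: '0.0.0-sample' },
    'node_modules/cloudevents/node_modules/uuid': { version: '8.3.2' },
  },
};

// Floors taken from the bump targets listed in this PR (uuid 14.0.0, axios 1.15.2).
const minimums = { uuid: '14.0.0', axios: '1.15.2' };

// Numeric x.y.z comparison; a string compare would wrongly rank '8.3.2' above '14.0.0'.
// Prerelease/build suffixes are ignored (assumption: floors are plain releases).
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i += 1) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" in a lockfile key,
// so nested copies (and scoped names such as @azure/cosmos) resolve correctly.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Return every installed copy, hoisted or nested, that is below its floor.
function findStaleCopies(lock, floors) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(path);
    if (!name || !Object.prototype.hasOwnProperty.call(floors, name)) continue;
    if (!entry.version || compareVersions(entry.version, floors[name]) >= 0) continue;
    stale.push({ path, name, version: entry.version, floor: floors[name] });
  }
  return stale;
}

console.log(findStaleCopies(sampleLock, minimums));
```

Run against each lockfile in the repository separately (root and io/www), since a bump in one does not change the other.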

@afmicka removed the RCP-restricted (Pull request should not be merged during RCP) label Jun 1, 2026
@npeltier changed the title from "MWPW-195616 cumulative dependabot PRs" to "MWPW-195616 cumulative dependabot PRs + bump to node 24" Jun 1, 2026
@npeltier changed the title from "MWPW-195616 cumulative dependabot PRs + bump to node 24" to "MWPW-195616 cumulative dependabot PRs" Jun 1, 2026
@3ch023 merged commit 0a336b9 into main Jun 1, 2026
19 of 20 checks passed
@3ch023 deleted the MWPW-123456 branch June 1, 2026 12:16