Fix Dependabot security findings for spark-template (vuln-mgmt#203091) #175

Open

legomushroom wants to merge 2 commits into main from legomushroom/fix-dependabot-203091

Conversation

legomushroom (Collaborator) commented Jun 17, 2026

Update dependencies.

Pin patched versions via npm `overrides` (existing repo convention) and bump
the direct `vite` devDependency; regenerate the lockfile:

- esbuild -> 0.28.1  (GHSA-gv7w-rqvm-qjhr / GHSA-g7r4-m6w7-qqqr)
- vite    -> 7.3.5   (GHSA-fx2h-pf6j-xcff)
- js-yaml -> 4.2.0   (GHSA-h67p-54hq-rp68; dev-only)
- qs      -> 6.15.2  (GHSA-q8mj-m7cp-5q26)

Verified: all four resolve to patched versions; `npm run build` passes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings, June 17, 2026 21:06
GitHub Advanced Security started work on behalf of legomushroom, June 17, 2026 21:06

Copilot AI (Contributor) left a comment

Pull request overview

This pull request updates dependencies.

Changes:

  • Bump the direct vite devDependency to ^7.3.5.
  • Add npm overrides entries intended to force patched versions of esbuild, vite, js-yaml, and qs.
  • Regenerate package-lock.json so the resolved versions reflect the patched releases (e.g., esbuild@0.28.1, vite@7.3.5, js-yaml@4.2.0, qs@6.15.2).
Summary per file:

  • package.json: Updates vite and adds override entries meant to force patched dependency resolutions.
  • package-lock.json: Updates the resolved dependency tree to the patched versions and refreshes integrity metadata.

Copilot's findings

  • Files reviewed: 1/2 changed files
  • Comments generated: 1

GitHub Advanced Security finished work on behalf of legomushroom, June 17, 2026 21:08
Match the file's existing override convention (picomatch, postcss, lodash,
minimatch are exact-pinned) for reproducible security remediation:
- esbuild ^0.28.1 -> 0.28.1
- js-yaml ^4.2.0  -> 4.2.0
- qs ^6.15.2      -> 6.15.2

Drop the redundant `vite` override (vite is a direct devDependency at ^7.3.5
that already governs the version; an exact override conflicted with it -
npm EOVERRIDE). Resolved versions and lockfile are unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
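The two commit messages above lean on two rules for npm `overrides`: security pins should be exact for reproducible remediation, and an override for a package that is also a direct dependency must carry the same spec as that dependency or npm rejects the install with EOVERRIDE. The following is an added example, not code from this PR or the spark-template repository, that lints a manifest object against both rules; the manifests it runs on are constructed from the versions in this PR, and the `$name` shorthand it skips is npm's own way of tying an override to the direct dependency's spec.

```javascript
// Added example (not from the PR): lint `overrides` in an npm package.json.
//   1. security overrides should be exact pins (repo convention: reproducible remediation);
//   2. an override for a package that is also a direct dependency must carry the
//      same spec as that dependency, otherwise npm fails the install with EOVERRIDE.
const EXACT_PIN = /^\d+\.\d+\.\d+$/;

// Returns a list of human-readable findings; an empty list means the manifest is clean.
function checkOverrides(pkg) {
  const direct = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, value] of Object.entries(pkg.overrides || {})) {
    // A nested override object pins the package itself under the "." key.
    const spec = typeof value === 'string' ? value : (value && value['.']);
    if (spec === undefined) continue;     // only child overrides here, nothing to check
    if (spec.startsWith('$')) continue;   // "$name" reuses the direct dependency's spec
    if (name in direct && direct[name] !== spec) {
      findings.push(`${name}: override "${spec}" conflicts with direct dependency "${direct[name]}" (npm EOVERRIDE)`);
    }
    if (!EXACT_PIN.test(spec)) {
      findings.push(`${name}: override "${spec}" is a range, not an exact pin`);
    }
  }
  return findings;
}

// Constructed manifests (versions taken from the PR; everything else assumed).
// ATTEMPTED models the state the second commit describes: caret overrides plus an
// exact vite override sitting beside the ^7.3.5 devDependency.
const ATTEMPTED = {
  devDependencies: { vite: '^7.3.5' },
  overrides: { esbuild: '^0.28.1', vite: '7.3.5', 'js-yaml': '^4.2.0', qs: '^6.15.2' },
};
// LANDED models the second commit: exact pins, vite override dropped.
const LANDED = {
  devDependencies: { vite: '^7.3.5' },
  overrides: { esbuild: '0.28.1', 'js-yaml': '4.2.0', qs: '6.15.2' },
};

for (const [label, pkg] of [['attempted', ATTEMPTED], ['landed', LANDED]]) {
  const findings = checkOverrides(pkg);
  console.log(`${label}: ${findings.length ? '\n  ' + findings.join('\n  ') : 'clean'}`);
}
```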

Copilot AI (Contributor) left a comment

Copilot's findings

  • Files reviewed: 1/2 changed files
  • Comments generated: 0 new
