chore(deps): resolve open Dependabot security alerts #509
Merged
Batch-fix 29 of 32 open Dependabot alerts:
- Refresh transitive deps in root yarn.lock (yarn up -R): tar, minimatch, lodash, picomatch, glob, brace-expansion, js-yaml, ajv, react-router, react-router-dom, @remix-run/router
- Add resolutions for deps pinned below their patched version: qs ^6.15.2 (body-parser pins ~6.14.0), postcss ^8.5.10 (@expo/metro-config pins ~8.4.32)
- Delete packages/tests/package-lock.json: stale npm lockfile unused since the Yarn 4 workspaces migration (deps resolve via root yarn.lock)
- examples/next-js: add postcss ^8.5.10 resolution (next pins 8.4.31)

Not fixable here: uuid (xcode pins ^7, fix only in 11.1.1), fast-xml-parser (RN CLI pins ^4, fix only in 5.7.0), elliptic (no patched version exists).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Pull request overview
This PR batches dependency/lockfile updates to resolve a large set of open Dependabot security alerts across the monorepo (root Yarn 4 workspace and the examples/next-js app).
Changes:
- Updates the root `yarn.lock` to pull in patched versions for multiple transitive dependencies.
- Adds root-level Yarn `resolutions` for `qs` and `postcss` to force patched versions despite upstream pins.
- Updates the `examples/next-js` lockfile and adds a `postcss` resolution to address a Next.js transitive pin.
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| yarn.lock | Refreshes transitive dependency resolutions to patched versions (but currently has descriptor-key inconsistencies for postcss/qs). |
| package.json | Adds Yarn resolutions entries for qs and postcss. |
| examples/next-js/yarn.lock | Regenerates example lockfile to resolve postcss (and related sub-deps) to patched versions. |
| examples/next-js/package.json | Adds a postcss resolution for the example app. |
Summary
Batch-fixes 29 of the 32 open Dependabot alerts locally instead of merging ~30 individual Dependabot PRs.
Root `yarn.lock` (24 alerts)
- `yarn up -R` refreshed transitive resolutions to patched versions: tar 7.5.16, minimatch 3.1.5/9.0.9, lodash 4.18.1, picomatch 4.0.4, glob 10.5.0, brace-expansion 2.1.1, js-yaml 4.2.0, ajv 6.15.0, react-router(-dom) 6.30.4, @remix-run/router 1.23.3
- `resolutions` for deps whose parents pin below the patched version:
  - `qs: ^6.15.2` → 6.15.2 (body-parser pins `~6.14.0`)
  - `postcss: ^8.5.10` → 8.5.15 (@expo/metro-config pins `~8.4.32`)

`packages/tests/package-lock.json` (3 alerts)
- Deleted — stale npm lockfile, unused since the Yarn 4 workspaces migration (deps resolve via the root `yarn.lock`).

`examples/next-js/yarn.lock` (1 alert)
- Added `postcss: ^8.5.10` resolution (next pins `8.4.31` exactly) → 8.5.15. Lockfile regenerated with Yarn 1; diff is just postcss + its 3 sub-dep range keys.

Not fixed (3 alerts)
- `xcode@3.0.1` — fix only exists in 11.1.1, outside the pinned `^7` range (dev-only RN tooling)
- `@react-native-community/cli-*` — fix only exists in 5.7.0, outside `^4.4.1` (dev-only RN tooling)

Verification
- `yarn build` compiles all packages ✅
- `yarn test`: 40/40 tests pass, 3/3 snapshots ✅

🤖 Generated with Claude Code
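A `resolutions` entry only helps if the regenerated lockfile actually resolves every descriptor of the package, including the parent's narrower pin, to the patched line. The checker below is an added example, not code from this PR or the project: it parses a Yarn lockfile in either the Yarn 1 format (`examples/next-js/yarn.lock`) or the Yarn 2+ Berry format (root `yarn.lock`), derives a floor from the `resolutions` map the PR adds (`qs: ^6.15.2`, `postcss: ^8.5.10`), and reports any descriptor still resolved below it. The lockfile excerpts, the `body-parser` version and all function names are constructed for illustration; only the package names, ranges and patched versions come from the PR text.

```javascript
// Added example (not project code): check that a Yarn lockfile, in Yarn 1 or
// Yarn 2+ (Berry) format, resolves every descriptor of a package to a version at
// or above the floor set by package.json "resolutions". Excerpts are constructed.

// Parse a lockfile into [{ descriptors: [...], version }] entries.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header: comma-separated descriptors, possibly quoted, ending in ':'.
      const header = line.replace(/:\s*$/, '').replace(/^"|"$/g, '');
      if (header.startsWith('__')) { current = null; continue; } // Berry __metadata block
      const descriptors = header.split(',').map((d) => d.trim().replace(/^"|"$/g, ''));
      current = { descriptors, version: null };
      entries.push(current);
      continue;
    }
    // Berry: `  version: 6.15.2`   Yarn 1: `  version "6.15.2"`
    const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Package name of a descriptor; search from index 1 so `@scope/name@range` keeps its scope.
function descriptorName(descriptor) {
  const at = descriptor.indexOf('@', 1);
  return at === -1 ? descriptor : descriptor.slice(0, at);
}

// Numeric major.minor.patch comparison (prerelease tags are ignored here).
function semverGte(a, b) {
  const parse = (v) => {
    const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
    if (!m) throw new Error(`unparseable version: ${v}`);
    return m.slice(1, 4).map(Number);
  };
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return true;
}

// Floor per package from a "resolutions" map: "^6.15.2" -> "6.15.2".
function minimumsFromResolutions(resolutions) {
  const out = {};
  for (const [name, range] of Object.entries(resolutions)) out[name] = range.replace(/^[\^~>=\s]+/, '');
  return out;
}

// Every descriptor of a watched package whose resolved version is below the floor.
function findUnpatched(lockText, minimums) {
  const findings = [];
  for (const { descriptors, version } of parseLockfile(lockText)) {
    for (const d of descriptors) {
      const name = descriptorName(d);
      if (!(name in minimums) || version === null) continue;
      if (!semverGte(version, minimums[name])) findings.push({ descriptor: d, resolved: version, required: minimums[name] });
    }
  }
  return findings;
}

// The two resolutions the PR adds to the root package.json.
const MINIMUMS = minimumsFromResolutions({ qs: '^6.15.2', postcss: '^8.5.10' });

// Constructed Berry excerpt before the override (body-parser version invented): ~6.14.0 resolves qs alone, below 6.15.2.
const BERRY_BEFORE = `
__metadata:
  version: 8

"body-parser@npm:^2.2.0":
  version: 2.2.0
  dependencies:
    qs: "npm:~6.14.0"

"qs@npm:~6.14.0":
  version: 6.14.0
  resolution: "qs@npm:6.14.0"
`;
// Constructed Berry excerpt after the resolution: both descriptors share one entry.
const BERRY_AFTER = `
"qs@npm:^6.15.2, qs@npm:~6.14.0":
  version: 6.15.2
  resolution: "qs@npm:6.15.2"
`;
// Constructed Yarn 1 excerpt (examples/next-js format): the exact 8.4.31 pin and ^8.5.10 collapsed onto 8.5.15.
const V1_AFTER = `
# yarn lockfile v1
postcss@8.4.31, postcss@^8.5.10:
  version "8.5.15"
  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.5.15.tgz"
`;
for (const [label, text] of [['berry-before', BERRY_BEFORE], ['berry-after', BERRY_AFTER], ['v1-after', V1_AFTER]]) {
  const bad = findUnpatched(text, MINIMUMS);
  console.log(label, bad.length === 0 ? 'every descriptor at or above floor' : JSON.stringify(bad));
}
```

Run it against the real root `yarn.lock` and `examples/next-js/yarn.lock` after `yarn install`: a non-empty result means a parent's pin is still being honoured over the override, which is exactly the situation the Dependabot alert on a transitive dependency is reporting. The version comparison is deliberately numeric only; if a lockfile carries prerelease versions, swap in a full semver comparator.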