
chore: resolve open dependabot security alerts #6

Merged: jonathannorris merged 7 commits into main from chore/dependabot-alerts on Jun 17, 2026

Conversation

@jonathannorris

Member

Summary

Resolved 7 open Dependabot security alerts by bumping vulnerable transitive dependencies in the lockfile.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|-------|---------|----------|-----|
| #106 | esbuild | high | Bumped to 0.28.1 via overrides (pinned by @angular/build & vite) |
| #105 | esbuild | low | Bumped to 0.28.1 via overrides |
| #104 | hono | medium | Bumped to 4.12.25 via npm update |
| #103 | hono | medium | Bumped to 4.12.25 via npm update |
| #102 | hono | medium | Bumped to 4.12.25 via npm update |
| #101 | hono | medium | Bumped to 4.12.25 via npm update |
| #100 | tmp | high | Bumped to 0.2.7 via npm update |

All packages are transitive dependencies. hono and tmp were resolved via a plain lockfile update; esbuild required a scoped override since it is pinned by @angular/build and vite. Production build verified passing.
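A post-fix verification of the kind this PR calls for, added here as an example and not code from the PR or the project: it walks a package-lock.json (v2/v3) `packages` map and reports any nested copy of a package that is still below the version that closes the alert, which is how a reviewer confirms that a copy of esbuild pinned under @angular/build or vite was not left behind by the lockfile update. It also checks a version against the two override ranges discussed in review, `^0.28.1` and `>=0.28.1`, to show why the caret form is the tighter one. The lock entries, versions and function names (`findInstalledCopies`, `findUnfixedCopies`, `satisfies`) are constructed for this example and are not the project's real data or API.

```javascript
// Added example: audit a package-lock.json "packages" map after a security bump.
// The lockfile below is constructed for the example; it is not the project's lockfile.
const LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "node_modules/esbuild": { version: "0.28.1" },
    // a nested copy that a plain `npm update` would leave in place
    "node_modules/vite/node_modules/esbuild": { version: "0.21.5" },
    "node_modules/@angular/build/node_modules/esbuild": { version: "0.28.1" },
    "node_modules/@esbuild/linux-x64": { version: "0.28.1" },
    "node_modules/hono": { version: "4.12.25" },
    "node_modules/tmp": { version: "0.2.7" },
  },
};

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored here.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric comparison so that "0.28.1" sorts after "0.9.0" (string order would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, including copies nested under other packages.
// Matching on the trailing "node_modules/<name>" segment keeps "@esbuild/linux-x64"
// from being counted as a copy of "esbuild".
function findInstalledCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies whose version is still below the version that closes the alert.
function findUnfixedCopies(lock, name, fixedVersion) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, fixedVersion) < 0
  );
}

// Minimal range check for the two forms raised in review. A caret on a 0.x base
// only admits patch bumps within that minor (^0.28.1 means >=0.28.1 <0.29.0),
// whereas >=0.28.1 admits any later release, including a future 1.0.0.
function satisfies(range, version) {
  if (range.startsWith(">=")) return compareVersions(version, range.slice(2)) >= 0;
  if (range.startsWith("^")) {
    const base = range.slice(1);
    if (compareVersions(version, base) < 0) return false;
    const [bMaj, bMin] = parseVersion(base);
    const [vMaj, vMin] = parseVersion(version);
    if (bMaj > 0) return vMaj === bMaj; // ^1.2.3 -> <2.0.0
    return vMaj === 0 && vMin === bMin; // ^0.28.1 -> <0.29.0
  }
  return compareVersions(range, version) === 0; // exact pin
}

// Stand-alone usage: report anything the bump missed.
const leftovers = findUnfixedCopies(LOCK, "esbuild", "0.28.1");
console.log(leftovers.length === 0 ? "all esbuild copies fixed" : JSON.stringify(leftovers));
```

Run it with `node` against a real lockfile by replacing `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means a scoped override is still needed for the dependent that pins the old copy.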

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
…5.1 and fast-uri 3.1.2

# Conflicts:
#	package-lock.json
@jonathannorris jonathannorris marked this pull request as draft June 15, 2026 14:16
@jonathannorris jonathannorris requested a review from Copilot June 15, 2026 14:17

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates several dependencies, notably upgrading esbuild to 0.28.1, hono to 4.12.25, and tmp to 0.2.7, and adds an esbuild override in package.json. The feedback recommends restricting the esbuild override to ^0.28.1 instead of >=0.28.1 to prevent potential breaking changes from future minor version updates in the 0.x range.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread package.json Outdated
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>

Copilot AI left a comment

Pull request overview

This PR addresses Dependabot security alerts by updating vulnerable transitive dependencies, primarily via a lockfile refresh and an overrides entry to force a non-vulnerable esbuild version.

Changes:

  • Added an overrides rule for esbuild in package.json.
  • Updated package-lock.json to bump esbuild (and platform-specific @esbuild/* packages) to 0.28.1.
  • Updated package-lock.json to bump hono to 4.12.25 and tmp to 0.2.7.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|------|-------------|
| package.json | Adds an overrides entry intended to ensure a secure esbuild version is used. |
| package-lock.json | Updates resolved transitive dependency versions to remediate the referenced security alerts. |

Comment thread package.json Outdated

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

@jonathannorris jonathannorris marked this pull request as ready for review June 15, 2026 20:38
@jonathannorris jonathannorris merged commit 55769e4 into main Jun 17, 2026
2 checks passed
3 participants