DOC-3386: Fix dependency vulnerabilities via http-server upgrade and minimal resolutions#4028
Open
kemister85 wants to merge 2 commits intomainfrom
Open
DOC-3386: Fix dependency vulnerabilities via http-server upgrade and minimal resolutions#4028kemister85 wants to merge 2 commits intomainfrom
kemister85 wants to merge 2 commits intomainfrom
Conversation
Add resolutions for brace-expansion, sha.js, lodash, js-yaml, qs, minimatch, ecstatic, liquidjs, yauzl. yarn audit: 0 vulnerabilities.
kemister85
requested review from
a team,
MitchC1999,
TheSpyder,
kimwoodfield,
lincolndennis and
shanmen-tiny
and removed request for
a team
TheSpyder
reviewed
Mar 19, 2026
Comment on lines
+30
to
+40
| "resolutions": { | ||
| "brace-expansion": ">=1.1.12", | ||
| "sha.js": ">=2.4.12", | ||
| "lodash": ">=4.17.23", | ||
| "js-yaml": ">=4.1.1", | ||
| "qs": ">=6.14.2", | ||
| "minimatch": ">=3.1.4", | ||
| "ecstatic": ">=4.1.3", | ||
| "liquidjs": ">=10.25.0", | ||
| "yauzl": ">=3.2.1" | ||
| }, |
Member
There was a problem hiding this comment.
Wouldn't it be better to upgrade the direct dependencies so the transitive ones are correct?
This approach can lead to bugs when transitive dependencies are upgraded to new major versions.
Contributor
Author
There was a problem hiding this comment.
Good point. I’ve switched to upgrading the direct dependency instead of using resolutions where possible.
Changes:
- Upgraded http-server from ^0.12.3 to ^14.1.1 – v14 no longer uses ecstatic, so the ecstatic resolution and direct devDep are removed.
- Removed the other resolutions (brace-expansion, sha.js, lodash, js-yaml, qs, minimatch, yauzl) – they’re no longer needed; upstream fixes cover them.
- Kept the liquidjs resolution – @tinymce/antora-extension-livedemos still pins liquidjs ^9.37.0. Fixing that would require updating that package and publishing a new version.
Result from local testing:
Build and serve both work, and yarn audit reports 0 vulnerabilities.
- Upgrade http-server ^0.12.3 to ^14.1.1 (removes ecstatic dependency) - Remove ecstatic resolution and direct devDep - Remove brace-expansion, sha.js, lodash, js-yaml, qs, minimatch, yauzl resolutions (no longer needed; upstream fixes) - Keep liquidjs resolution (antora-extension-livedemos pins ^9.37.0) Addresses review: prefer direct dependency upgrades over resolutions.
kemister85
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ticket: DOC-3386
Changes: