
fix Dependabot / npm audit vulnerabilities#151

Open
JillRegan wants to merge 3 commits into main from fix/dependabot-alerts

Conversation


@JillRegan JillRegan commented Mar 19, 2026

What has changed

  • Ran npm audit fix to bump packages that allow safe updates (ajv, flatted, undici, and other resolvable minimatch instances).
  • @1password/eslint-config latest still pulls @typescript-eslint/* versions that depend on a vulnerable nested minimatch (9.0.0–9.0.6). npm audit fix can’t fix it, and upgrading won't either. Added an overrides entry for minimatch so the tree resolves to a patched version without waiting on a new eslint-config release.

Note: The override only affects dev tooling (ESLint / TypeScript-ESLint used for lint). It does not change the published action’s runtime bundle or end-user behavior, so there’s no impact on the action’s core execution path.

How to test

  1. Check out this branch
  2. Run npm audit and see that it reports found 0 vulnerabilities
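A check for the second bullet above, added here as an example that is not part of the PR: it walks the JSON that npm ls minimatch --all --json prints and lists every nested minimatch still inside the 9.0.0–9.0.6 range the PR cites, so a reviewer can confirm the overrides entry actually took effect rather than relying on npm audit alone. The sample tree and the @typescript-eslint/typescript-estree path inside it are constructed.

```javascript
// Added example, not code from the PR: walk the JSON that `npm ls minimatch --all --json`
// prints and report every nested minimatch whose version falls in the vulnerable
// range the PR cites (9.0.0 through 9.0.6). The tree below is constructed.
const VULN_MIN = "9.0.0";
const VULN_MAX = "9.0.6";

// Compare two "x.y.z" versions numerically; pre-release suffixes are not handled.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return cmpVersion(version, VULN_MIN) >= 0 && cmpVersion(version, VULN_MAX) <= 0;
}

// Recursively collect the dependency path and version of every minimatch
// in the vulnerable range, so the override can be confirmed to have taken effect.
function findVulnerableMinimatch(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === "minimatch" && node.version && isVulnerable(node.version)) {
      hits.push({ path: here.join(" > "), version: node.version });
    }
    hits.push(...findVulnerableMinimatch(node, here));
  }
  return hits;
}

// Constructed sample in the shape `npm ls --all --json` emits, before the override;
// versions of the intermediate packages are omitted because only minimatch is checked.
const sampleTree = {
  dependencies: {
    "@1password/eslint-config": {
      dependencies: {
        "@typescript-eslint/typescript-estree": {
          dependencies: { minimatch: { version: "9.0.3" } },
        },
      },
    },
    minimatch: { version: "10.0.0" },
  },
};

console.log(findVulnerableMinimatch(sampleTree));
```

After the override is applied, running the same walk over the real npm ls output should return an empty list.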

@JillRegan JillRegan marked this pull request as ready for review March 19, 2026 17:40
@JillRegan JillRegan requested review from bertrmz and rishiy15 March 19, 2026 17:56


2 participants