Skip to content

chore(deps): Weekly Dependency + Security Sweep (Wk 3) — 8 Dependabot alerts (tar ×7 + esbuild) + docs pass #158

Description

@PAMulligan

Weekly Dependency + Security Sweep (Wk 3)

Part of the recurring PMDS repos dependency + security maintenance. Highest-priority repo this week — 6 High-severity alerts. For a coding agent to remediate and open a PR.

Workflow (per repo standard)

  • Review Dependabot / pnpm audit alerts
  • Bump outdated + vulnerable deps with pnpm (regenerate pnpm-lock.yaml via pnpm — do NOT hand-edit the lockfile)
  • Run the test suite and confirm CI is green
  • Honor the minimumReleaseAge guard (do not pull versions newer than the configured cooldown)
  • README/docs accuracy pass (see below)
  • Open one PR with a Conventional Commits title/message

Open Dependabot alerts (8)

tar — 7 alerts (6 High, 1 Moderate), all in pnpm-lock.yaml

⚠️ Requires a major-version bump. Currently installable max is tar 6.2.1; affected range is <= 7.5.3 and the earliest fully-fixed version across this cluster is 7.5.16. Going 6.x → 7.5.16 is a breaking change — check tar's v7 API changes and any code/CLI usage before landing. If tar is transitive, use a pnpm.overrides entry pinning tar to >=7.5.16 and re-run the full test suite.

  • Interim mitigation if the upgrade can't land immediately: filter out SymbolicLink/hardlink entries when extracting untrusted tarballs.

esbuild — 1 Moderate alert

  • ci: Add PHPCS workflow with inline PR annotations #31 — Moderate — GHSA-67mh-4wv8-2f99 (CWE-346) — dev server CORS Access-Control-Allow-Origin: * lets any site read responses
  • Location: pnpm-lock.yaml
  • Affected <= 0.24.2; earliest fixed 0.28.1 (installable max currently 0.21.5)
  • Needs a pnpm.overrides bump of esbuild to >=0.28.1, or bumping the parent that pulls it.

README / docs accuracy pass

  • Verify any counts stated in the README (tools/agents/features) match the actual repo
  • Verify version badges (shields) reflect current versions / build status
  • Verify install steps run cleanly on a fresh clone (Docker + wp-cli + pnpm quickstart)

PR

  • Conventional Commits, e.g.: chore(deps): bump tar to >=7.5.16 and esbuild to >=0.28.1; docs accuracy pass

⚠️ Note: after landing, please enable Dependabot / Dependency graph if it ever gets disabled — it is currently active here and surfacing these alerts.


Filed as part of the weekly PMDS repos Dependency + Security Sweep.

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filesecuritySecurity vulnerabilityseverity:highHigh severity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions