fix(deps): update build-tools and fix npm vulnerabilities #342

Open
platex-rehor-bot wants to merge 1 commit into RedHatInsights:master from platex-rehor-bot:bot/RHCLOUD-48034

@platex-rehor-bot platex-rehor-bot commented May 29, 2026

Description

Update build-tools submodule and run npm audit fix to address vulnerability scan findings (33 total — 2 Critical, 16 High, 13 Medium, 2 Low).

Build-tools submodule update (a646e7b → 72c2bef):

  • Node UBI image 9.7 → 9.8 (fixes RPM CVEs: libarchive, libnghttp2, libcap)
  • caddy-ubi:latest floating tag pulls latest Go patches on rebuild (fixes Go stdlib, opentelemetry, pgx CVEs)
  • Go toolset updated to 1.25.9

npm audit fix: Resolved 13 non-breaking JS dependency vulnerabilities. Remaining 32 require semver-major bumps (out of scope for this ticket).

Supersedes Mintmaker PRs #339 and #341 (targeted older a96ba3d commit).

RHCLOUD-48034


Screenshots

N/A — infrastructure/dependency change only, no UI impact.


Checklist ☑️

  • PR only fixes one issue or story
  • Change reviewed for extraneous code
  • UI best practices adhered to
  • Commits squashed and meaningfully named
  • All PR checks pass locally (build, lint, test, E2E)

  • (Optional) QE: Needs QE attention (OUIA changed, perceived impact to tests, no test coverage)
  • (Optional) QE: Has been mentioned
  • (Optional) UX: Needs UX attention (end user UX modified, missing designs)
  • (Optional) UX: Has been mentioned

RHCLOUD-48034

Update insights-frontend-builder-common submodule from a646e7b to 72c2bef:
- Node UBI image 9.7 → 9.8 (fixes RPM CVEs: libarchive, libnghttp2, libcap)
- caddy-ubi:latest floating tag pulls latest Go patches on rebuild
- Go toolset updated to 1.25.9 (fixes stdlib CVEs)

Run npm audit fix to resolve 13 non-breaking JS dependency vulnerabilities.
Remaining 32 vulnerabilities require semver-major bumps (out of scope).

Supersedes Mintmaker PRs RedHatInsights#339 and RedHatInsights#341 (targeted older a96ba3d).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@platex-rehor-bot platex-rehor-bot requested a review from a team as a code owner May 29, 2026 17:28
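
Added example, not part of this PR or the repository's code: a triage of `npm audit --json` output into the groups the description distinguishes, namely findings that `npm audit fix` resolves without breaking changes versus findings that need a semver-major bump. The report is constructed with placeholder package names and assumes npm's audit report version 2 layout; `triageAudit` is a hypothetical helper name.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Package names and versions are placeholders, not findings from this PR.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { severity: 'high', isDirect: false, fixAvailable: true },
    'example-http': { severity: 'critical', isDirect: true,
      fixAvailable: { name: 'example-http', version: '3.0.0', isSemVerMajor: true } },
    'example-glob': { severity: 'moderate', isDirect: false,
      fixAvailable: { name: 'example-cli', version: '2.4.1', isSemVerMajor: false } },
    'example-legacy': { severity: 'low', isDirect: false, fixAvailable: false },
  },
};

const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];

// Classify each finding by what `npm audit fix` (without --force) can do.
function triageAudit(report) {
  const groups = { nonBreaking: [], semverMajor: [], noFix: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    const entry = { name, severity: vuln.severity, direct: Boolean(vuln.isDirect) };
    if (!fix) {
      // No patched version is reachable at all.
      groups.noFix.push(entry);
    } else if (fix === true || !fix.isSemVerMajor) {
      // Resolvable within the existing semver ranges.
      groups.nonBreaking.push(entry);
    } else {
      // Only resolvable with --force, i.e. a major bump of fix.name.
      groups.semverMajor.push({ ...entry, bump: `${fix.name}@${fix.version}` });
    }
  }
  const bySeverity = (a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity);
  Object.values(groups).forEach((list) => list.sort(bySeverity));
  return groups;
}

const result = triageAudit(sampleReport);
for (const [group, list] of Object.entries(result)) {
  console.log(group, list.map((e) => `${e.name} (${e.severity})`).join(', ') || '-');
}
```

The `semverMajor` group is the backlog a follow-up ticket would have to cover; listing each entry's `bump` target shows which direct dependency must cross a major version.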