Skip to content

chore: upgrade 11 transitive dependencies to fix security vulnerabilities#126

Merged
jonaslagoni merged 2 commits into
mainfrom
chore/upgrade-all-dependencies-2026-02-20
Feb 23, 2026
Merged

chore: upgrade 11 transitive dependencies to fix security vulnerabilities#126
jonaslagoni merged 2 commits into
mainfrom
chore/upgrade-all-dependencies-2026-02-20

Conversation

@jonaslagoni

Copy link
Copy Markdown
Contributor

Summary

Consolidates 11 open Dependabot PRs into a single upgrade by adding yarn resolutions to force transitive dependency version upgrades. All upgrades are lockfile-only (no direct dependency changes).

Production transitive deps (3)

  • lodash 4.17.21 → 4.17.23 — CVE-2025-13465 (medium, prototype pollution)
  • lodash-es 4.17.21 → 4.17.23 — CVE-2025-13465 (medium, prototype pollution)
  • @babel/runtime 7.16.7 → 7.28.6 — CVE-2025-27789 (medium, ReDoS)

Dev transitive deps (8)

Stale PR (close without merging)

Uncovered alerts (43) — out of scope

Most trace to storybook (next channel) and tsdx using webpack 4. Key items requiring major toolchain upgrades:

  • jsonpath (high) — no fix version, needs upstream @apideck/wayfinder fix
  • minimatch (high) — fix requires v10.x, blocked by tsdx/eslint
  • tar (4 high CVEs) — fix requires v7.x
  • webpack (4 CVEs) — fix requires v5.x

Test plan

  • yarn install — lockfile regenerated successfully
  • tsdx build — build passes
  • tsdx test --ci — 5 suites, 15 tests all passing
  • yarn why verified all 11 packages at target versions or higher
  • Manual review of resolution side effects

Closes #121, Closes #120, Closes #109, Closes #124, Closes #119, Closes #117, Closes #115, Closes #114, Closes #113, Closes #108, Closes #107

🤖 Generated with Claude Code

…ties

Add yarn resolutions to force upgrades of transitive dependencies,
addressing 5 critical, 4 medium, and 2 low severity CVEs across
11 packages.

Production transitive deps:
- lodash 4.17.21 → 4.17.23 (CVE-2025-13465)
- lodash-es 4.17.21 → 4.17.23 (CVE-2025-13465)
- @babel/runtime 7.16.7 → 7.28.6 (CVE-2025-27789)

Dev transitive deps:
- pbkdf2 3.1.2 → 3.1.5 (CVE-2025-6547, CVE-2025-6545)
- cipher-base 1.0.4 → 1.0.7 (CVE-2025-9287)
- sha.js 2.4.11 → 2.4.12 (CVE-2025-9288)
- elliptic 6.5.4 → 6.6.1 (7 CVEs incl. critical)
- form-data 3.0.1 → 4.0.5 (CVE-2025-7783)
- js-yaml 3.14.1 → 4.1.1 (CVE-2025-64718)
- min-document 2.19.0 → 2.19.2 (CVE-2025-57352)
- store2 2.13.1 → 2.14.4 (CVE-2024-57556)

Ref #121, Ref #120, Ref #109, Ref #124, Ref #119, Ref #117,
Ref #115, Ref #114, Ref #113, Ref #108, Ref #107

Co-Authored-By: Claude <noreply@anthropic.com>
@github-actions

github-actions Bot commented Feb 20, 2026

Copy link
Copy Markdown

size-limit report 📦

Path Size
dist/react-vault.cjs.production.min.js 271.44 KB (+0.26% 🔺)
dist/react-vault.esm.js 240.14 KB (+0.23% 🔺)

@jonaslagoni
jonaslagoni merged commit 6e2349f into main Feb 23, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants