pnpm dependency update 2026-04-13 #126

Merged
pviti merged 1 commit into main from chore/deps-update-202604131711
Apr 14, 2026

Conversation

@commercelayer-ci
Contributor

Dependency update

Related to #124
Branch: chore/deps-update-202604131711
Based on stable: v6.17.2
Prerelease tag: v6.17.3-auto-deps-202604131711.0
Node.js: 20.x
pnpm: 10.x

Automated dependency update via pnpm. Review the dependency diff and validation output before merging.

Dependency update results

  • Check: success
  • Build: success
  • Test: success

Semver bump log

No semver updates found.

Audit log

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Serialize JavaScript is Vulnerable to RCE via          │
│                     │ RegExp.flags and Date.prototype.toISOString()          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-5c6j-r48x-rmvq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Serialize JavaScript has CPU Exhaustion Denial of      │
│                     │ Service via crafted array-like objects                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <7.0.5                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qj8w-gfj5-8c6v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ jsdiff has a Denial of Service vulnerability in        │
│                     │ parsePatch and applyPatch                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ diff                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=6.0.0 <8.0.3                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>diff                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-73rr-hh4g-fpgx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
3 vulnerabilities found
Severity: 1 low | 1 moderate | 1 high

Major updates log not updated

package.json
  @biomejs/biome        2.4.8  →   2.4.11
  @commercelayer/sdk  ^6.56.0  →  ^7.10.0
  @oclif/core         ^3.27.0  →  ^4.10.5
  @oclif/test         ^3.2.15  →  ^4.1.18
  @types/inquirer     ^8.2.12  →   ^9.0.9
  inquirer             ^8.2.7  →  ^13.4.1
  json-2-csv          ^3.20.0  →  ^5.5.10
  open                 ^8.4.2  →  ^11.0.0

commercelayer-ci added the dependencies label (Pull requests that update a dependency file) Apr 13, 2026
commercelayer-ci self-assigned this Apr 13, 2026
pfferrari requested a review from pviti April 14, 2026 07:57
pviti merged commit d1ba287 into main Apr 14, 2026
3 checks passed
@pviti
Member

pviti commented May 5, 2026

🎉 This PR is included in version 7.0.0-oclif4.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

Labels

dependencies (Pull requests that update a dependency file), released on @oclif4