Skip to content

fix(deps): resolve 18 Dependabot alerts#64

Merged
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts
Jul 15, 2026
Merged

fix(deps): resolve 18 Dependabot alerts#64
phil-davis merged 1 commit into
masterfrom
fix/dependabot-alerts

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

Resolves all 18 open Dependabot alerts. Every alert is a transitive devDependency in package-lock.json; fixed with npm audit fix (no --force, no direct-dependency major bumps). package.json is unchanged.

Fixed (18 alerts → resolved version ≥ first patched)

Package Alert(s) Resolved Needed ≥ Severity
body-parser #44 1.20.6 1.20.3 high
braces #40 3.0.3 3.0.3 high
cookie #45 0.7.2 0.7.0 low
flatted #62 3.4.2 3.4.2 high
follow-redirects #69, #39, #38 1.16.0 1.16.0 medium
lodash #68, #67, #52 4.18.1 4.18.0 high
minimatch #59 3.1.5 3.1.3 high
picomatch #64 2.3.2 2.3.2 medium
qs #55, #49 6.15.3 6.14.2 medium
tmp #71, #47 0.2.7 0.2.6 high
ws #72, #41 8.21.1 8.21.0 high

npm audit reports 0 vulnerabilities after the change.

No fix available

None — all alerts had an upstream patched version reachable transitively.

Note

lockfileVersion was bumped 1 → 3 because npm 10 regenerated the lockfile on install. CI runs npm ci on Node 20, which supports lockfile v3.

Test plan

  • npm install / npm audit → 0 vulnerabilities
  • Test suite (Karma, 21 tests) passes locally (run under ChromeHeadless; CI uses FirefoxHeadless on Node 20)

🤖 Generated with Claude Code

All alerts are transitive devDependencies; resolved via `npm audit fix`
(no --force, no direct-dependency major bumps). package.json unchanged.

- body-parser -> 1.20.6 (GHSA, needs >= 1.20.3) #44
- braces -> 3.0.3 (needs >= 3.0.3) #40
- cookie -> 0.7.2 (needs >= 0.7.0) #45
- flatted -> 3.4.2 (prototype pollution, needs >= 3.4.2) #62
- follow-redirects -> 1.16.0 (needs >= 1.16.0/1.15.6/1.15.4) #69 #39 #38
- lodash -> 4.18.1 (code injection + prototype pollution, needs >= 4.18.0/4.17.23) #68 #67 #52
- minimatch -> 3.1.5 (ReDoS, needs >= 3.1.3) #59
- picomatch -> 2.3.2 (needs >= 2.3.2) #64
- qs -> 6.15.3 (DoS, needs >= 6.14.2/6.14.1) #55 #49
- tmp -> 0.2.7 (path traversal, needs >= 0.2.6/0.2.4) #71 #47
- ws -> 8.21.1 (DoS, needs >= 8.21.0/8.17.1) #72 #41

npm audit reports 0 vulnerabilities. Test suite (Karma, 21 tests)
passes. Note: lockfileVersion bumped 1 -> 3 as npm 10 regenerated the
lockfile; CI runs `npm ci` on Node 20 which supports v3.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 15, 2026 14:30
@phil-davis phil-davis merged commit 98564a6 into master Jul 15, 2026
2 checks passed
@phil-davis phil-davis deleted the fix/dependabot-alerts branch July 15, 2026 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants