Update dependencies for security and compatibility #2296
the-hercules wants to merge 6 commits into develop from
Conversation
Pull request overview
This PR updates transitive Node dependencies to address security/compatibility concerns, primarily by bumping versions in the e2e Playwright workspace and refreshing lockfiles.
Changes:
- Add npm `overrides` in `tests/wp-e2e-playwright/package.json` for `webpack-dev-server`, `minimatch`, `fast-xml-parser`, and `ajv`.
- Refresh `tests/wp-e2e-playwright/package-lock.json` to pick up `axios`, `qs`, `fast-xml-parser`, `ajv`, and related dependency tree updates.
- Refresh root `package-lock.json`, including a `qs` update.
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/wp-e2e-playwright/package.json | Adds overrides to force specific dependency versions. |
| tests/wp-e2e-playwright/package-lock.json | Lockfile refresh reflecting the new overrides and dependency upgrades. |
| package-lock.json | Root lockfile refresh including a qs bump. |
Files not reviewed (1)
- tests/wp-e2e-playwright/package-lock.json: Language not supported
| "fast-xml-parser": "5.3.7", | ||
| "ajv": "8.18.0" |
Overriding ajv to 8.18.0 forces it outside some dependents’ declared ranges (e.g. npm-package-json-lint in the lockfile depends on ajv@^6.12.6). This can lead to runtime failures due to Ajv v6→v8 breaking API changes. Consider scoping the override to packages that already require Ajv v8, or upgrading/replacing the Ajv-v6 consumers so the dependency graph stays semver-compatible.
| "fast-xml-parser": "5.3.7", | |
| "ajv": "8.18.0" | |
| "fast-xml-parser": "5.3.7" |
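Review bot: this suggestion drops the ajv override entirely rather than scoping it to the Ajv v8 consumers as the comment above proposes; if it is taken, the commit message line "Update ajv to enhance functionality" and the refreshed tests/wp-e2e-playwright/package-lock.json (which the overview says was regenerated to pick up ajv) need to be revisited, otherwise the lockfile and description keep describing a pin the manifest no longer declares.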
| "overrides": { | ||
| "webpack-dev-server": "^5.2.1" | ||
| }, | ||
| "webpack-dev-server": "^5.2.1", |
overrides.webpack-dev-server is a range (^5.2.1). For security/compatibility overrides, pinning an exact version makes installs reproducible and prevents pulling in a future vulnerable minor/patch unintentionally.
| "webpack-dev-server": "^5.2.1", | |
| "webpack-dev-server": "5.2.1", |
| "webpack-dev-server": "^5.2.1" | ||
| }, | ||
| "webpack-dev-server": "^5.2.1", | ||
| "minimatch": "10.2.1", |
The override forces minimatch@10.2.1, which requires Node 20 || >=22 (per the resolved package metadata). This conflicts with this package’s declared engine (>=12) and will break installs on Node 12–19. Either bump the engines.node constraint (and any documented Node requirement) or use a minimatch version compatible with the supported Node range.
| "minimatch": "10.2.1", | |
| "minimatch": "5.1.6", |
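Review bot: the suggested replacement minimatch@5.1.6 is five major versions behind the 10.2.1 the PR pins, and the commit message gives security as the reason for these overrides; before preferring this over raising engines.node, confirm that 5.1.6 is not itself affected by whatever advisory motivated the minimatch override (no advisory id is given anywhere in this PR), otherwise the engines conflict is resolved by reintroducing the problem the override was added to fix.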
Address security vulnerabilities by updating `qs`, `axios`, and `fast-xml-parser`. Add necessary overrides in `package.json` to ensure compatibility with specific versions. Update `ajv` to enhance functionality.
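A small audit script that mechanises the three checks raised in the review comments above (an override left as a range, an override outside a dependent's declared range, and an override whose engines.node the package's own engines cannot meet), added here as an example and not code from this PR or the project. The package.json and package-lock.json data, and the `audit_overrides`, `satisfies` and `parse` helpers, are constructed for illustration from the values quoted in the comments; the semver matcher covers only the range forms that appear on this page.

```python
import re
# Constructed sample shaped like this PR's files (values taken from the review comments).
PACKAGE_JSON = {
    "engines": {"node": ">=12"},
    "overrides": {"webpack-dev-server": "^5.2.1", "minimatch": "10.2.1",
                  "fast-xml-parser": "5.3.7", "ajv": "8.18.0"},
}
PACKAGE_LOCK = {"packages": {
    "node_modules/npm-package-json-lint": {"dependencies": {"ajv": "^6.12.6"}},
    "node_modules/minimatch": {"version": "10.2.1", "engines": {"node": "20 || >=22"}},
}}

def parse(v):  # "^5.2.1" -> (5, 2, 1); operators are ignored, missing parts default to 0
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def satisfies(ver, rng):
    """Subset of semver ranges used in this PR: exact, bare major, ^x.y.z, >=x, '||'."""
    for alt in (a.strip() for a in rng.split("||")):
        lo = parse(alt)
        if alt.startswith("^"):  # caret: same major (or same minor when major is 0)
            hi = (lo[0] + 1, 0, 0) if lo[0] else (0, lo[1] + 1, 0)
            ok = lo <= ver < hi
        elif alt.startswith(">="):
            ok = ver >= lo
        else:  # bare major ("20") or exact version
            ok = ver[0] == lo[0] if alt.isdigit() else ver == lo
        if ok:
            return True
    return False

def audit_overrides(pkg, lock):
    """Flag unpinned overrides, overrides outside a dependent's declared range, and
    overrides whose engines.node the package's own engines.node floor cannot meet."""
    findings, pkgs = [], lock["packages"]
    our_node = pkg.get("engines", {}).get("node")
    for name, spec in pkg.get("overrides", {}).items():
        if not re.fullmatch(r"\d+\.\d+\.\d+", spec):  # a range can drift to a new vulnerable release
            findings.append((name, "unpinned", spec))
            continue
        for path, meta in pkgs.items():  # every dependent that declares a range for this package
            want = meta.get("dependencies", {}).get(name)
            if want and not satisfies(parse(spec), want):
                findings.append((name, "out-of-range", f"{path} wants {want}"))
        need = pkgs.get(f"node_modules/{name}", {}).get("engines", {}).get("node")
        if need and our_node:  # lowest Node we promise to support must satisfy the override's engines
            floor = min(parse(a) for a in our_node.split("||"))
            if not satisfies(floor, need):
                findings.append((name, "engines", f"needs node {need}, package allows {our_node}"))
    return findings
```

Running `audit_overrides(PACKAGE_JSON, PACKAGE_LOCK)` on the constructed data reports the unpinned webpack-dev-server range, the minimatch engines conflict, and ajv being outside npm-package-json-lint's `^6.12.6`; pointing it at a real manifest and lockfile is a matter of `json.load`-ing both.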