Skip to content

Bump transitive deps postcss, fast-xml-parser, uuid to patched versions#752

Merged
IEvangelist merged 1 commit intomainfrom
dapine/bump-transitive-deps
Apr 24, 2026
Merged

Bump transitive deps postcss, fast-xml-parser, uuid to patched versions#752
IEvangelist merged 1 commit intomainfrom
dapine/bump-transitive-deps

Conversation

@IEvangelist
Copy link
Copy Markdown
Member

@IEvangelist IEvangelist commented Apr 24, 2026
edited
Loading

Addresses Dependabot alerts #68, #71, and #72 by adding/updating pnpm overrides in src/frontend/package.json to force patched versions of these transitive dependencies, and regenerating pnpm-lock.yaml.

Alert Package Vulnerable range First patched Resolved to Advisory
#68 fast-xml-parser < 5.7.0 5.7.0 5.7.1 XML Comment / CDATA injection via unescaped delimiters
#71 uuid < 14.0.0 14.0.0 14.0.0 Missing buffer bounds check in v3/v5/v6 when buf is provided
#72 postcss < 8.5.10 8.5.10 8.5.10 XSS via unescaped </style> in CSS stringify output

All three are transitive dependencies surfaced through src/frontend/pnpm-lock.yaml. No direct dependencies in package.json needed to change.

Each override lower bound matches the advisory's first_patched_version; the Resolved to column shows the actual version picked during lockfile regeneration (pnpm selects the highest compatible).

@IEvangelist
Bump transitive deps postcss, fast-xml-parser, uuid to patched versions
1052c27 
Addresses Dependabot alerts:

- #68 fast-xml-parser < 5.7.0 (XML Comment/CDATA injection) -> 5.7.1

- #71 uuid < 14.0.0 (missing buffer bounds check) -> 14.0.0

- #72 postcss < 8.5.10 (XSS via unescaped </style>) -> 8.5.10

Updated pnpm overrides in src/frontend/package.json to force patched

versions of these transitive dependencies and regenerated pnpm-lock.yaml.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@IEvangelist IEvangelist marked this pull request as ready for review April 24, 2026 20:11
Copilot AI review requested due to automatic review settings April 24, 2026 20:11
@IEvangelist IEvangelist enabled auto-merge (squash) April 24, 2026 20:12
Copilot AI reviewed Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the frontend dependency resolution to remediate Dependabot alerts by forcing patched transitive dependency versions via pnpm overrides and lockfile regeneration.

Changes:

  • Updated pnpm.overrides in the frontend package.json to force patched versions of fast-xml-parser, postcss, and uuid.
  • Regenerated pnpm-lock.yaml to reflect the overridden resolutions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/frontend/package.json Adds/updates pnpm overrides to force patched transitive dependency versions.
src/frontend/pnpm-lock.yaml Lockfile regeneration reflecting the new override constraints and resolved package versions.
Files not reviewed (1)
  • src/frontend/pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/frontend/package.json
Comment thread src/frontend/pnpm-lock.yaml
@IEvangelist IEvangelist merged commit 8a6bea7 into main Apr 24, 2026
9 checks passed
@IEvangelist IEvangelist deleted the dapine/bump-transitive-deps branch April 24, 2026 20:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@radical radical radical approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@IEvangelist @radical