chore: resolve open dependabot security alerts #91

Merged
JamieSinn merged 2 commits into main from chore/dependabot-alerts on Jun 19, 2026

Conversation

@jonathannorris

Member

Summary

  • Added yarn resolutions to force patched versions for transitive dependencies flagged by Dependabot

Dependabot Alerts Resolved

| Package    | Fix                                                          |
|------------|--------------------------------------------------------------|
| handlebars | Added resolution ^4.7.9 (prototype pollution)                |
| picomatch  | Added resolution ^2.3.2 (ReDoS)                              |
| flatted    | Added resolution ^3.4.2 (prototype pollution)                |
| minimatch  | Added resolution ^9.0.7 (ReDoS)                              |
| fast-uri   | Narrowed resolution to ^3.1.2 (prevent unexpected major bumps) |

All alerts are now resolved (0 open alerts remaining).

Copilot AI review requested due to automatic review settings June 19, 2026 14:03
@jonathannorris jonathannorris requested a review from a team as a code owner June 19, 2026 14:03

Copilot AI left a comment


Pull request overview

This PR updates Yarn dependency pinning to address remaining Dependabot security alerts by forcing a patched fast-uri version via Yarn resolutions and reflecting that change in the lockfile.

Changes:

  • Add fast-uri to package.json resolutions at ^3.1.2.
  • Update yarn.lock so fast-uri@^3.0.1 resolves to 3.1.2 (and records the new ^3.1.2 selector).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File         | Description                                                                              |
|--------------|------------------------------------------------------------------------------------------|
| package.json | Adds a Yarn resolutions entry to force fast-uri to a patched version.                    |
| yarn.lock    | Updates the locked fast-uri tarball/version to 3.1.2 consistent with the new resolution. |

Comment thread package.json
Comment on lines 26 to 33
"resolutions": {
"cross-spawn": "^7.0.6",
"handlebars": "^4.7.9",
"picomatch": "^2.3.2",
"flatted": "^3.4.2",
"minimatch": "^9.0.7"
"minimatch": "^9.0.7",
"fast-uri": "^3.1.2"
}
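Review bot: the bare-name `"minimatch": "^9.0.7",` entry forces every transitive copy of minimatch onto 9.x, including consumers whose own declared range is an older major, because a Yarn resolution keyed only by package name overrides the dependent's range without a compatibility check; that is the same "unexpected major bump" risk this PR narrows `fast-uri` to avoid. Suggest confirming that `yarn install` emits no incompatible-resolution warnings and that the test suite passes against the forced version, or scoping the entry to the affected path (for example `**/<dependent>/minimatch`) rather than a global pin, so the ReDoS fix lands only where it is needed.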
@JamieSinn JamieSinn merged commit 8fd44f6 into main Jun 19, 2026
12 checks passed
@JamieSinn JamieSinn deleted the chore/dependabot-alerts branch June 19, 2026 17:36
3 participants