Skip to content

fix: resolve high severity dependabot vulnerabilities IN-1189#2004

Merged
gaspergrom merged 3 commits into
mainfrom
fix/dependabot-high-severity-vulns
Jul 10, 2026
Merged

fix: resolve high severity dependabot vulnerabilities IN-1189#2004
gaspergrom merged 3 commits into
mainfrom
fix/dependabot-high-severity-vulns

Conversation

@gaspergrom

Copy link
Copy Markdown
Collaborator

Summary

  • Fixes 4 high-severity Dependabot vulnerabilities via pnpm-workspace.yaml overrides: minimatch (9.x line → 9.0.7+, GHSA-23c5/3ppc/7r86), lodash (→ 4.18.1, corrected from Dependabot's own deprecated 4.18.0 target), storybook (8.4.7 instance → 8.6.17), and serialize-javascript (→ 7.0.7, CVE-2026-34043)
  • Each fix required proving the update is safe: consumer-range checks, changelog/API-surface diffs, and reachability analysis before applying
  • 4 additional items (nuxt, rollup, fast-xml-parser, vite) were investigated and found blocked by a pre-existing pnpm peer-resolution issue unrelated to this diff — deferred as needs-human, not included here
  • Includes two unrelated pending changes folded in per prior agreement: .gitignore (+.playwright-mcp) and frontend/setup/nitro.ts (Nitro trace-ignore config to fix Nuxt server bundle size)

Changes

  • pnpm-workspace.yaml — added/updated 4 overrides entries with GHSA references in comments
  • pnpm-lock.yaml — regenerated to resolve the patched versions
  • frontend/package.json — cosmetic dependency re-sort from pnpm install (no version changes)
  • .gitignore — ignore .playwright-mcp artifacts
  • frontend/setup/nitro.ts — new Nitro trace-ignore config (unrelated, pre-existing work)

Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
@gaspergrom gaspergrom self-assigned this Jul 10, 2026
Copilot AI review requested due to automatic review settings July 10, 2026 09:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates transitive dependencies to remediate high-severity vulnerabilities and includes ancillary configuration changes.

Changes:

  • Adds dependency security overrides and regenerates the lockfile.
  • Adds Nitro tracing exclusions and ignores Playwright MCP artifacts.
  • Reorders frontend development dependencies.

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pnpm-workspace.yaml Adds security overrides.
pnpm-lock.yaml Resolves patched dependency versions.
frontend/setup/nitro.ts Adds currently unwired trace exclusions.
frontend/package.json Reorders dependencies.
.gitignore Ignores Playwright MCP artifacts.
Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread frontend/setup/nitro.ts Outdated
setup/nitro.ts was never imported by nuxt.config.ts, so its
traceOptions.ignore externals (meant to keep @resvg platform
binaries out of the server bundle) had no effect. Merged the
externals config into setup/caching.ts's nitro object, which is
already spread into nuxt.config.ts, and removed the now-redundant
setup/nitro.ts file.

Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
Copilot AI review requested due to automatic review settings July 10, 2026 10:07

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 5 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

Comment thread frontend/setup/caching.ts
const shortCache = 3600; // 1 hour in seconds

// Production runs on node:24-slim (Debian, glibc) — only the linux-x64-gnu native
// binary is ever loaded at runtime. Nitro's dependency tracer (nitropack >=2.13)
Comment thread frontend/setup/caching.ts
: {}),
},
nitro: {
externals,
@gaspergrom gaspergrom requested a review from joanagmaia July 10, 2026 10:21
@gaspergrom gaspergrom merged commit 0b87b84 into main Jul 10, 2026
11 checks passed
@gaspergrom gaspergrom deleted the fix/dependabot-high-severity-vulns branch July 10, 2026 10:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants