Skip to content

chore: resolve open dependabot security alerts#23

Open
jonathannorris wants to merge 2 commits into
mainfrom
chore/dependabot-alerts
Open

chore: resolve open dependabot security alerts#23
jonathannorris wants to merge 2 commits into
mainfrom
chore/dependabot-alerts

Conversation

@jonathannorris
Copy link
Copy Markdown
Member

@jonathannorris jonathannorris commented May 13, 2026

Summary

Resolved 4 open Dependabot security alerts by bumping vulnerable transitive dependencies.

Dependabot Alerts Resolved

Alert Package Severity Fix
#116 fast-uri high Bumped to 3.1.2 via npm override
#115 fast-uri high Bumped to 3.1.2 via npm override
#114 ip-address medium Bumped to 10.1.1 via @semantic-release/npm upgrade to 13.x (pulls in npm@11 with patched bundled deps)
#113 picomatch medium Bumped to 4.0.4 via nested tinyglobby override and @semantic-release/npm upgrade

The ip-address and picomatch@4.x vulnerabilities were in npm's bundled internal deps (node_modules/npm/node_modules/). These can only be fixed by upgrading @semantic-release/npm from 12.x to 13.x, which pulls in npm@11 with patched versions of those bundled packages.

@jonathannorris
chore: resolve open dependabot security alerts
40d72ce 
- fast-uri 3.1.0 -> 3.1.2 (high, alerts #115 #116)
- ip-address 10.1.0 -> 10.1.1 (medium, alert #114)
- picomatch 4.0.3 -> 4.0.4 (medium, alert #113)
- @semantic-release/npm bumped to >=13.0.0 to pull in npm@11 with patched bundled deps
Copilot AI review requested due to automatic review settings May 13, 2026 13:37
@jonathannorris jonathannorris requested a review from a team as a code owner May 13, 2026 13:37
@jonathannorris jonathannorris enabled auto-merge (squash) May 13, 2026 13:40
Copilot AI reviewed May 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses Dependabot security alerts by bumping vulnerable transitive dependencies using npm overrides, including pulling in patched versions via an @semantic-release/npm upgrade.

Changes:

  • Added/adjusted overrides in package.json for fast-uri, ip-address, @semantic-release/npm, and nested tinyglobby -> picomatch.
  • Updated package-lock.json to reflect the new resolved dependency graph (notably npm 11.x via @semantic-release/npm@13.x, plus patched fast-uri / ip-address).
  • Extended .gitignore to ignore .worktrees/.

Reviewed changes

Copilot reviewed 1 out of 3 changed files in this pull request and generated 2 comments.

File Description
package.json Adds npm overrides intended to force patched transitive dependency versions.
package-lock.json Updates the lockfile to reflect dependency upgrades (including @semantic-release/npm@13.1.5 and npm 11.x).
.gitignore Adds .worktrees/ to ignored paths.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json Outdated
Comment thread package.json Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathannorris