
fix: update vulnerable transitive dependencies#1851

Merged
chagong merged 1 commit into main from fix/dependabot-security-updates on Apr 8, 2026

Conversation

@chagong (Contributor) commented Apr 8, 2026

Summary

Resolve open Dependabot security alerts by adding npm overrides for vulnerable transitive dependencies.

Vulnerabilities Fixed

| Package | Old Version | New Version | Severity | CVE |
|---|---|---|---|---|
| serialize-javascript | 6.0.2 | 7.0.5 | High + Medium | CVE-2026-34043, GHSA-5c6j-r48x-rmvq |
| glob | 10.4.5 | 13.0.6 | High | CVE-2025-64756 |

Changes

  • Added `overrides` section in `package.json` to pin `serialize-javascript >= 7.0.5`
  • Added scoped override for `mocha`'s transitive `glob` dependency to `>= 10.5.0`
  • Regenerated `package-lock.json`

Notes

  • `serialize-javascript` is a transitive dependency of `mocha` and `terser-webpack-plugin` (via `webpack`)
  • `glob` vulnerability affects CLI only (`-c`/`--cmd` option), but upgrading removes the alert
  • Both are dev dependencies; no runtime impact
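For readers unfamiliar with the two forms of npm `overrides` the Changes list refers to, the following is an added illustration of the shape such a `package.json` would take. It is not the project's own file: the package name and the `devDependencies` ranges are assumed placeholders, only the two override entries mirror what the PR description states.

```json
{
  "name": "example-project",
  "devDependencies": {
    "mocha": "^10.0.0",
    "webpack": "^5.0.0",
    "terser-webpack-plugin": "^5.0.0"
  },
  "overrides": {
    "serialize-javascript": ">=7.0.5",
    "mocha": {
      "glob": ">=10.5.0"
    }
  }
}
```

The top-level `serialize-javascript` entry applies to every path in the tree, which is what covers both the `mocha` and the `terser-webpack-plugin` (via `webpack`) routes at once. The nested `mocha: { glob: ... }` form is the scoped variant: it forces `glob` only inside `mocha`'s subtree and leaves any other consumer of `glob` untouched, which limits the blast radius of a major-version jump. `overrides` requires npm 8.3 or newer. After editing the file, `npm install` regenerates `package-lock.json`, and `npm ls serialize-javascript glob` shows the versions that were actually resolved so the override can be confirmed to have taken effect rather than assumed.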

Add npm overrides to resolve Dependabot security alerts:
- serialize-javascript: 6.0.2 → 7.0.5 (CVE-2026-34043, GHSA-5c6j-r48x-rmvq)
- glob: 10.4.5 → 13.0.6 (CVE-2025-64756)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
chagong merged commit fa5dfbf into main on Apr 8, 2026
4 checks passed
chagong deleted the fix/dependabot-security-updates branch on April 8, 2026 at 06:40