security: upgrade vulnerable packages and document yarn resolutions#1061
Draft
MatiasArriola wants to merge 10 commits into
Draft
security: upgrade vulnerable packages and document yarn resolutions#1061MatiasArriola wants to merge 10 commits into
MatiasArriola wants to merge 10 commits into
Conversation
- Upgrade direct deps (axios, etc.) and add scoped yarn resolutions for transitive vulnerabilities (flatted, handlebars, tar, picomatch, brace-expansion, vite/rollup) flagged by Dependency-Track. - Add RESOLUTIONS.md documenting every entry in package.json resolutions with why / fixes / drop-when fields, including pre-existing pins whose rationale was recoverable from git history. - Gitignore .claude/ (skill distributed externally) and the regenerable sca-triage-report.md.
MatiasArriola
changed the base branch from
feature/test_githubaction
to
development
BundleMonNo change in files bundle size Groups updated (1)
Final result: ✅ View report in BundleMon website ➡️ |
BOM analysis after the previous commit showed picomatch@4.0.3 still in the tree under vite@7.3.2 and vitest@3.2.4 — neither covered by the existing @rollup/pluginutils and tinyglobby parent paths. Adding vite/picomatch and vitest/picomatch resolutions at ^4.0.4 closes GHSA-c2c7-rcm5-vvqj for those subtrees.
- lodash 4.17.23 -> 4.18.1 + resolution to flush transitive 4.17.21 (clears CVE-2026-4800 critical, CVE-2021-23337 high) - minimatch per-parent pins resolve dev-tool tree to 3.1.5/7.4.9/9.0.9 (clears CVE-2026-26996/-27903/-27904 high)
…scripts fix: add "nsSeparator: false" to all i18n calls that contained warnings due to ":" usage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
RESOLUTIONS.mddocumenting every entry inpackage.jsonresolutions with why / fixes / drop-when fields. Pre-existing pins whose rationale was recoverable from git history (@types/react,qs,diff,i18next) are now documented; one (@dhis2/ui-icons) remains in a "rationale not recovered" subsection..claude/(skill distributed externally) and the regenerablesca-triage-report.md.Test plan
yarn installcleanyarn npm audit --severity highshows no remaining high-severity findings for the pinned packagesyarn why <pkg>confirms each new resolution actually fires (especially the versioned-parentbrace-expansionpins, which decay silently)yarn start)