Skip to content

V6.4.0 all security prs#3178

Draft
zerbitx wants to merge 78 commits intomainfrom
v6.4.0-all-security-prs
Draft

V6.4.0 all security prs#3178
zerbitx wants to merge 78 commits intomainfrom
v6.4.0-all-security-prs

Conversation

@zerbitx
Copy link
Collaborator

@zerbitx zerbitx commented Mar 24, 2026

v6.4.0-alpha — Merged Security & Dependency PRs

This PR aims to consolidate all of the automated PRs (at the time this was created) to get them building together and test them for the next minor release. 🤞

Contains 38 PRs (13 dependabot + 25 Snyk).

Dependabot (13)

PR Dependency Update
#3091 react-timeago (ui) 4.4.0 → 8.3.0
#3092 whatwg-fetch (ui) 2.0.3 → 3.6.20
#3093 url-loader (ui) 2.1.0 → 4.1.1
#3094 github.com/pkg/sftp 1.13.1 → 1.13.10
#3095 terser-webpack-plugin (ui) 1.4.6 → 5.3.16
#3096 github.com/evanphx/json-patch 4.12.0 → 5.9.11+incompatible
#3097 tslint (ui) 5.20.1 → 6.1.3
#3098 sw-precache-webpack-plugin (ui) 0.11.5 → 1.0.0
#3099 github.com/joho/godotenv 1.3.0 → 1.5.1
#3100 k8s.io/apimachinery 0.29.0 → 0.35.0
#3101 github.com/go-resty/resty/v2 2.7.0 → 2.17.1
#3173 inquirer (dist/npm) 7.3.3 → 13.3.2
#3177 find-process (dist/npm) 1.4.7 → 2.1.1

Snyk (25)

PR Dependency Update
#3023 sass (docs) 1.63.4 → 1.93.2
#3024 classnames (docs) 2.3.2 → 2.5.1
#3025 docusaurus-plugin-sass (docs) 0.2.3 → 0.2.6
#3038 Fix: js-yaml vuln (ui) SNYK-JS-JSYAML-13961110
#3039 redocusaurus (docs) 1.6.3 → 2.0.0
#3055 express 4.17.3 → 4.22.0
#3058 express 4.21.2 → 4.22.0
#3071 Fix: qs vuln (ui) SNYK-JS-QS-14724253
#3089 Fix: react-router vuln (ui) SNYK-JS-REACTROUTER-14908286
#3110 mermaid (docs) 10.9.3 → 11.0.0
#3118 alpine (Docker) latest → 3.23.3
#3126 golang Docker image 1.25.4-alpine → 1.26rc3-alpine
#3129 golang Docker image 1.17-alpine → 1.26.0-alpine
#3130 golang Docker image 1.17-alpine → 1.26.0-alpine
#3131 express 4.21.1 → 4.22.0
#3132 express 4.21.0 → 4.22.0
#3133 express 4.18.1 → 4.22.0
#3134 golang Docker image 1.17-alpine → 1.26.0-alpine
#3135 golang Docker image 1.17-alpine → 1.26.0-alpine
#3136 Fix: qs vuln (ui) SNYK-JS-QS-15268416
#3140 Fix: ajv ReDoS (docs) SNYK-JS-AJV-15274295
#3141 webpack (examples/quickstart-kubectl) 4.38.0 → 5.98.0
#3148 nodemon (examples) 2.0.22 → 3.1.12
#3171 golang Docker image 1.13 → latest
#3172 @kubernetes/client-node (ui) 0.17.1 → 0.21.0

snyk-bot and others added 30 commits October 24, 2025 08:56
@snyk-bot
fix: upgrade sass from 1.63.4 to 1.93.2
5061ef8 
Snyk has created this PR to upgrade sass from 1.63.4 to 1.93.2.

See this package in yarn:
sass

See this project in Snyk:
https://app.snyk.io/org/devspace/project/432c6c4d-5f97-4566-9a1a-0ff3240f0c2d?utm_source=github&utm_medium=referral&page=upgrade-pr
@snyk-bot
fix: upgrade classnames from 2.3.2 to 2.5.1
4566700 
Snyk has created this PR to upgrade classnames from 2.3.2 to 2.5.1.

See this package in yarn:
classnames

See this project in Snyk:
https://app.snyk.io/org/devspace/project/432c6c4d-5f97-4566-9a1a-0ff3240f0c2d?utm_source=github&utm_medium=referral&page=upgrade-pr
@snyk-bot
fix: upgrade docusaurus-plugin-sass from 0.2.3 to 0.2.6
c3e619a 
Snyk has created this PR to upgrade docusaurus-plugin-sass from 0.2.3 to 0.2.6.

See this package in yarn:
docusaurus-plugin-sass

See this project in Snyk:
https://app.snyk.io/org/devspace/project/432c6c4d-5f97-4566-9a1a-0ff3240f0c2d?utm_source=github&utm_medium=referral&page=upgrade-pr
@snyk-bot
fix: ui/package.json & ui/package-lock.json to reduce vulnerabilities
0ee85da 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JSYAML-13961110
@snyk-bot
fix: docs/package.json & docs/yarn.lock to reduce vulnerabilities
fe5847b 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-JSYAML-13961110
@snyk-bot
fix: examples/kind/package.json to reduce vulnerabilities
01b5427 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-EXPRESS-14157151
@snyk-bot
fix: ui/package.json & ui/package-lock.json to reduce vulnerabilities
e250869 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-EXPRESS-14157151
@snyk-bot
fix: ui/package.json & ui/package-lock.json to reduce vulnerabilities
0c9fd2a 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-14724253
@snyk-bot
fix: ui/package.json & ui/package-lock.json to reduce vulnerabilities
76faa81 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-REACTROUTER-14908286
@dependabot
chore(deps): bump react-timeago from 4.4.0 to 8.3.0 in /ui
0c73745 
Bumps [react-timeago](https://github.com/naman34/react-timeago) from 4.4.0 to 8.3.0.
- [Release notes](https://github.com/naman34/react-timeago/releases)
- [Changelog](https://github.com/nmn/react-timeago/blob/master/CHANGELOG.md)
- [Commits](https://github.com/naman34/react-timeago/commits)

---
updated-dependencies:
- dependency-name: react-timeago
  dependency-version: 8.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump whatwg-fetch from 2.0.3 to 3.6.20 in /ui
562491c 
Bumps [whatwg-fetch](https://github.com/github/fetch) from 2.0.3 to 3.6.20.
- [Release notes](https://github.com/github/fetch/releases)
- [Changelog](https://github.com/JakeChampion/fetch/blob/main/CHANGELOG.md)
- [Commits](JakeChampion/fetch@v2.0.3...v3.6.20)

---
updated-dependencies:
- dependency-name: whatwg-fetch
  dependency-version: 3.6.20
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump url-loader from 2.1.0 to 4.1.1 in /ui
8edc72e 
Bumps [url-loader](https://github.com/webpack-contrib/url-loader) from 2.1.0 to 4.1.1.
- [Release notes](https://github.com/webpack-contrib/url-loader/releases)
- [Changelog](https://github.com/webpack-contrib/url-loader/blob/master/CHANGELOG.md)
- [Commits](webpack-contrib/url-loader@v2.1.0...v4.1.1)

---
updated-dependencies:
- dependency-name: url-loader
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump github.com/pkg/sftp from 1.13.1 to 1.13.10
fa46b97 
Bumps [github.com/pkg/sftp](https://github.com/pkg/sftp) from 1.13.1 to 1.13.10.
- [Release notes](https://github.com/pkg/sftp/releases)
- [Commits](pkg/sftp@v1.13.1...v1.13.10)

---
updated-dependencies:
- dependency-name: github.com/pkg/sftp
  dependency-version: 1.13.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps-dev): bump terser-webpack-plugin from 1.4.6 to 5.3.16 in /ui
aadc341 
Bumps [terser-webpack-plugin](https://github.com/webpack/terser-webpack-plugin) from 1.4.6 to 5.3.16.
- [Release notes](https://github.com/webpack/terser-webpack-plugin/releases)
- [Changelog](https://github.com/webpack/terser-webpack-plugin/blob/main/CHANGELOG.md)
- [Commits](webpack/terser-webpack-plugin@v1.4.6...v5.3.16)

---
updated-dependencies:
- dependency-name: terser-webpack-plugin
  dependency-version: 5.3.16
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump github.com/evanphx/json-patch
2e365ca 
Bumps [github.com/evanphx/json-patch](https://github.com/evanphx/json-patch) from 4.12.0+incompatible to 5.9.11+incompatible.
- [Release notes](https://github.com/evanphx/json-patch/releases)
- [Commits](evanphx/json-patch@v4.12.0...v5.9.11)

---
updated-dependencies:
- dependency-name: github.com/evanphx/json-patch
  dependency-version: 5.9.11+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump tslint from 5.20.1 to 6.1.3 in /ui
93f4acd 
Bumps [tslint](https://github.com/palantir/tslint) from 5.20.1 to 6.1.3.
- [Release notes](https://github.com/palantir/tslint/releases)
- [Changelog](https://github.com/palantir/tslint/blob/master/CHANGELOG.md)
- [Commits](palantir/tslint@5.20.1...6.1.3)

---
updated-dependencies:
- dependency-name: tslint
  dependency-version: 6.1.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump sw-precache-webpack-plugin from 0.11.5 to 1.0.0 in /ui
3b78d9c 
Bumps [sw-precache-webpack-plugin](https://github.com/goldhand/sw-precache-webpack-plugin) from 0.11.5 to 1.0.0.
- [Changelog](https://github.com/goldhand/sw-precache-webpack-plugin/blob/master/CHANGELOG.md)
- [Commits](goldhand/sw-precache-webpack-plugin@v0.11.5...v1.0.0)

---
updated-dependencies:
- dependency-name: sw-precache-webpack-plugin
  dependency-version: 1.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump github.com/joho/godotenv from 1.3.0 to 1.5.1
6504fc8 
Bumps [github.com/joho/godotenv](https://github.com/joho/godotenv) from 1.3.0 to 1.5.1.
- [Release notes](https://github.com/joho/godotenv/releases)
- [Commits](joho/godotenv@v1.3.0...v1.5.1)

---
updated-dependencies:
- dependency-name: github.com/joho/godotenv
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump k8s.io/apimachinery from 0.29.0 to 0.35.0
40ca817 
Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.29.0 to 0.35.0.
- [Commits](kubernetes/apimachinery@v0.29.0...v0.35.0)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump github.com/go-resty/resty/v2 from 2.7.0 to 2.17.1
73ddbed 
Bumps [github.com/go-resty/resty/v2](https://github.com/go-resty/resty) from 2.7.0 to 2.17.1.
- [Release notes](https://github.com/go-resty/resty/releases)
- [Commits](go-resty/resty@v2.7.0...v2.17.1)

---
updated-dependencies:
- dependency-name: github.com/go-resty/resty/v2
  dependency-version: 2.17.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@snyk-bot
fix: docs/package.json & docs/yarn.lock to reduce vulnerabilities
fe4f52d 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-DIFF-14917201
@snyk-bot
fix: pkg/devspace/compose/testdata/depends_on_with_build/backend/Dock…
7d5e012 
…erfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE323-OPENSSL-15120869
- https://snyk.io/vuln/SNYK-ALPINE323-OPENSSL-15120870
- https://snyk.io/vuln/SNYK-ALPINE323-OPENSSL-15120871
- https://snyk.io/vuln/SNYK-ALPINE323-OPENSSL-15120872
- https://snyk.io/vuln/SNYK-ALPINE323-OPENSSL-15120873
@snyk-bot
fix: examples/kaniko/Dockerfile to reduce vulnerabilities
e24298c 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE322-OPENSSL-15121226
- https://snyk.io/vuln/SNYK-ALPINE322-OPENSSL-15121226
- https://snyk.io/vuln/SNYK-ALPINE322-OPENSSL-15120884
- https://snyk.io/vuln/SNYK-ALPINE322-OPENSSL-15120885
- https://snyk.io/vuln/SNYK-ALPINE322-OPENSSL-15120886
@snyk-bot
fix: examples/redeploy-instead-of-hot-reload/Dockerfile to reduce vul…
16aea68 
…nerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE316-ZLIB-2976176
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314624
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314641
@snyk-bot
fix: examples/dependencies/dependency1/Dockerfile to reduce vulnerabi…
2e6f296 
…lities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE316-ZLIB-2976176
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314624
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314641
@snyk-bot
fix: examples/kustomize/package.json & examples/kustomize/package-loc…
f1c98ae 
…k.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-15268416
@snyk-bot
fix: examples/buildkit-in-cluster/package.json & examples/buildkit-in…
f7cdc86 
…-cluster/package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-15268416
@snyk-bot
fix: examples/buildkit/package.json & examples/buildkit/package-lock.…
1a14214 
…json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-15268416
@snyk-bot
fix: examples/custom-builder/custom/Dockerfile to reduce vulnerabilities
6c53413 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE316-ZLIB-2976176
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314624
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314641
@snyk-bot
fix: examples/hot-reload-container-restart/Dockerfile to reduce vulne…
20c2205 
…rabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE316-ZLIB-2976176
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-MUSL-8720632
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314624
- https://snyk.io/vuln/SNYK-ALPINE316-OPENSSL-3314641
zerbitx added 28 commits March 24, 2026 14:24
@zerbitx
Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/dist/npm…
72936f4 
…/inquirer-13.3.2' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/dist/npm…
ddb349e 
…/find-process-2.1.1' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-upgrade-e56b2e1b4c8ab503bc7…
36adb80 
…b0c9ff4b05e85' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-upgrade-90dbde0732c382de42c…
bcceeca 
…9c3ef4dc97750' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-upgrade-3daa6c5103be896731a…
6887dbd 
…719dac03307b9' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-13f5a13a003909c372b7953…
091fd2c 
…a05ae420a' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-70bd757d56b357d4f47b701…
07f247b 
…beaca1345' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-492de03cdd00fae62e3888e…
21b855d 
…ca4ff5f3f' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-8f817c69e2358e7bffd9720…
c817cc8 
…cb2e26442' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-5b8dd027bd24c0a3b3ca514…
1ce3417 
…9eb1a9df5' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-64330e47ae4d2ded794241c…
67b8f39 
…bb56dd0ad' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-87a505785d38de5e2dffc53…
1a24935 
…b056f3708' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-397e614f9943ef24b8c23b3…
c4ab881 
…99e77f422' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-f98cb81cd0d3427a860e783…
d0bb5f3 
…e334be5dc' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-26afaef8eb52962e75a9343…
a42d69f 
…c111b3eba' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-c67480bda9264625f82fd70…
567be83 
…91197cc9f' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-d55dbc9b7480d6bb2b4ea55…
5d74311 
…4d2b3b303' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-5c1e69511371bb7bdff9a88…
4fe7a7f 
…090edbdab' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-0d2ba2b619da98e96bdd3bb…
0e4ee69 
…ab1c07c28' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-23504caea96e93505be0c17…
61d932b 
…ebf64cc72' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-9a73a3e99af7f055a482412…
ce9d9ab 
…e97ee2ca5' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-ec17d77d179d72403b5ec69…
69d7d76 
…696ce7c29' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-90d1fb6f01a36dd8768809a…
c0dc356 
…696d80af4' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-6790bf2f69679f6bdf1efd2…
9d41f15 
…d49366a72' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-8a9509a7ddcd66a421594b1…
060da72 
…91c80ad2c' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-d0398ad883a08dff500476a…
e7fa61d 
…605dccfef' into v6.4.0-alpha
@zerbitx
Merge remote-tracking branch 'origin/snyk-fix-7779c33986f3a38565b5e36…
a69a336 
…f851fc130' into v6.4.0-alpha
@zerbitx
go mod clean up
d26f639
@netlify
Copy link

netlify bot commented Mar 24, 2026
edited
Loading

Deploy Preview for devspace-docs failed.

Name Link
🔨 Latest commit 94376fd
🔍 Latest deploy log https://app.netlify.com/projects/devspace-docs/deploys/69c301dc20814f0008db297b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FabianKramm FabianKramm Awaiting requested review from FabianKramm FabianKramm will be requested when the pull request is marked ready for review FabianKramm is a code owner

@LukasGentele LukasGentele Awaiting requested review from LukasGentele LukasGentele will be requested when the pull request is marked ready for review LukasGentele is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zerbitx @snyk-bot