Skip to content

fix: remediate Dependabot security alerts (2026-07-18)#2700

Merged
robgruen merged 2 commits into
mainfrom
automated/fix-dependabot-alerts-20260718-119
Jul 18, 2026
Merged

fix: remediate Dependabot security alerts (2026-07-18)#2700
robgruen merged 2 commits into
mainfrom
automated/fix-dependabot-alerts-20260718-119

Conversation

@typeagent-bot

@typeagent-bot typeagent-bot Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Automated Dependabot Alert Remediation

This PR was automatically generated by the fix-dependabot-alerts workflow.
Each fix was applied individually and build-verified before inclusion.

Summary

  • Applied (13): diff esbuild ip-address js-yaml linkify-it nodemailer qs underscore undici uuid vite ws xml2js
  • **Blocked (1):**js-yaml
  • No patch available (0): (none)
  • Deferred — fix not yet 7 days old (0): (none)
  • Rolled back (1): (none)
  • Skipped (recent rollback, 0): (none)
  • Workspaces with analysis failures: (none)
  • Build: ✅ Passed
  • Shell packaging: ✅ Passed

Note: the analysis source (fix-dependabot-alerts.mjs) is broader than the GitHub Dependabot REST API — it also audits the lockfile directly. Some packages listed above may not have a corresponding open Dependabot alert, and vice versa.

Why blocked packages couldn't be auto-fixed

Dependency chains (`--show-chains` output)

===== docs =====

══════════════════════════════════════════════════════════════════════
  Fetching open Dependabot alerts from GitHub
══════════════════════════════════════════════════════════════════════
  Repository: microsoft/TypeAgent
  Found 3 alert(s) across 2 package(s)

══════════════════════════════════════════════════════════════════════
  Analyzing vulnerabilities
══════════════════════════════════════════════════════════════════════

  [1/2] 📦 ws (high) — ✗ 8.18.2 → need ≥8.21.0
     Fix: pnpm update ws -r
     → @11ty/eleventy-dev-server@2.0.8
       → @11ty/eleventy@3.1.2
         → typeagent-docs
  ⚠  Could not resolve shell production deps — shell packaging post-check will still validate

  [2/2] 📦 js-yaml (medium) — ✗ 3.14.2, ✗ 4.1.1 → need ≥4.2.0
     ↳ used by: typeagent-docs
     Actions: (requires --auto-fix)
       [override] gray-matter@4.0.3 pins js-yaml ^3.13.1, already at latest — no update available
     Risk: ▲ high — major version bump 3.14.2 → 4.2.0, 1 parent(s) may break
     → @11ty/eleventy@3.1.2
       → typeagent-docs
     → gray-matter@4.0.3
       → @11ty/eleventy@3.1.2 (see above)

══════════════════════════════════════════════════════════════════════
  Resolution plan (dry run)
══════════════════════════════════════════════════════════════════════
  ✓  [dry-run] pnpm update ws -r → >=8.21.0

══════════════════════════════════════════════════════════════════════
  Summary
══════════════════════════════════════════════════════════════════════

  1 to resolve | 1 blocked

  Fixed packages:
     ✓  [update] ws 8.18.2 → >=8.21.0

  Risk assessment:
     ▲ high  [override] js-yaml >=4.2.0: major version bump 3.14.2 → 4.2.0, 1 parent(s) may break

  Run with --auto-fix to fix: js-yaml
    (or --apply-overrides for: js-yaml)

  ⚠  DRY RUN — no changes were made. Run without --dry-run to apply.

How this works

  1. Analyses all open Dependabot alerts
  2. Applies each fix individually with build verification
  3. Rolls back any fix that breaks the build
  4. Only passing fixes are included in this PR

Review checklist

  • Check that no breaking changes were introduced
  • Verify rolled-back packages are investigated separately
  • Run tests locally if concerned about specific packages

Automated by fix-dependabot-alerts workflow.

Applied: diff esbuild ip-address js-yaml linkify-it nodemailer qs underscore undici uuid vite ws xml2js
Rolled back: (none)
Blocked: 1 package(s)
Deferred (min release age): 0 package(s)
Shell packaging: passed

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@typeagent-bot typeagent-bot Bot added dependencies Pull requests that update a dependency file security labels Jul 18, 2026
@robgruen

Copy link
Copy Markdown
Collaborator

@copilot resolve the merge conflicts in this pull request

Copilot AI commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

@copilot resolve the merge conflicts in this pull request

Resolved the merge conflict in ts/pnpm-lock.yaml. The conflict arose because both our security fix branch and main (Streamline electron package, #2688) modified the lockfile. After verifying that main's lockfile already contains all the same security package versions (undici, vite, ws, uuid, xml2js, qs, etc.), I accepted main's lockfile which correctly reflects both the security fixes and the updated shell package dependencies. Merged in commit b6798d3.

Copilot AI requested a review from robgruen July 18, 2026 16:28
@robgruen
robgruen enabled auto-merge July 18, 2026 16:30
@robgruen
robgruen added this pull request to the merge queue Jul 18, 2026
Merged via the queue into main with commit 0e074f0 Jul 18, 2026
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants