Skip to content

fix: patch vulnerabilities and bump outdated dependencies#7437

Closed
waldekmastykarz wants to merge 1 commit into
pnp:mainfrom
waldekmastykarz:waldekmastykarz-fuzzy-winner
Closed

fix: patch vulnerabilities and bump outdated dependencies#7437
waldekmastykarz wants to merge 1 commit into
pnp:mainfrom
waldekmastykarz:waldekmastykarz-fuzzy-winner

Conversation

@waldekmastykarz

Copy link
Copy Markdown
Member

Summary

Patches vulnerabilities and bumps outdated dependencies.

Direct dependency updates

Package From To
@inquirer/confirm 6.1.0 6.1.1
@inquirer/input 5.1.0 5.1.2
@inquirer/select 5.2.0 5.2.1
applicationinsights 3.14.0 3.15.1
axios 1.16.1 1.18.1
csv-stringify 6.7.0 6.8.0
semver 7.8.1 7.8.5
uuid 14.0.0 14.0.1

Dev dependency updates

Package From To
@types/node 24.12.4 24.13.2
@typescript-eslint/eslint-plugin 8.60.0 8.62.0
@typescript-eslint/parser 8.58.0 8.62.0
eslint 10.4.0 10.6.0
globals 17.6.0 17.7.0
tsc-watch 7.2.0 7.2.1

Transitive vulnerability fixes (via shrinkwrap)

Package From To Severity Advisory
undici 6.24.1 6.27.0 high HTTP header injection, WebSocket DoS, response queue poisoning, SameSite downgrade
js-yaml 4.1.1 4.3.0 moderate Quadratic DoS in merge key handling
form-data 4.0.5 4.0.6 high CRLF injection
hasown 2.0.2 2.0.4 Maintenance update

Remaining vulnerabilities (no fix available without breaking changes)

  • @opentelemetry/core (moderate) — transitive via applicationinsights. Fix requires applicationinsights@2.9.8 (semver-major downgrade from 3.x to 2.x)
  • protobufjs (high) — transitive via applicationinsights@opentelemetry/otlp-transformer. Same blocker as above

In cooldown (<7 days since publish)

Package Version Eligible on
@azure/msal-common 16.11.0 ~Jul 7
@azure/msal-node 5.3.1 ~Jul 7
@typescript-eslint/eslint-plugin 8.62.1 ~Jul 6
@typescript-eslint/parser 8.62.1 ~Jul 6
adm-zip 0.5.18 ~Jul 6
csv-stringify 6.8.1 ~Jul 5

Supersedes #7429 — this PR includes all changes from #7429 plus additional updates (applicationinsights, eslint, tsc-watch, transitive vulnerability fixes).

Updates:
- @inquirer/confirm 6.1.0 → 6.1.1
- @inquirer/input 5.1.0 → 5.1.2
- @inquirer/select 5.2.0 → 5.2.1
- applicationinsights 3.14.0 → 3.15.1
- axios 1.16.1 → 1.18.1
- csv-stringify 6.7.0 → 6.8.0
- semver 7.8.1 → 7.8.5
- uuid 14.0.0 → 14.0.1
- @types/node 24.12.4 → 24.13.2
- @typescript-eslint/eslint-plugin 8.60.0 → 8.62.0
- @typescript-eslint/parser 8.58.0 → 8.62.0
- eslint 10.4.0 → 10.6.0
- globals 17.6.0 → 17.7.0
- tsc-watch 7.2.0 → 7.2.1

Transitive vulnerability fixes (via npm audit fix / shrinkwrap):
- undici 6.24.1 → 6.27.0 (high: HTTP header injection, WebSocket DoS, response queue poisoning)
- js-yaml 4.1.1 → 4.3.0 (moderate: quadratic DoS in merge key handling)
- form-data 4.0.5 → 4.0.6 (high: CRLF injection)
- hasown 2.0.2 → 2.0.4

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@waldekmastykarz

Copy link
Copy Markdown
Member Author

Closing in favor of #7448 which includes all these changes plus additional updates (newer @typescript-eslint/*, csv-stringify, eslint, @types/node versions, adm-zip bump, and global OpenTelemetry overrides to resolve all remaining vulnerabilities).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant