Skip to content

fix: patch vulnerabilities and bump outdated dependencies#7448

Draft
waldekmastykarz wants to merge 1 commit into
pnp:mainfrom
waldekmastykarz:waldekmastykarz-weekly-deps-bump
Draft

fix: patch vulnerabilities and bump outdated dependencies#7448
waldekmastykarz wants to merge 1 commit into
pnp:mainfrom
waldekmastykarz:waldekmastykarz-weekly-deps-bump

Conversation

@waldekmastykarz

Copy link
Copy Markdown
Member

Summary

Patches all npm vulnerabilities and bumps outdated dependencies.

Vulnerabilities fixed

  • @opentelemetry/core <2.8.0 (moderate) — Unbounded memory allocation in W3C Baggage propagation
  • protobufjs <=7.6.2 (high) — Schema-derived names can shadow runtime-significant properties; DoS via unbounded Any expansion
  • form-data (high) — fixed via npm audit fix
  • js-yaml (moderate) — fixed via npm audit fix
  • undici (high) — HTTP header injection, WebSocket DoS, response queue poisoning, Set-Cookie SameSite downgrade

Direct dependency bumps

Package From To
@inquirer/confirm ^6.1.0 ^6.1.1
@inquirer/input ^5.1.0 ^5.1.2
@inquirer/select ^5.2.0 ^5.2.1
adm-zip ^0.5.17 ^0.5.18
applicationinsights ^3.14.0 ^3.15.1
axios ^1.16.1 ^1.18.1
csv-stringify ^6.7.0 ^6.8.1
semver ^7.8.1 ^7.8.5
uuid ^14.0.0 ^14.0.1
@types/node ^24.12.4 ^24.13.3
@typescript-eslint/eslint-plugin ^8.60.0 ^8.63.0
@typescript-eslint/parser ^8.58.0 ^8.63.0
eslint ^10.4.0 ^10.7.0
globals ^17.6.0 ^17.7.0
tsc-watch ^7.2.0 ^7.2.1

Override updates

  • protobufjs: 7.6.0 → 7.6.5
  • @opentelemetry/sdk-node: 0.217.0 → 0.219.0
  • @opentelemetry/exporter-prometheus: 0.217.0 → 0.219.0
  • Added global overrides for @opentelemetry/core, sdk-logs, sdk-metrics, sdk-trace-base, resources, otlp-transformer, otlp-exporter-base, and exporter-*-otlp-http/proto to resolve the transitive @opentelemetry/core <2.8.0 vulnerability chain

Verification

  • npm audit: 0 vulnerabilities
  • npm run build: ✅
  • npm run lint: ✅

Supersedes #7437 (includes all its changes plus additional updates).

- Update overrides: protobufjs 7.6.0→7.6.5, @opentelemetry/sdk-node 0.217.0→0.219.0,
  @opentelemetry/exporter-prometheus 0.217.0→0.219.0
- Add global overrides for @opentelemetry/core, sdk-logs, sdk-metrics,
  sdk-trace-base, resources, otlp-transformer, otlp-exporter-base,
  exporter-*-otlp-http/proto to fix transitive @opentelemetry/core <2.8.0 vulnerability
- Bump direct deps: @inquirer/confirm, @inquirer/input, @inquirer/select,
  axios, adm-zip, csv-stringify, semver, uuid, globals,
  @typescript-eslint/eslint-plugin, @typescript-eslint/parser, tsc-watch
- Fix form-data, js-yaml, undici, and protobufjs vulnerabilities via npm audit fix

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@milanholemans

Copy link
Copy Markdown
Contributor

@waldekmastykarz can you rebase the PR to fix the merge conflicts?

@milanholemans
milanholemans marked this pull request as draft July 16, 2026 09:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants