
chore(security): patch 12 Dependabot alerts #326

Merged
nbouliol merged 1 commit into main from security/2026-07-03
Jul 3, 2026

Conversation

@PMerlet PMerlet (Member) commented Jul 3, 2026

👋 First-level support: see Handling automated security PRs for how to triage and merge this PR.

Summary

12 fixed, 0 ignored, 4 deferred, 0 resolutions added, 0 resolutions removed. | label: 🔒 security applied

All fixes are lockfile-only re-resolutions in yarn.lock: the patched versions already satisfy the semver ranges declared by the parent packages (semantic-release tooling), so no package.json change was needed.

Fixed

| Done | Alert | Package | Ecosystem | From → To | Severity | What was bumped |
|------|-------|---------|-----------|-----------|----------|-----------------|
| [ ] | #73 | tar | npm | 7.5.15 → 7.5.19 | medium | lockfile re-resolution (transitive via semantic-release > @semantic-release/npm > npm) |
| [ ] | #74 | undici | npm | 7.25.0 → 7.28.0 | high | lockfile re-resolution (transitive via semantic-release > @semantic-release/github) |
| [ ] | #75 | undici | npm | 7.25.0 → 7.28.0 | medium | lockfile re-resolution (same chain as #74) |
| [ ] | #76 | undici | npm | 7.25.0 → 7.28.0 | high | lockfile re-resolution (same chain as #74) |
| [ ] | #77 | undici | npm | 7.25.0 → 7.28.0 | low | lockfile re-resolution (same chain as #74) |
| [ ] | #78 | undici | npm | 7.25.0 → 7.28.0 | high | lockfile re-resolution (same chain as #74) |
| [ ] | #79 | undici | npm | 7.25.0 → 7.28.0 | medium | lockfile re-resolution (same chain as #74) |
| [ ] | #80 | undici | npm | 7.25.0 → 7.28.0 | low | lockfile re-resolution (same chain as #74) |
| [ ] | #81 | undici | npm | 6.25.0 → 6.27.0 | high | lockfile re-resolution (transitive via semantic-release > @semantic-release/npm > npm > node-gyp and @actions/http-client) |
| [ ] | #82 | undici | npm | 6.25.0 → 6.27.0 | medium | lockfile re-resolution (same chain as #81) |
| [ ] | #83 | undici | npm | 6.25.0 → 6.27.0 | low | lockfile re-resolution (same chain as #81) |
| [ ] | #84 | undici | npm | 6.25.0 → 6.27.0 | low | lockfile re-resolution (same chain as #81) |

Ignored

None.

Deferred

Skipped by the 7-day age gate — will be handled by the next run:

  • #85 — @sigstore/core ≤ 3.2.0 (medium, opened 2026-06-30)
  • #86 — @sigstore/verify = 3.1.0 (medium, opened 2026-07-02)
  • #87 — sigstore ≤ 4.1.0 (high, opened 2026-07-02)
  • #88 — js-yaml ≥ 4.0.0, ≤ 4.1.1 (medium, opened 2026-07-02)

Resolutions added

None — every patched version satisfies the semver range already declared by its parent, so plain lockfile re-resolution was sufficient.

Resolutions removed

None — the root package.json resolutions block is empty; no other package.json exists in the repo.

Risks

  • undici 6.25.0 → 6.27.0 / 7.25.0 → 7.28.0: minor/patch releases within the ranges declared by @semantic-release/github, @actions/http-client, node-gyp. undici is only used by release tooling in CI; no source code in this repo imports it. No breaking changes in these ranges per upstream changelog.
  • tar 7.5.15 → 7.5.19: patch releases (parser hardening fixes). Only consumed by the bundled npm/pacote/node-gyp chain inside release tooling. No behavior change beyond the patched vulnerabilities.
  • All three packages are devDependencies-scope transitives of semantic-release; the shipped Ruby gems are unaffected.

Manual testing

Covered by CI.

Validation

✅ CI green
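
The triage rule the summary relies on, that a Dependabot fix can be taken as a plain yarn.lock re-resolution when the patched version still satisfies the semver range the parent package declares, and otherwise needs a package.json resolutions override, as an added example. This is not code from this PR or from the project; it implements only the subset of node-semver range syntax (exact, `^`, `~`, comparators joined by spaces, `||` alternatives) needed for the check so it runs without the `semver` package, and the declared ranges in the sample alerts are assumptions, since the PR does not quote the parents' package.json entries.

```javascript
// Added example (not from the PR or the project): classify a Dependabot alert
// as "lockfile re-resolution suffices" or "needs a resolutions override",
// based on whether the patched version satisfies the parent's declared range.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Expand one range token into a list of [operator, version] comparators.
function comparators(token) {
  let m;
  if ((m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(token))) {
    const [maj, min, pat] = m.slice(1).map(Number);
    // caret: allow changes that do not touch the left-most non-zero digit
    const hi = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
    return [['>=', [maj, min, pat]], ['<', hi]];
  }
  if ((m = /^~(\d+)\.(\d+)\.(\d+)$/.exec(token))) {
    const [maj, min, pat] = m.slice(1).map(Number);
    // tilde: patch-level changes only
    return [['>=', [maj, min, pat]], ['<', [maj, min + 1, 0]]];
  }
  if ((m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(token))) {
    return [[m[1] || '=', parseVersion(m[2])]];
  }
  throw new Error(`unsupported range token: ${token}`);
}

// True when `version` satisfies `range`. "||" separates alternatives; within an
// alternative every space-separated comparator must hold.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).flatMap(comparators).every(([op, w]) => {
      const c = cmp(v, w);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
    }));
}

// One alert: the parent that declares the range, the version currently locked,
// and the first patched version. Refuses inconsistent input where the locked
// version is already outside the declared range (the lockfile would be stale).
function planFix({ parent, range, from, to }) {
  if (!satisfies(from, range)) {
    throw new Error(`${parent}: locked ${from} is outside declared range ${range}`);
  }
  return satisfies(to, range)
    ? { action: 'lockfile-re-resolution', note: `${to} satisfies ${range} declared by ${parent}` }
    : { action: 'resolutions-override', note: `${to} is outside ${range}; a resolutions entry is needed and ${parent} compatibility must be re-checked` };
}

// Constructed sample input. The `range` values are ASSUMED for illustration;
// the PR states only that the patched versions satisfy the declared ranges.
const SAMPLE_ALERTS = [
  { parent: '@semantic-release/github', pkg: 'undici', range: '^7.25.0', from: '7.25.0', to: '7.28.0' },
  { parent: '@actions/http-client', pkg: 'undici', range: '^6.25.0', from: '6.25.0', to: '6.27.0' },
  { parent: 'npm', pkg: 'tar', range: '^7.5.15', from: '7.5.15', to: '7.5.19' },
  // hypothetical case: the patch only exists in the next major, so re-resolution cannot reach it
  { parent: 'hypothetical-parent', pkg: 'undici', range: '^6.25.0', from: '6.25.0', to: '7.28.0' },
];

function planAll(alerts = SAMPLE_ALERTS) {
  return alerts.map(a => ({ pkg: a.pkg, ...planFix(a) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of planAll()) console.log(`${p.pkg}: ${p.action} (${p.note})`);
}
```

The first three sample alerts come out as lockfile re-resolutions, matching the PR's "no package.json change was needed"; the fourth shows the case that would have required a resolutions entry, which is exactly the situation the "Resolutions added" section is there to record.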

Re-resolve transitive dev dependencies in yarn.lock:
- undici 6.25.0 -> 6.27.0 (alerts 81-84)
- undici 7.25.0 -> 7.28.0 (alerts 74-80)
- tar 7.5.15 -> 7.5.19 (alert 73)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@nbouliol nbouliol force-pushed the security/2026-07-03 branch from a8e6090 to 204272a, July 3, 2026 12:19
@nbouliol nbouliol merged commit ed22a3c into main Jul 3, 2026
48 checks passed
@nbouliol nbouliol deleted the security/2026-07-03 branch July 3, 2026 12:24
@forest-bot forest-bot (Member) commented

🎉 This PR is included in version 1.35.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


3 participants