Fix security vulnerabilities (npm, rubygems)#265
Merged
Kristopher Johnson (kristopherjohnson) merged 2 commits intomainfrom Apr 17, 2026
- vite → 6.4.2 (CVE-2026-39363) in javascript-web/package-lock.json
- lodash → 4.18.1 (CVE-2026-4800) in javascript-tui/package-lock.json (via overrides)
- @xmldom/xmldom → 0.8.12 (CVE-2026-34601) in react-native/yarn.lock
- addressable → 2.9.0 (CVE-2026-35611) in react-native/Gemfile.lock

Resolves: SPO-470, SPO-471, SPO-388, SPO-495
Copilot started reviewing on behalf of
Kristopher Johnson (kristopherjohnson)
April 17, 2026 20:51
Pull request overview
Updates dependency lockfiles/manifests across the JS web app, JS TUI, and React Native projects to remediate reported high-severity vulnerabilities.
Changes:
- Bump vite in javascript-web to ^6.4.2 and refresh package-lock.json accordingly.
- Force lodash upgrade in javascript-tui via overrides, updating the resolved version in package-lock.json to 4.18.1.
- Upgrade @xmldom/xmldom in react-native/yarn.lock and addressable in react-native/Gemfile.lock.
Reviewed changes
Copilot reviewed 2 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| react-native/yarn.lock | Updates @xmldom/xmldom resolution to address the referenced CVE. |
| react-native/Gemfile.lock | Bumps addressable (and adjusts its public_suffix constraint) to remediate the advisory. |
| javascript-web/package.json | Updates vite version range to ^6.4.2. |
| javascript-web/package-lock.json | Updates the resolved vite version to 6.4.2 and refreshes related lock metadata. |
| javascript-tui/package.json | Adds a lodash override to force a patched transitive version. |
| javascript-tui/package-lock.json | Updates the resolved lodash package to 4.18.1. |
Files not reviewed (2)
- javascript-tui/package-lock.json: Language not supported
- javascript-web/package-lock.json: Language not supported
Alyssa Evans (alycda)
approved these changes
Apr 17, 2026
Matches the existing pattern for other overrides (tar, undici, flatted) and prevents drift to a future lodash release.
Merged commit 0602813 into main
11 checks passed
Summary
Patches 4 high-severity dependency vulnerabilities across javascript-web, javascript-tui, and react-native.

- javascript-web/package-lock.json
- javascript-tui/package-lock.json (added to overrides to reach transitive via ink; resolved to latest 4.18.1, above the 4.18.0 target)
- react-native/yarn.lock
- react-native/Gemfile.lock

Target versions are sourced from Linear/Dependabot and may not reflect the latest suitable release — lodash resolved to 4.18.1 (latest ≥ 4.18.0 target) through npm's override mechanism.

Test plan

- javascript-web builds (npm run build)
- javascript-tui builds (npm run build)
- react-native installs (yarn install)
- react-native pod install succeeds (bundle exec pod install)

Resolves: SPO-470, SPO-471, SPO-388, SPO-495
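The PR reaches lodash only through an npm override, and the test plan checks that the projects build, not that the lockfiles actually resolve the patched versions. The script below is an added example, not code from this PR or its repository: it walks a package-lock.json (lockfileVersion 2 or 3) and reports every installed copy of vite, lodash or @xmldom/xmldom that is still below the versions the PR names, including nested copies under another package's node_modules, which is exactly where a transitive dependency is left behind when an override does not take effect. The two sample lockfiles, the ink version, the pre-upgrade versions and the package name `sample-app` are constructed for illustration; the minimum versions are the PR's targets.

```python
"""Check that a package-lock.json resolves the packages patched in this PR
to at least the stated versions.

Added example, not code from the PR or its repository. The minimum versions
are the targets named in the PR; the sample lockfiles below are constructed.
"""
import json
import re
import sys

# Patched versions named in the PR (npm packages only; the addressable bump
# lives in Gemfile.lock and is outside the scope of package-lock.json).
MINIMUM_VERSIONS = {
    "vite": "6.4.2",
    "lodash": "4.18.1",
    "@xmldom/xmldom": "0.8.12",
}


def parse_version(version):
    """Turn '6.4.2' or '6.4.2-beta.1' into a tuple that orders like semver
    for the common case: a pre-release sorts below the matching release."""
    match = re.match(
        r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$",
        version,
    )
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def package_name(lock_path):
    """Recover the package name from a 'packages' key such as
    'node_modules/ink/node_modules/lodash' or 'node_modules/@xmldom/xmldom'.
    The root entry '' yields '' and is skipped by the caller."""
    return lock_path.split("node_modules/")[-1]


def check_lockfile(lock):
    """Return (path, name, resolved, minimum) for each installed copy that is
    below the required minimum. Nested copies are checked on purpose: an
    override that did not apply leaves the old copy under the dependant."""
    findings = []
    for lock_path, entry in lock.get("packages", {}).items():
        name = package_name(lock_path)
        if name not in MINIMUM_VERSIONS or "version" not in entry:
            continue
        minimum = MINIMUM_VERSIONS[name]
        if parse_version(entry["version"]) < parse_version(minimum):
            findings.append((lock_path, name, entry["version"], minimum))
    return findings


# Constructed lockfile resembling the state before the PR: lodash is only
# reachable through ink and sits at an older version, vite is one patch back.
SAMPLE_BEFORE = json.loads("""{
  "name": "sample-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "dependencies": {"ink": "^5.0.0"}},
    "node_modules/ink": {"version": "5.0.0"},
    "node_modules/ink/node_modules/lodash": {"version": "4.17.21"},
    "node_modules/vite": {"version": "6.4.1"}
  }
}""")

# Constructed lockfile after the override took effect: lodash is hoisted to
# 4.18.1 with no nested copy left, and vite is at the patched release.
SAMPLE_AFTER = json.loads("""{
  "name": "sample-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "dependencies": {"ink": "^5.0.0"}},
    "node_modules/ink": {"version": "5.0.0"},
    "node_modules/lodash": {"version": "4.18.1"},
    "node_modules/vite": {"version": "6.4.2"}
  }
}""")


if __name__ == "__main__":
    # Usage: python check_lock.py path/to/package-lock.json
    with open(sys.argv[1] if len(sys.argv) > 1 else "package-lock.json") as fh:
        problems = check_lockfile(json.load(fh))
    for lock_path, name, resolved, minimum in problems:
        print(f"{lock_path}: {name} {resolved} is below required {minimum}")
    sys.exit(1 if problems else 0)
```

Run against each project's package-lock.json as a CI step; a non-zero exit means a copy of one of the patched packages is still below target, which is the failure mode the build-only test plan would not catch. The yarn.lock and Gemfile.lock in react-native use different formats and need their own readers.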