chore(deps): upgrade runtime deps to clear all known security alerts #80
Merged
Resolves 13 of 14 open Dependabot alerts by upgrading the direct deps
that pull the vulnerable transitives, plus in-range transitive bumps.
Direct dependency bumps:
- @actions/cache ^4.0.3 -> ^5.0.5
  - drops @azure/ms-rest-js => removes vulnerable uuid 8.3.2
    (GHSA-w5hq-g745-h8pq, fixed only in 11.1.1)
  - uses @actions/http-client ^3.0.2 -> undici ^6.23 (6.27.0)
- @actions/core ^1.11.1 -> ^2.0.3
  - uses @actions/http-client ^3.0.2 -> undici 6.27.0
    => clears all undici alerts (GHSA-v9p9, -vrm6, -2mjp, -4992, -g9mf;
    < 6.24.0 had no 5.x patch)
- minio ^7.1.1 -> ^8.0.7
  - uses fast-xml-parser ^5.3.4 => removes the vulnerable fxp 4.5.4 copy
    (GHSA-gh4j needs >= 5.7.0, unreachable on the 4.x line)
  - minio 8 ships its own TS types, so @types/minio is removed
Chosen @actions/cache 5 (not 6) deliberately: v6 adds a restrictive
`exports` map exposing only ".", which breaks this action's required deep
imports of @actions/cache/lib/internal/{cacheUtils,tar,constants}. v5 has
no exports field, fixes the same uuid/undici alerts, and keeps those
imports resolvable (build + unit tests stay green).
In-range transitive bumps (re-resolved via yarn.lock):
- fast-xml-parser 5.5.3 -> 5.9.0 (GHSA-gh4j, -8gc5, -jp2q)
- brace-expansion 1.1.12 -> 1.1.15 (GHSA-f886-m6hf-6m8v)
- @babel/core 7.29.0 -> 7.29.7 (dev, GHSA-4x5r-pxfx-6jf8)
Dev tooling: jest ^29 -> ^30, @types/jest ^26 -> ^30, @vercel/ncc -> ^0.44.
Not fixable: js-yaml 3.14.2 (dev-only, medium GHSA-h67p-54hq-rp68).
Reached only through jest coverage tooling
(babel-plugin-istanbul -> @istanbuljs/load-nyc-config, which pins
js-yaml ^3.13.1); the advisory has no 3.x patch and load-nyc-config uses
the removed `safeLoad` API, so forcing js-yaml 4 would break coverage.
Never reachable at action runtime; not run in CI.
Verified locally: `tsc --noEmit` clean, `yarn build` succeeds, unit tests
pass (the one failing suite is the pre-existing p-retry ESM jest-config
issue present on main, unrelated to this change and not run in CI).
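The `exports` map point above (v6 exposing only ".", v5 having no `exports` field at all) can be checked mechanically. The following is an added example, not code from the PR, from @actions/cache or from Node: a reduced model of Node's `exports` subpath resolution that collapses conditional exports to their "default" branch and handles string shorthand, exact subpath keys and "*" patterns. The two manifests at the bottom are constructed from the PR's description and are not the real package.json files.

```javascript
// Added example (not code from the PR, @actions/cache or Node): a reduced model of
// Node's package.json "exports" resolution, to show why a package exposing only "."
// blocks deep imports such as @actions/cache/lib/internal/tar, while a package with
// no "exports" field leaves every file reachable. Conditional exports are collapsed
// to their "default" branch; the real algorithm (PACKAGE_EXPORTS_RESOLVE) does more.

// Resolve `subpath` ("." or "./lib/internal/tar") against an `exports` value.
// Returns the mapped target path, or null when the subpath is not exported.
function resolveExports(exportsField, subpath) {
  if (exportsField === undefined || exportsField === null) {
    // No "exports" field: Node falls back to plain file lookup, so any subpath
    // resolves (the @actions/cache 5 case described in the PR).
    return subpath === "." ? "./index.js" : `${subpath}.js`;
  }
  if (typeof exportsField === "string") {
    // `"exports": "./main.js"` is shorthand for `{ ".": "./main.js" }`.
    return subpath === "." ? exportsField : null;
  }
  // An object whose keys do not start with "." is a conditions object for ".".
  const isSubpathMap = Object.keys(exportsField).every((k) => k.startsWith("."));
  const map = isSubpathMap ? exportsField : { ".": exportsField };
  if (Object.prototype.hasOwnProperty.call(map, subpath)) return pickTarget(map[subpath]);
  // Pattern keys: "./lib/*" matches "./lib/internal/tar" with "*" = "internal/tar";
  // the longest matching prefix wins, as in Node.
  let best = null;
  for (const key of Object.keys(map)) {
    const star = key.indexOf("*");
    if (star === -1) continue;
    const prefix = key.slice(0, star), suffix = key.slice(star + 1);
    const fits = subpath.startsWith(prefix) && subpath.endsWith(suffix) &&
      subpath.length >= prefix.length + suffix.length;
    if (fits && (best === null || prefix.length > best.prefix.length)) {
      best = { prefix, target: pickTarget(map[key]),
               captured: subpath.slice(prefix.length, subpath.length - suffix.length) };
    }
  }
  if (best === null || best.target === null) return null;
  return best.target.split("*").join(best.captured);
}

// Collapse a conditional target ({ import, require, default }) to one path string.
// A null target means the package explicitly blocks that subpath.
function pickTarget(target) {
  if (target === null || target === undefined) return null;
  if (typeof target === "string") return target;
  if (typeof target !== "object") return null;
  if ("default" in target) return pickTarget(target.default);
  const first = Object.values(target)[0];
  return first === undefined ? null : pickTarget(first);
}

// The deep imports the PR says this action relies on.
const REQUIRED_DEEP_IMPORTS = [
  "./lib/internal/cacheUtils",
  "./lib/internal/tar",
  "./lib/internal/constants",
];

// Which of the required subpaths would fail to resolve under `exportsField`?
function unresolvableImports(exportsField, required = REQUIRED_DEEP_IMPORTS) {
  return required.filter((p) => resolveExports(exportsField, p) === null);
}

// Constructed manifests modelled on the PR's description, not the real package.json
// files: v5 has no "exports" field; v6 exposes only ".".
const CACHE_V5_MANIFEST = { name: "@actions/cache", version: "5.x", main: "lib/cache.js" };
const CACHE_V6_MANIFEST = { name: "@actions/cache", version: "6.x",
                            exports: { ".": "./lib/cache.js" } };

for (const m of [CACHE_V5_MANIFEST, CACHE_V6_MANIFEST]) {
  console.log(`${m.name}@${m.version}: blocked deep imports =`, unresolvableImports(m.exports));
}
```

Running it against the v6-style manifest reports all three `lib/internal/*` imports as blocked, while the v5-style manifest reports none; the same `unresolvableImports` call can be pointed at a freshly installed package's real `package.json` before a major bump to catch this class of break ahead of `yarn build`.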
Goal

Eliminate all known Dependabot security alerts (14 open across 6 packages).

Result: 13/14 alerts cleared

Verified by inspecting the regenerated `yarn.lock` — no vulnerable versions remain except one dev-only, unfixable case (see below).

Direct dependency upgrades (these pull in the fixes)

- @actions/cache: @azure/ms-rest-js → removes uuid 8.3.2 (GHSA-w5hq-g745-h8pq); brings http-client@3 → undici 6.27
- @actions/core: http-client@3 → undici 6.27 (all 5 undici GHSAs; < 6.24.0 had no 5.x patch)
- minio: fast-xml-parser@5 → removes the vulnerable fxp 4.5.4 copy; minio 8 ships its own types so @types/minio is dropped

Why

@actions/cache 5 and not 6: v6 adds a restrictive `exports` map exposing only ".", which breaks this action's required deep imports of @actions/cache/lib/internal/{cacheUtils,tar,constants} (jest's resolver rejects them; the bundle only works by accident). v5 has no `exports` field, fixes the same uuid/undici alerts, and keeps the internal imports resolvable.

In-range transitive bumps (re-resolved in `yarn.lock`)

- fast-xml-parser 5.5.3 → 5.9.0 (GHSA-gh4j / -8gc5 / -jp2q)
- brace-expansion 1.1.12 → 1.1.15 (GHSA-f886-m6hf-6m8v)
- @babel/core 7.29.0 → 7.29.7 (dev, low — GHSA-4x5r-pxfx-6jf8)

Dev tooling

jest ^29 → ^30, @types/jest ^26 → ^30, @vercel/ncc → ^0.44.

The one residual (cannot fix):

js-yaml 3.14.2 — medium, dev-only, GHSA-h67p-54hq-rp68 (quadratic DoS in merge keys). Reached only through jest coverage tooling (babel-plugin-istanbul → @istanbuljs/load-nyc-config, which pins js-yaml ^3.13.1). The advisory has no 3.x patch, and load-nyc-config calls the `safeLoad` API removed in js-yaml 4, so a forced override would break coverage. Never reachable at action runtime; not executed in CI. Recommend dismissing this alert as "vulnerable code not in execution path."

Verification (local)

- `tsc --noEmit` — clean (no type breakage from minio 8 / cache 5 / core 2, or from removing @types/minio)
- `yarn build` (tsc + ncc) — succeeds
- p-retry ESM jest-config failure that also fails on main (unrelated; jest isn't part of CI)
- `dist/` intentionally not committed — `build.yaml` regenerates and commits it on merge, and the test workflows rebuild it fresh (repo convention).

Risk

minio 7→8 is a breaking major. Code typechecks and builds against it, but only the secret-gated S3 integration tests (which run on main post-merge) fully exercise real S3 behavior. Flagging for review before merge.
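The "verified by inspecting the regenerated yarn.lock" step in this PR, and the "13/14 cleared" tally, can be reproduced as a script rather than by eye. What follows is an added example, not code from the PR or the project: a small yarn v1 lockfile parser plus a version-threshold audit, run over two constructed lockfile fragments. The version numbers in the fragments follow the PR text; the range specifiers, the `registry.example.invalid` URL and the js-yaml threshold (4.0.0) are assumptions, the last one labelled in the code because the PR only says the 3.x line has no patch.

```javascript
// Added example (not code from the PR or the project): a small audit over a yarn v1
// lockfile that lists each package's resolved versions and flags any below a known
// patched version. This is the check "inspecting the regenerated yarn.lock" implies.

// Constructed yarn.lock fragment in the v1 format (not the project's real file). The
// versions match the numbers given in the PR; resolved/integrity lines are omitted
// on most entries for brevity and are ignored by the parser anyway.
const LOCK_AFTER = `# yarn lockfile v1

"@actions/cache@^5.0.5":
  version "5.0.5"
  resolved "https://registry.example.invalid/@actions/cache/-/cache-5.0.5.tgz"
  dependencies:
    "@actions/core" "^2.0.3"
    "@actions/http-client" "^3.0.2"

undici@^6.23.0:
  version "6.27.0"

fast-xml-parser@^5.3.4:
  version "5.9.0"

brace-expansion@^1.1.7, brace-expansion@^1.1.12:
  version "1.1.15"

js-yaml@^3.13.1:
  version "3.14.2"
`;

// Constructed "before" fragment carrying the transitive versions the PR removed.
const LOCK_BEFORE = `# yarn lockfile v1

uuid@^8.3.0:
  version "8.3.2"

fast-xml-parser@^4.4.1:
  version "4.5.4"

js-yaml@^3.13.1:
  version "3.14.2"
`;

// Parse a yarn v1 lockfile into Map<packageName, Set<resolvedVersion>>.
function parseYarnLock(text) {
  const versions = new Map();
  let names = null; // package names of the entry currently being read
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Entry header: comma-separated specifiers like `"@scope/pkg@^1.2.0", pkg@^1.3.0:`
      names = line.replace(/:\s*$/, "").split(",").map((spec) => {
        const s = spec.trim().replace(/^"|"$/g, "");
        return s.slice(0, s.lastIndexOf("@")); // last "@" separates name from range
      });
      continue;
    }
    const m = line.match(/^  version "([^"]+)"$/);
    if (m && names) {
      for (const n of names) {
        if (!versions.has(n)) versions.set(n, new Set());
        versions.get(n).add(m[1]);
      }
    }
  }
  return versions;
}

// Numeric compare of "x.y.z" strings (prerelease tags dropped). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Minimum patched versions. Thresholds for uuid, undici and fast-xml-parser are the
// ones stated in the PR; js-yaml's is an ASSUMED placeholder (the PR only says the
// 3.x line has no patch), so that finding illustrates the unfixable dev-only case.
const PATCHED = [
  { name: "uuid", fixed: "11.1.1", advisory: "GHSA-w5hq-g745-h8pq" },
  { name: "undici", fixed: "6.24.0", advisory: "undici advisories listed in the PR" },
  { name: "fast-xml-parser", fixed: "5.7.0", advisory: "fast-xml-parser advisories listed in the PR" },
  { name: "js-yaml", fixed: "4.0.0", advisory: "GHSA-h67p-54hq-rp68 (threshold assumed)" },
];

// Return one finding per resolved version below its patched threshold. Packages that
// are absent from the lockfile (e.g. uuid after the upgrade) produce no finding.
function auditLock(lockText, thresholds = PATCHED) {
  const resolved = parseYarnLock(lockText);
  const findings = [];
  for (const t of thresholds) {
    for (const v of resolved.get(t.name) || []) {
      if (compareVersions(v, t.fixed) < 0) findings.push({ ...t, version: v });
    }
  }
  return findings;
}

for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  console.log(label, auditLock(lock).map((f) => `${f.name}@${f.version} < ${f.fixed}`));
}
```

The "after" run reports only js-yaml, matching the one residual the PR describes, and the "before" run reports uuid, fast-xml-parser and js-yaml. Because the parser records every resolved version per name, a second copy of a package that Dependabot would still flag (such as a lingering fxp 4.x alongside 5.x) shows up as its own finding instead of being hidden behind the newest version.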