Skip to content

fix(security): bump undici to 7.28.0 and js-yaml to 3.15.0 (Dependabot alerts)#139

Merged
rsaz merged 2 commits into
mainfrom
fix/dependabot-security
Jul 17, 2026
Merged

fix(security): bump undici to 7.28.0 and js-yaml to 3.15.0 (Dependabot alerts)#139
rsaz merged 2 commits into
mainfrom
fix/dependabot-security

Conversation

@rsaz

@rsaz rsaz commented Jul 16, 2026

Copy link
Copy Markdown
Member

Summary

  • Regenerates package-lock.json to patch two transitive dependencies:
    • undici 7.24.5 -> 7.28.0 (via release-it) - clears 2 high + moderate/low undici GHSA advisories.
    • js-yaml 3.14.2 -> 3.15.0 (nested via @istanbuljs/load-nyc-config) - clears the moderate quadratic-complexity DoS advisory (GHSA-h67p-54hq-rp68).
  • npm audit now reports 0 vulnerabilities.

Changes

  • package-lock.json only (no manifest / no runtime dependency changes).

Test plan

  • npm run build passes
  • npm test passes (52 suites, 522 tests)
  • npm audit reports 0 vulnerabilities
  • CI green on PR (clean npm ci install against updated lockfile)

… Dependabot alerts

Regenerates package-lock.json so transitive undici (via release-it)
moves 7.24.5 -> 7.28.0 and the nested js-yaml (via @istanbuljs/load-nyc-config)
moves 3.14.2 -> 3.15.0. Clears open Dependabot alerts (2 high undici,
1 moderate js-yaml). npm audit now reports 0 vulnerabilities. Build and
full test suite (52 suites, 522 tests) pass.
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.29%. Comparing base (35c3388) to head (f236da6).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #139   +/-   ##
=======================================
  Coverage   79.29%   79.29%           
=======================================
  Files          45       45           
  Lines        3704     3704           
  Branches     1118     1059   -59     
=======================================
  Hits         2937     2937           
  Misses        758      758           
  Partials        9        9           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

The prior lockfile was regenerated with npm 11, leaving it out of sync
for npm 10 (used in CI via Node 20.18.0) and breaking `npm ci`.
Regenerated with npm 10; undici stays 7.28.0, js-yaml 3.15.0, and
npm audit reports 0 vulnerabilities.
@rsaz
rsaz merged commit f236da6 into main Jul 17, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant