Bump vulnerable dependencies: ws, express, fast-xml-parser, ajv #3745
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates minimum dependency versions to address Dependabot security alerts, with a focus on ws, express, fast-xml-parser, and ajv.
Changes:
- Bumped ws in @wp-playground/mcp to ^8.21.0
- Bumped root dependencies: express to 4.22.2, fast-xml-parser to ^5.8.0, ajv to 8.18.0
- Added ws to root dependencies
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/playground/mcp/package.json | Updates ws dependency range to a patched version. |
| package.json | Bumps vulnerable deps and adds ws at the root level. |
@wojtekn @mho22 this PR breaks releases of npm packages as follows: The description lists fixed issues, but they're not actually fixed by this PR. Also:
What are other consequences of overriding this pin?
@adamziel, my bad, I messed up the Dependabot links. Those were Studio numbers:
Thanks for fixing the issue caused by the
In theory, those could cause unexpected behavior, but in practice,
Fixes Dependabot alerts by bumping the minimum required versions:
| Location | Package | Before | After |
|---|---|---|---|
| @wp-playground/mcp | ws | ^8.18.0 | ^8.21.0 |
| root package.json | express | 4.22.0 | 4.22.2 |
| root package.json | fast-xml-parser | ^5.5.1 | ^5.8.0 |
| root package.json | ajv | 8.12.0 | 8.18.0 |

ws is added to the overrides section (not dependencies) in the root package.json to force ^8.21.0 across all transitive consumers. This is necessary because @module-federation/dts-plugin and webpack-dev-server pin ws to exactly 8.18.0, which would otherwise win as the hoisted version despite @wp-playground/mcp requesting ^8.21.0.
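The description above relies on an npm `overrides` entry to make sure no transitive consumer keeps the pinned, vulnerable ws. The script below is an added example (not part of this PR or the wp-playground repository) of the kind of lockfile check a CI job can run to catch that situation: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, finds every resolved copy of a named package (hoisted or nested), and reports copies that fall outside the required range. The lockfile objects, the `^`/exact range matcher, and the `withOverride` helper are all constructed here for illustration; they are not the project's own files or API.

```javascript
// Added example: audit every resolved copy of a package in an npm lockfile
// against a required range. Constructed sample data, not the project's own.

// Minimal semver parsing: "x.y.z" -> [x, y, z]; prerelease/build tags ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports the two range shapes that appear in this PR: exact "x.y.z" and
// caret "^x.y.z" (caret = same major for >=1.0.0, same minor for 0.x, etc.).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const lo = parseVersion(range.slice(1));
    if (compare(v, lo) < 0) return false;
    if (lo[0] > 0) return v[0] === lo[0];
    if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
    return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
  }
  return compare(v, parseVersion(range)) === 0;
}

// Lockfile "packages" keys look like "node_modules/ws" (hoisted) or
// "node_modules/<consumer>/node_modules/ws" (nested). Return every copy of
// `name` whose resolved version does not satisfy `range`.
function findViolations(lock, name, range) {
  const violations = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue; // "" is the root project entry
    const last = path.split("node_modules/").pop();
    if (last !== name) continue;
    if (!satisfies(meta.version, range)) violations.push({ path, version: meta.version });
  }
  return violations;
}

// Shape of the fix described in the PR: an "overrides" entry in the root
// package.json (hypothetical helper; returns a new object, does not mutate).
function withOverride(pkgJson, name, range) {
  return { ...pkgJson, overrides: { ...(pkgJson.overrides || {}), [name]: range } };
}

// Constructed lockfile: the exact 8.18.0 pin from a dev-server-style
// dependency won the hoisted slot; the ^8.21.0 consumer got a nested copy.
const LOCK_BEFORE_OVERRIDE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-root" },
    "node_modules/ws": { version: "8.18.0" },
    "node_modules/@wp-playground/mcp/node_modules/ws": { version: "8.21.0" },
  },
};

// Constructed lockfile after an override collapses everything onto one copy.
const LOCK_AFTER_OVERRIDE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-root" },
    "node_modules/ws": { version: "8.21.0" },
  },
};

// Stand-alone report: non-zero exit mirrors what a CI gate would do.
function report(lock, name, range) {
  const bad = findViolations(lock, name, range);
  for (const b of bad) console.log(`FAIL ${b.path} resolved ${b.version}, need ${range}`);
  if (bad.length === 0) console.log(`OK all copies of ${name} satisfy ${range}`);
  return bad.length === 0;
}

report(LOCK_BEFORE_OVERRIDE, "ws", "^8.21.0");
report(LOCK_AFTER_OVERRIDE, "ws", "^8.21.0");
```

Run against a real lockfile by replacing the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested-copy case is the one that `npm ls ws` output is easy to misread, since the hoisted 8.18.0 is what most consumers actually load.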