chore: resolve open dependabot security alerts#421
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Code Review
This pull request updates several dependencies, including upgrading serialize-javascript to version 7.0.5 and @tootallnate/once to version 3.0.1, while adding minimatch and removing randombytes. Feedback highlights that the serialize-javascript upgrade introduces a breaking requirement for Node.js 20.0.0, which may impact environments on older LTS versions. Additionally, it is recommended to use caret ranges instead of the >= operator in the dependency overrides to ensure stability and prevent unintended major version upgrades.
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds npm overrides to mitigate several Dependabot security alerts by forcing patched versions of vulnerable transitive dependencies.
Changes:
- Added overrides for serialize-javascript, @tootallnate/once, fast-uri, and @babel/plugin-transform-modules-systemjs.
- Kept existing test-exclude override (with minimatch) and extended the override list.
- Bump @opentelemetry/sdk-node to ^0.217.0 (alert #165, high)
- Bump @opentelemetry/auto-instrumentations-node to ^0.75.0 (alert #164, high)
- Bump related @opentelemetry/* packages to OTel 2.x for compatibility
- Update scripts/tracing.js to use Resource API from OTel 2.x
- Add webpack-dev-server ^5.2.4 override (alerts #69, #70, #166, medium)
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
- Remove fast-uri override (ajv ^3.0.1 range already covers patched 3.1.2)
- Remove @babel/plugin-transform-modules-systemjs override (@babel/preset-env ^7.29.0 already covers patched 7.29.4)
- Downgrade @tootallnate/once override from ^3.0.1 to ^2.0.1 (http-proxy-agent requires major-2; patched 2.0.1 is in range)
- Remove protobufjs override; update @opentelemetry packages to 0.218.0 which drops the protobufjs dependency entirely
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Summary
Adds and updates overrides in package.json to require at least the patched version of transitive dependencies (within the current major) for all open Dependabot security alerts. The alerts will auto-close once Dependabot re-scans against the resolved lockfile.
Dependabot Alerts Resolved
- serialize-javascript ^7.0.5 (RCE via RegExp/Date)
- serialize-javascript ^7.0.5 (CPU exhaustion DoS)
- @tootallnate/once ^3.0.1
- fast-uri ^3.1.2 (path traversal)
- fast-uri ^3.1.2 (host confusion)
- @babel/plugin-transform-modules-systemjs ^7.29.4
- @opentelemetry/auto-instrumentations-node 0.75.0
- @opentelemetry/sdk-node 0.217.0
- protobufjs ^7.5.8 (lockfile resolves to 7.6.0)
- uuid ^11.1.1 (buffer bounds check fix)
- qs ^6.15.2 (DoS via comma-format arrays)
- webpack-dev-server ^5.2.4
Notes
npm install requires --legacy-peer-deps due to a pre-existing @nestjs/schematics/prettier peer dependency conflict that is unrelated to this change.
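The description relies on the resolved lockfile actually carrying the patched versions, and the review asks for caret ranges rather than `>=`. The following script, added here and not part of the PR, walks a package-lock.json v2/v3 `packages` map and reports every copy of an overridden package (nested copies included) whose version falls outside its override; the override values are the ones stated in the PR description, the lockfile map is constructed, and only the `^x.y.z` and `>=x.y.z` forms are handled.

```javascript
// Added example, not code from the PR: check that every copy of an overridden
// package in a package-lock.json "packages" map satisfies its override range.

// Override ranges as stated in the PR description.
const OVERRIDES = {
  "serialize-javascript": "^7.0.5",
  "@tootallnate/once": "^2.0.1",
  "qs": "^6.15.2",
  "webpack-dev-server": "^5.2.4",
};

// Constructed lockfile "packages" map; the nested serialize-javascript copy is
// deliberately left below the override so the check has something to report.
const LOCK_PACKAGES = {
  "node_modules/serialize-javascript": { version: "7.0.5" },
  "node_modules/mocha/node_modules/serialize-javascript": { version: "6.0.2" },
  "node_modules/@tootallnate/once": { version: "2.0.1" },
  "node_modules/qs": { version: "6.15.2" },
  "node_modules/webpack-dev-server": { version: "5.2.4" },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// "^" pins the major (the minor for 0.x releases); ">=" also admits the next
// major, which is the unintended upgrade the review warns about.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith("^")) {
    const base = parseVersion(range.slice(1));
    if (compare(v, base) < 0) return false;
    return base[0] === 0 ? v[0] === 0 && v[1] === base[1] : v[0] === base[0];
  }
  if (range.startsWith(">=")) return compare(v, parseVersion(range.slice(2))) >= 0;
  throw new Error(`unsupported range: ${range}`);
}

// The package name is whatever follows the last "node_modules/" (13 chars) in
// the path; returns every entry whose resolved version violates its override.
function findUnpatched(overrides, packages) {
  return Object.entries(packages)
    .map(([path, { version }]) => ({ path, name: path.slice(path.lastIndexOf("node_modules/") + 13), version }))
    .filter((e) => overrides[e.name] && !satisfies(e.version, overrides[e.name]))
    .map((e) => ({ ...e, range: overrides[e.name] }));
}
```

To run it against a real checkout, replace the two constants with `require("./package.json").overrides` and `require("./package-lock.json").packages`.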