Skip to content

fix: update yarn resolutions to patch open Dependabot alerts#968

Merged
jonathannorris merged 1 commit intomainfrom
fix-dependabot-alerts
Mar 31, 2026
Merged

fix: update yarn resolutions to patch open Dependabot alerts#968
jonathannorris merged 1 commit intomainfrom
fix-dependabot-alerts

Conversation

@jonathannorris
Copy link
Copy Markdown
Member

@jonathannorris jonathannorris commented Mar 31, 2026

Summary

  • Adds resolutions entries in package.json to force patched versions of all 10 open Dependabot alerts
  • Regenerates yarn.lock with the fixed versions

Packages updated:

Package From To Severity
path-to-regexp 0.1.12 0.1.13 High
serialize-javascript 7.0.3 7.0.5 Medium
brace-expansion (1.x) 1.1.12 1.1.13 Medium
brace-expansion (2.x) 2.0.2 2.0.3 Medium
yaml (1.x) 1.10.2 1.10.3 Medium
yaml (2.x) 2.8.1 2.8.3 Medium
picomatch (2.x) 2.3.1 2.3.2 High/Medium
picomatch (4.x) 4.0.3 4.0.4 High/Medium

Copilot AI review requested due to automatic review settings March 31, 2026 19:31
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages bot commented Mar 31, 2026

Deploying devcycle-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 6c01230
Status: ✅  Deploy successful!
Preview URL: https://9f29b5c0.devcycle-docs.pages.dev
Branch Preview URL: https://fix-dependabot-alerts.devcycle-docs.pages.dev

View logs

Copilot AI reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to address Dependabot security alerts in the docs site by forcing patched transitive dependency versions via Yarn resolutions, and then regenerating the lockfile to reflect those overrides.

Changes:

  • Add/update package.json resolutions to pin patched versions for several vulnerable transitive dependencies.
  • Regenerate yarn.lock to apply the new resolution results.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
package.json Adds new resolutions overrides (and bumps serialize-javascript) to force patched versions.
yarn.lock Updated lockfile entries reflecting the new resolution/pinning outcomes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

package.json
"ajv@^8.0.0": "8.18.0",
"fast-xml-parser": "^5.5.7"
"fast-xml-parser": "^5.5.7",
"path-to-regexp": "0.1.13",
Copy link

Copilot AI Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The resolutions entry for path-to-regexp is currently global (no range selector), which forces all consumers onto 0.1.13. In this lockfile, react-router@5.3.4 requests path-to-regexp@^1.7.0 and serve-handler@6.1.7 requests path-to-regexp@3.3.0; pinning both to 0.1.x is very likely to be a breaking change at runtime. Please scope this resolution to only the vulnerable 0.1.12 line (e.g., match ~0.1.12) so that 1.x/3.x consumers keep their compatible major versions.

Suggested change
"path-to-regexp": "0.1.13",
"path-to-regexp@~0.1.12": "0.1.13",

Copilot uses AI. Check for mistakes.
@jonathannorris jonathannorris merged commit 29c19a6 into main Mar 31, 2026
9 checks passed
@jonathannorris jonathannorris deleted the fix-dependabot-alerts branch March 31, 2026 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@suthar26 suthar26 suthar26 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jonathannorris @suthar26