Fix dependency security vulnerabilities#2306
Conversation
Pull request overview
Updates JavaScript dependencies to address reported security vulnerabilities (OPS-4380) by bumping several direct deps, removing the npm package dependency, and enforcing patched versions of select transitive packages via npm overrides.
Changes:
- Bumped direct dependencies: `uuid`, `@playwright/test` (and `playwright`), and `postcss-url`.
- Removed the `npm` package dependency from `package.json`/`package-lock.json`.
- Added npm `overrides` to force patched transitive versions (`js-cookie`, `ws`) and align transitive `axios`/`uuid` with root versions.
Reviewed changes
Copilot reviewed 1 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Removes npm, bumps direct deps, and adds overrides for vulnerable transitive packages. |
| package-lock.json | Regenerates lockfile to reflect removed npm, upgraded direct deps, and applied override resolutions. |
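The review above describes the mechanism this PR relies on: an `overrides` block in `package.json` forces every resolved copy of a transitive package onto a patched version, and the regenerated `package-lock.json` is where that resolution actually shows up. The script below is an added example, not code from this PR or the project, that checks the lockfile against the overrides so a stale or silently ignored override is caught in CI rather than noticed later. The `OVERRIDES` and `LOCKFILE` constants are constructed samples (only the `js-cookie` pin `3.0.7` comes from the PR; the `ws` and `react-use` versions are made up), and only flat overrides of the form `{ "name": "version" }` are handled, not nested per-parent overrides.

```javascript
// Added example, not code from the PR or the project: check that every copy of
// an overridden package resolved in package-lock.json matches the version pinned
// in package.json "overrides". Only flat overrides ({ "js-cookie": "3.0.7" })
// are handled; nested per-parent overrides are out of scope here.

// Constructed "overrides" block; the "ws" version is a made-up sample value.
const OVERRIDES = {
  "js-cookie": "3.0.7",
  "ws": "8.18.0",
};

// Constructed, trimmed package-lock.json in the lockfileVersion 3 shape:
// the "packages" map is keyed by install path, and a nested copy of a
// dependency lives under "<parent>/node_modules/<name>".
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react-use": { version: "17.5.0" },
    "node_modules/react-use/node_modules/js-cookie": { version: "3.0.7" },
    "node_modules/js-cookie": { version: "3.0.7" },
    "node_modules/ws": { version: "8.17.0" }, // stale: the override did not take effect
    "node_modules/@rollup/wasm-node": { version: "4.0.0" },
  },
};

// The package name is everything after the last "node_modules/" segment,
// which also works for scoped names such as "@rollup/wasm-node".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one record per resolved copy whose version differs from its override.
function findOverrideViolations(lockfile, overrides) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name === null || !Object.hasOwn(overrides, name)) continue;
    const wanted = overrides[name];
    if (entry.version !== wanted) {
      violations.push({ path: lockPath, name, found: entry.version, wanted });
    }
  }
  return violations;
}

// Overrides that match nothing in the lockfile are usually leftovers from a
// dependency that has since been removed or upgraded; report them so they
// can be cleaned up instead of being carried forward indefinitely.
function findUnusedOverrides(lockfile, overrides) {
  const seen = new Set();
  for (const lockPath of Object.keys(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name !== null) seen.add(name);
  }
  return Object.keys(overrides).filter((name) => !seen.has(name));
}

// Prints a line per problem and returns both lists for programmatic use.
function report(lockfile, overrides) {
  const violations = findOverrideViolations(lockfile, overrides);
  const unused = findUnusedOverrides(lockfile, overrides);
  for (const v of violations) {
    console.log(`MISMATCH ${v.path}: found ${v.found}, override says ${v.wanted}`);
  }
  for (const name of unused) console.log(`UNUSED override: ${name}`);
  return { violations, unused };
}

report(LOCKFILE, OVERRIDES);
```

To run it against a real checkout, replace the two constants with `JSON.parse(fs.readFileSync("package-lock.json"))` and the `overrides` field of the parsed `package.json`, and fail the CI step when `violations` is non-empty. Because npm overrides apply to every copy of the package regardless of which hook or code path imports it, this check stays meaningful even when, as the reply below notes for `js-cookie`, the application never exercises the affected code.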
| "rollup": "npm:@rollup/wasm-node" | ||
| } | ||
| }, | ||
| "js-cookie": "3.0.7", |
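Review bot: the `"js-cookie": "3.0.7"` override is an exact pin with nothing in the file tying it to OPS-4380 or to the dependency that pulls `js-cookie` in, so there is no signal for when it can be dropped. Since a `package.json` `overrides` entry cannot carry a JSON comment, record in the PR description (or a short README note) which transitive dependency each override exists for; also keep in mind that an exact pin will not pick up later patch releases of `js-cookie` without another manual bump.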
Our codebase never uses useCookie from react-use. It only imports:
- useEffectOnce
- useDeepCompareEffect
- usePrevious
- useMeasure
- useUpdateEffect
None of these touch js-cookie. The js-cookie dependency in react-use is only used by its useCookie hook, which we don't import.
| "node-cron": "3.0.3", | ||
| "node-emoji": "2.2.0", | ||
| "nodemailer": "8.0.5", | ||
| "npm": "10.9.8", | ||
| "nx-cloud": "19.1.3", |
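Review bot: with `"npm": "10.9.8"` removed from the dependencies, the project no longer pins which npm runs its installs and scripts. Before merging, confirm that no `package.json` script or CI step invokes the project-local `node_modules/.bin/npm`, and that the npm shipped with the CI Node version regenerates the same `package-lock.json` (including the new `overrides` resolutions) as the one committed here.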
I will handle it in another PR



Fixes OPS-4380
Direct dependency updates:
Removed unnecessary dependency:
Added npm overrides for transitive vulnerabilities: