Update dependencies to fix Dependabot security alerts #9

Open
afreakk wants to merge 1 commit into wxt-and-manifest-v3 from fix/dependabot-security-alerts

@afreakk afreakk commented Mar 4, 2026

Summary

  • Bump wxt 0.20.13 → 0.20.18, @biomejs/biome 2.4.2 → 2.4.5, @types/chrome 0.1.33 → 0.1.37
  • Re-resolved lockfile pulls in patched versions of all vulnerable transitive dependencies
  • Resolves all 17 open Dependabot alerts: minimatch ReDoS (×5), rollup path traversal, tar file overwrite (×3), node-forge ASN.1 (×3), cross-spawn ReDoS, lodash prototype pollution, @babel/runtime ReDoS, @isaacs/brace-expansion resource consumption, brace-expansion ReDoS
  • No overrides or forced resolutions — just clean dependency updates

Test plan

  • pnpm audit reports zero vulnerabilities
  • pnpm build succeeds
  • tsc --noEmit passes (no new type errors)
  • biome check shows only pre-existing warnings

🤖 Generated with Claude Code

Bump wxt (0.20.13 → 0.20.18), @biomejs/biome (2.4.2 → 2.4.5),
and @types/chrome (0.1.33 → 0.1.37). Re-resolved lockfile pulls in
patched transitive deps fixing all 17 open alerts (minimatch ReDoS,
rollup path traversal, tar file overwrite, node-forge ASN.1,
cross-spawn ReDoS, lodash prototype pollution, etc).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>