Skip to content

fix(security): bump vulnerable dependencies to patched versions#568

Open
laileni-aws wants to merge 1 commit into
aws:mainfrom
laileni-aws:fix/dependabot-security-alerts
Open

fix(security): bump vulnerable dependencies to patched versions#568
laileni-aws wants to merge 1 commit into
aws:mainfrom
laileni-aws:fix/dependabot-security-alerts

Conversation

@laileni-aws

Copy link
Copy Markdown
Contributor

Summary

Resolves open Dependabot security alerts across the npm and Maven manifests by bumping vulnerable dependencies to their patched versions. This is a combined dependency-only security fix off main.

npm (plugin/webview)

Direct deps (package.json):

Transitive deps pinned via overrides and regenerated package-lock.json:

Maven

Verification

  • npm run webpack build passes with the upgraded dependencies (webpack 5.108.4).
  • Resolved lockfile versions confirmed for every bumped package.
  • Both POMs are XML well-formed; target versions confirmed present on Maven Central. Dependabot independently proposed nimbus-jose-jwt 10.0.2, corroborating compatibility.
  • Note: a full Maven/Tycho build was not run in this environment (no local Maven + Eclipse p2 target platform). CI is expected to validate the Maven modules.

Notes

  • The remaining npm audit moderates (ajv, brace-expansion, micromatch) correspond to alerts Dependabot auto-dismissed (not open), so they are intentionally out of scope.

Opened as a draft for review.

Resolve open Dependabot alerts across npm and maven manifests.

npm (plugin/webview):
- uuid ^8.3.2 -> ^11.1.1 (alert 42)
- webpack ^5.61.0 -> ^5.104.1; resolves to 5.108.4 (alerts 19, 20)
- overrides for transitive deps:
  - js-yaml ^4.2.0 (alerts 13, 49)
  - serialize-javascript ^7.0.5 (alerts 28, 41)
  - postcss ^8.5.10 (alert 38)
  - picomatch ^2.3.2 (alert 35)
  - flatted ^3.4.2 (alert 32)
  - immutable ^4.3.8 (alert 30)
  - minimatch 3.1.4 (alert 26)
  - diff ^4.0.4 (alert 17)

maven:
- telemetry: jackson-databind 2.17.1 -> 2.18.9 (alerts 45, 46, 47, 48)
- plugin: nimbus-jose-jwt 9.41.2 -> 10.0.2 (alert 11)

Verified: webview webpack build passes; package-lock resolved versions
confirmed; pom XML well-formed and target versions present on Maven Central.
@laileni-aws
laileni-aws marked this pull request as ready for review July 16, 2026 17:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants