fix(security): bump vulnerable dependencies to patched versions#568
Open
laileni-aws wants to merge 1 commit into
Open
fix(security): bump vulnerable dependencies to patched versions#568laileni-aws wants to merge 1 commit into
laileni-aws wants to merge 1 commit into
Conversation
Resolve open Dependabot alerts across npm and maven manifests. npm (plugin/webview): - uuid ^8.3.2 -> ^11.1.1 (alert 42) - webpack ^5.61.0 -> ^5.104.1; resolves to 5.108.4 (alerts 19, 20) - overrides for transitive deps: - js-yaml ^4.2.0 (alerts 13, 49) - serialize-javascript ^7.0.5 (alerts 28, 41) - postcss ^8.5.10 (alert 38) - picomatch ^2.3.2 (alert 35) - flatted ^3.4.2 (alert 32) - immutable ^4.3.8 (alert 30) - minimatch 3.1.4 (alert 26) - diff ^4.0.4 (alert 17) maven: - telemetry: jackson-databind 2.17.1 -> 2.18.9 (alerts 45, 46, 47, 48) - plugin: nimbus-jose-jwt 9.41.2 -> 10.0.2 (alert 11) Verified: webview webpack build passes; package-lock resolved versions confirmed; pom XML well-formed and target versions present on Maven Central.
laileni-aws
marked this pull request as ready for review
July 16, 2026 17:12
chungjac
approved these changes
Jul 16, 2026
kmmcclai
approved these changes
Jul 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves open Dependabot security alerts across the npm and Maven manifests by bumping vulnerable dependencies to their patched versions. This is a combined dependency-only security fix off
main.npm (
plugin/webview)Direct deps (
package.json):uuid^8.3.2→^11.1.1(alert Account for Windows and MSFT Edge limitations when loading WebViews #42) — not referenced in sourcewebpack^5.61.0→^5.104.1(resolves to 5.108.4; alerts Display chat default message and prompt #19, Adds step to upload and download build artifacts #20)Transitive deps pinned via
overridesand regeneratedpackage-lock.json:js-yaml→ 4.3.0 (alerts Toggle suggestions #13, Deserialization support for AWS LSP extended InitializeResult #49)serialize-javascript→ 7.0.7 (alerts Render Chat response in the webview #28, Adds line param to unsetVerticalIndent #41)postcss→ 8.5.19 (alert Implement telemetry types generator #38)picomatch→ 2.3.2 (alert Make command handling in Q chat webview async #35)flatted→ 3.4.2 (alert Fix to allow only one radio button to be selected #32)immutable→ 4.3.9 (alert Use project local Node and NPM for build #30)minimatch→ 3.1.4 (alert Send chat prompt message to lsp #26)diff→ 4.0.4 (alert Update CI Maven action #17)Maven
telemetry/pom.xml:jackson-databind2.17.1 → 2.18.9 (alerts Update dependency manifest #45, Fix Chat webview rendering #46, Remove duplicate JavaPoet dependency #47, Trigger customization notifications on ide, stacking multiple notifications vertically and refactor/add support for more methods in PluginStore #48)plugin/pom.xml:nimbus-jose-jwt9.41.2 → 10.0.2 (alert Refactored to add AmazonQView parent class containing common setup #11)Verification
npm run webpackbuild passes with the upgraded dependencies (webpack 5.108.4).nimbus-jose-jwt10.0.2, corroborating compatibility.Notes
npm auditmoderates (ajv, brace-expansion, micromatch) correspond to alerts Dependabot auto-dismissed (not open), so they are intentionally out of scope.Opened as a draft for review.