fix: remediate high & critical Dependabot vulnerabilities #163
- Upgrade axios from ^1.12.0 to ^1.17.0 (fixes SSRF, prototype pollution, credential leak, ReDoS)
- Upgrade lodash from ^4.17.23 to ^4.18.0 (fixes code injection via _.template)
- Upgrade mocha from 10.2.0 to 10.8.2 (fixes transitive minimatch/serialize-javascript vulns)
- Add yarn resolutions for transitive dependencies: braces, picomatch, fast-uri, flatted, handlebars, serialize-javascript, @xmldom/xmldom, form-data
- Update lockfile minimatch entries (3.x→3.1.5, 5.x→5.1.9, 9.x→9.0.7)

Remaining unfixable: glob (needs 10.x, pinned at 7/8.x by parent devDeps) and tar (needs 7.x, pinned at 6.x by node-gyp in fantasticon).

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
| argparse "^1.0.7" | ||
| esprima "^4.0.0" | ||
| js-yaml@^4.1.0: |
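Review bot: the js-yaml@^4.1.0 entry at the end of this fragment is the one the Semgrep finding below says resolves into the affected range, but its version line is outside the visible lines, so the fix cannot be confirmed from this hunk. Since the finding asks for at least 4.1.1 and this PR already adds a resolutions block for other transitive packages, add js-yaml to that block (or regenerate the lockfile) and confirm the entry's version line reads 4.1.1 or later. If the lockfile carries more than one js-yaml range, a bare-name resolution covers all of them, while a hand edit to one entry does not.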
Medium severity vulnerability may affect your project—review required:
Line 3932 lists a dependency (js-yaml) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.
To resolve this comment:
Check if you are using js-yaml on the CLI.
- If you're affected, upgrade this dependency to at least version 4.1.1 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
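The mechanism the finding above describes, as an added example that is not js-yaml's code and not part of this PR or the project: a toy model in JavaScript of YAML merge-key (<<) handling, with the mapping objects constructed by hand in place of a parser's output, the naive key copy beside one hardened variant, and a post-parse check that reports mappings whose prototype has been replaced. The function names, the sample document in the comment, and the defineProperty-based hardening are assumptions for illustration, not a description of the upstream fix.

```javascript
// Added example (not js-yaml's code): a minimal model of YAML merge-key (<<)
// handling, showing how copying a merged mapping's keys into the target with
// plain assignment lets a "__proto__" key rewrite the resulting object's
// prototype, and one way to harden the copy. Mapping objects are constructed
// by hand to stand in for the parser's output for a document such as:
//
//   base: &base
//     __proto__:
//       isAdmin: true
//   user:
//     <<: *base
//     name: alice

// Stand-in for the parsed anchored mapping: a parser that stores "__proto__"
// as an own data property (instead of hitting the setter) produces this shape.
function mappingWithProtoKey(payload) {
  const mapping = {};
  Object.defineProperty(mapping, '__proto__', {
    value: payload, enumerable: true, writable: true, configurable: true,
  });
  return mapping;
}

// Vulnerable pattern: destination[key] = source[key]. For key "__proto__" this
// invokes the inherited __proto__ setter, so the destination's prototype
// becomes the attacker-supplied payload object.
function naiveMerge(destination, source) {
  for (const key of Object.keys(source)) {
    destination[key] = source[key];
  }
  return destination;
}

// Hardened copy (one option, assumed here): define every key as an own data
// property, so "__proto__" becomes ordinary data and the prototype is untouched.
function hardenedMerge(destination, source) {
  for (const key of Object.keys(source)) {
    Object.defineProperty(destination, key, {
      value: source[key], enumerable: true, writable: true, configurable: true,
    });
  }
  return destination;
}

// Post-parse check: every plain mapping in a parsed document should still sit
// directly on Object.prototype (arrays on Array.prototype). Returns the paths
// of nodes whose prototype has been replaced.
function findReplacedPrototypes(node, path = '$', out = []) {
  if (node === null || typeof node !== 'object') return out;
  const expected = Array.isArray(node) ? Array.prototype : Object.prototype;
  if (Object.getPrototypeOf(node) !== expected) out.push(path);
  for (const key of Object.keys(node)) {
    findReplacedPrototypes(node[key], `${path}.${key}`, out);
  }
  return out;
}

function demo() {
  const base = mappingWithProtoKey({ isAdmin: true }); // attacker-controlled
  const vulnerable = naiveMerge({ name: 'alice' }, base);
  const safe = hardenedMerge({ name: 'alice' }, base);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    // Inherited, not own: a plain `if (user.isAdmin)` check is fooled.
    vulnerableIsAdmin: vulnerable.isAdmin === true && !hasOwn(vulnerable, 'isAdmin'),
    vulnerableFlagged: findReplacedPrototypes({ user: vulnerable }),
    safeIsAdmin: safe.isAdmin === true,
    safeFlagged: findReplacedPrototypes({ user: safe }),
    // Only the parsed object is affected; Object.prototype itself is untouched.
    globalPolluted: ({}).isAdmin !== undefined,
  };
}

console.log(demo());
```

The check in findReplacedPrototypes is cheap enough to run on every document parsed from an untrusted source, and it catches the outcome (a replaced prototype) regardless of which parser feature produced it.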
minimatch 9.0.6+ requires brace-expansion ^5.0.2 which breaks the ESM/CJS interop in @vscode/test-cli. Keeping 9.0.5 for now. Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Summary
Upgrades vulnerable dependencies to resolve high and critical Dependabot alerts.
Direct dependency upgrades:
- axios ^1.12.0 → ^1.17.0 (SSRF, prototype pollution, credential leak, ReDoS)
- lodash ^4.17.23 → ^4.18.0 (code injection via _.template)
- mocha 10.2.0 → 10.8.2 (fixes transitive minimatch/serialize-javascript vulns)

Yarn resolutions added for transitive deps pinned to vulnerable versions by parent packages:
- braces, picomatch, fast-uri, flatted, handlebars, serialize-javascript, @xmldom/xmldom, request/form-data

Lockfile updates for minimatch (3.1.2→3.1.5, 5.1.6→5.1.9).
Remaining (unfixable without major version bumps of intermediate devDeps):
- glob (needs 10.x, pinned at 7/8.x by @twbs/fantasticon, @vscode/test-cli)
- tar (needs 7.x, pinned at 6.x by node-gyp in @twbs/fantasticon)
- minimatch 9.x (9.0.6+ requires brace-expansion 5.x which breaks ESM/CJS interop in @vscode/test-cli)

Link to Devin session: https://app.devin.ai/sessions/1e6ae06a2bc34abe9a8d6671f567fef8
Requested by: @pkaeding
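A check for the lockfile after a change like this one, as an added example that is not the project's tooling and not part of this PR: a small JavaScript audit of a yarn.lock v1 file that reports every resolved version below a stated minimum, which is what proves that a resolutions entry or a hand edit actually took effect. The embedded lockfile excerpt is constructed (its versions and integrity fields are not the project's), the function names are assumptions, and the minimums are taken from this page: js-yaml 4.1.1 per the Semgrep finding, minimatch 3.1.5 and 5.1.9 per the lockfile updates, and 9.0.6 as the version the PR says it cannot yet take.

```javascript
// Added example (not part of PR #163 or the project's tooling): audit a
// yarn.lock v1 file to confirm that each resolved version of a package meets
// a minimum fixed version. A `resolutions` entry only rewrites the ranges it
// matches, so reading the lockfile back is the check that proves the fix.

// Constructed yarn.lock v1 excerpt; versions and integrity values are not
// taken from the project's lockfile.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@xmldom/xmldom@^0.8.0", "@xmldom/xmldom@^0.8.6":
  version "0.8.10"
  resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.8.10.tgz"
  integrity sha512-constructed

js-yaml@^4.1.0:
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz"
  integrity sha512-constructed
  dependencies:
    argparse "^2.0.1"

minimatch@^3.0.4, minimatch@^3.1.1:
  version "3.1.5"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.5.tgz"
  integrity sha512-constructed
  dependencies:
    brace-expansion "^1.1.7"

minimatch@^5.0.1:
  version "5.1.9"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.9.tgz"
  integrity sha512-constructed
  dependencies:
    brace-expansion "^2.0.1"

minimatch@^9.0.4:
  version "9.0.5"
  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.5.tgz"
  integrity sha512-constructed
  dependencies:
    brace-expansion "^2.0.1"
`;

// Parse yarn.lock v1: an unindented line ending in ":" opens an entry whose
// comma-separated specs may be quoted (scoped packages); the entry's resolved
// version is the 2-space-indented `version "x.y.z"` line that follows.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      const name = specs[0].slice(0, specs[0].lastIndexOf('@')); // keeps "@scope/" prefix
      current = { specs, name, version: null };
      entries.push(current);
      continue;
    }
    const m = /^ {2}version "([^"]+)"$/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric major.minor.patch comparison; a pre-release suffix is ignored, so
// "1.0.0-rc.1" compares equal to "1.0.0" (good enough for floor checks).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// name -> sorted unique resolved versions, to see how many ranges a package has.
function resolvedVersions(lockText) {
  const byName = {};
  for (const e of parseYarnLockV1(lockText)) {
    if (!e.version) continue;
    (byName[e.name] = byName[e.name] || []).push(e.version);
  }
  for (const name of Object.keys(byName)) {
    byName[name] = [...new Set(byName[name])].sort(compareVersions);
  }
  return byName;
}

// A rule is { name, min } or { name, major, min } when the floor applies to one
// major line only. Returns every entry that resolves below its floor.
function checkMinimums(lockText, rules) {
  const violations = [];
  for (const e of parseYarnLockV1(lockText)) {
    if (!e.version) continue;
    for (const r of rules) {
      if (r.name !== e.name) continue;
      if (r.major !== undefined && Number(e.version.split('.')[0]) !== r.major) continue;
      if (compareVersions(e.version, r.min) < 0) {
        violations.push({ name: e.name, specs: e.specs, version: e.version, min: r.min });
      }
    }
  }
  return violations;
}

// Floors taken from this PR page: js-yaml >= 4.1.1 (Semgrep finding), minimatch
// 3.1.5 / 5.1.9 (lockfile updates) and 9.0.6 (the version the PR could not yet
// take because of brace-expansion 5).
const RULES = [
  { name: 'js-yaml', min: '4.1.1' },
  { name: 'minimatch', major: 3, min: '3.1.5' },
  { name: 'minimatch', major: 5, min: '5.1.9' },
  { name: 'minimatch', major: 9, min: '9.0.6' },
];

function auditSampleLock() {
  return checkMinimums(SAMPLE_LOCK, RULES);
}

console.log(auditSampleLock());
```

On the constructed excerpt the audit reports js-yaml 4.1.0 and minimatch 9.0.5, which matches the two items this page leaves open; for a real run, replace SAMPLE_LOCK with the contents of the repository's yarn.lock and keep the accepted-risk floors (such as the minimatch 9.x one) in the rule list so the report stays an explicit record of what is still outstanding.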