Commit 9d42bde

fix: resolve 17 high/critical Dependabot security alerts

- Update semantic-kernel[azure] from 1.28.0 to 1.40.0 (CVE: InMemoryVectorStore RCE, Arbitrary File Write)
- Add npm overrides to fix transitive dependency vulnerabilities:
  - serialize-javascript >=7.0.3 (RCE via RegExp.flags)
  - bfj >=9.1.3 (removes vulnerable jsonpath dependency)
  - underscore >=1.13.8 (DoS via unlimited recursion)
  - svgo >=3.3.3 (DoS via Billion Laughs)
  - d3-color and nth-check pinned to top-level safe versions
- Remove duplicate d3-color and lodash-es entries in package.json
- Regenerate package-lock.json with all overrides applied
1 parent 88ee0c8 commit 9d42bde
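
The commit message says the npm overrides were applied and the lockfile regenerated, and that the Python pin was raised; neither claim is visible on this page beyond the one-line requirements.txt hunk. The script below is an added example, not code from the commit or the project: it audits a package-lock.json (lockfileVersion 2 or 3, including nested `node_modules` copies, which are exactly what an override is supposed to eliminate) and a requirements.txt against minimum versions. The npm floors are the ones named in the commit message; treating 1.40.0 as the semantic-kernel floor is an assumption (the page pins it but does not state it is the minimum fixed release); the lockfile and requirements text embedded below are constructed for the demo and are not the repository's files.

```python
"""Verify that dependency floors from a Dependabot fix actually landed.

Added example, not code from the commit or the project. Audits a
package-lock.json (lockfileVersion 2 or 3) and a requirements.txt body
against minimum versions. Lockfile and requirements content below are
constructed for the demo.
"""
import json
import re

# Floors taken from the commit message's npm overrides.
NPM_FLOORS = {
    "serialize-javascript": "7.0.3",
    "bfj": "9.1.3",
    "underscore": "1.13.8",
    "svgo": "3.3.3",
}

# Assumption: the version the commit pins is treated as the floor.
PY_FLOORS = {"semantic-kernel": "1.40.0"}


def parse_version(v):
    """Map 'x.y.z' (optionally with a suffix such as '-beta.1' or 'b8') to a
    comparable key. Numeric parts compare numerically; any suffix sorts below
    the bare release, which matches semver and is adequate for plain pins.
    Not a full PEP 440 or semver-range implementation."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        return (0,), (0, v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    suffix = m.group(2)
    return nums, ((1, "") if not suffix else (0, suffix))


def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    marker = "node_modules/"
    return lock_path[lock_path.rfind(marker) + len(marker):]


def load_lock(path):
    """Read a package-lock.json from disk (real use; the demo embeds one)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_lock(lock, floors):
    """Return (path, version, floor) for every installed copy below its floor.
    Nested copies under another package's node_modules are walked too, since
    a leftover nested copy means the override did not take effect there."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:  # root entry or workspace link
            continue
        floor = floors.get(package_name(path))
        if floor and parse_version(meta["version"]) < parse_version(floor):
            findings.append((path, meta["version"], floor))
    return findings


_PIN = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?==([0-9][0-9A-Za-z.\-]*)$")


def audit_requirements(text, floors):
    """Return (name, version, floor) for '==' pins below their floor.
    Extras such as '[azure]' are ignored when matching the name."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _PIN.match(line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        floor = floors.get(name)
        if floor and parse_version(version) < parse_version(floor):
            findings.append((name, version, floor))
    return findings


# Constructed lockfile excerpt: compliant top-level copies plus one stale
# nested copy that a correctly applied override would have removed.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/serialize-javascript": {"version": "7.0.3"},
        "node_modules/bfj": {"version": "9.1.3"},
        "node_modules/underscore": {"version": "1.13.8"},
        "node_modules/svgo": {"version": "3.3.3"},
        "node_modules/legacy-plugin": {"version": "2.0.0"},
        "node_modules/legacy-plugin/node_modules/serialize-javascript": {"version": "6.0.2"},
    },
}

# Constructed requirements bodies mirroring the before/after of the hunk.
OLD_REQS = "semantic-kernel[azure]==1.28.0\nazure-ai-projects==1.0.0b8\n"
NEW_REQS = "semantic-kernel[azure]==1.40.0\nazure-ai-projects==1.0.0b8\n"

if __name__ == "__main__":
    # On a real checkout: audit_lock(load_lock("package-lock.json"), NPM_FLOORS)
    for finding in audit_lock(SAMPLE_LOCK, NPM_FLOORS):
        print("lock: %s is %s, need >=%s" % finding)
    for finding in audit_requirements(OLD_REQS, PY_FLOORS):
        print("requirements: %s==%s, need >=%s" % finding)
```

Run it against the real `package-lock.json` after `npm install`; a non-empty result from `audit_lock` means some dependent still resolves its own copy below the override floor, which `npm ls <package>` will then locate for you. The version comparison deliberately stays simple: it handles the `x.y.z` pins and overrides this commit uses, not arbitrary semver ranges.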

3 files changed

+921
-1258
lines changed


docs/workshop/docs/workshop/requirements.txt

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
azure-identity==1.21.0
33
azure-ai-evaluation==1.5.0
44
# Additional utilities
5-
semantic-kernel[azure]==1.28.0
5+
semantic-kernel[azure]==1.40.0
66
azure-ai-projects==1.0.0b8
77
openai==1.74.0
88
pyodbc==5.2.0
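Review bot: the single-line bump from semantic-kernel[azure]==1.28.0 to ==1.40.0 spans twelve minor releases while the neighbouring pins in the same hunk (azure-ai-projects==1.0.0b8, openai==1.74.0, pyodbc==5.2.0) are left exactly as they were, so please confirm the resolved set still installs without conflicts (for example `pip install -r requirements.txt && pip check`) and that whatever under docs/workshop imports semantic_kernel still runs against 1.40.0. The commit message identifies the fixed issues only descriptively ("InMemoryVectorStore RCE, Arbitrary File Write") with no advisory identifiers; add the GHSA/CVE IDs from the Dependabot alerts to the commit or PR so a reviewer can check that 1.40.0 is at or above the patched version rather than taking the floor on trust.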

0 commit comments
