
fix: resolve open dependabot security alerts #1375

Merged

jonathannorris merged 4 commits into main from fix/dependabot-alerts on Apr 27, 2026

Conversation

jonathannorris (Member) commented Apr 27, 2026

Summary

  • Bumps @docusaurus/* to 3.10.0 and sass to 1.99.0, which naturally pull in patched transitive versions (node-forge dropped entirely via webpack-dev-server@5.2.3 → selfsigned@5.5.0, on-headers@1.1.0 via compression@1.8.1, immutable@5.1.5 via sass@1.99.0)
  • Adds resolutions entries in package.json for 21 remaining vulnerable transitive packages whose upstream parents haven't released fixes
  • Alert 80 (tsup DOM Clobbering) has no patched version available upstream and is left unresolved

Notes

  • Alert 80 (tsup DOM Clobbering, <=8.3.4) has no patched version available upstream.
  • js-yaml and ajv each have two independently vulnerable major version lines; blanket resolutions broke gray-matter (uses js-yaml@^3) and @eslint/eslintrc (uses ajv@^6). Both are resolved by letting Yarn install the patched versions of each major line side by side.

Bumps @docusaurus/* to 3.10.0 and sass to 1.99.0, which naturally pull
in patched versions of node-forge (dropped entirely), on-headers, and
immutable without explicit resolutions. Adds yarn resolutions for the
remaining 23 vulnerable transitive packages whose upstream parents
haven't released updates yet.

Note: tsup alert 80 (DOM Clobbering) has no patched version upstream
and is left unresolved.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris requested review from a team as code owners April 27, 2026 15:55
netlify Bot commented Apr 27, 2026

Deploy Preview for openfeature ready!

Latest commit: 0ed8dab
Latest deploy log: https://app.netlify.com/projects/openfeature/deploys/69ef89c0f2eb0d0008aad062
Deploy Preview: https://deploy-preview-1375--openfeature.netlify.app

gemini-code-assist Bot (Contributor) left a comment


Code Review

This pull request updates several Docusaurus and Sass dependencies and introduces a resolutions block in package.json. The review feedback indicates that many of the specified versions do not exist on the public npm registry, which would result in failed dependency resolution and installation. Specifically, the versions for Docusaurus, Sass, and numerous packages within the new resolutions block need to be corrected to valid, existing versions.

The blanket js-yaml resolution to ^4.1.1 broke gray-matter@4.0.3, which
calls yaml.safeLoad (a js-yaml v3 API removed in v4). Without the
resolution, Yarn naturally installs both js-yaml@3.14.2 (for gray-matter,
covering alert 114) and js-yaml@4.1.1 (for everything else, covering
alert 113).

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
The blanket ajv resolution to ^8.18.0 broke @eslint/eslintrc@2.1.4,
which uses internal ajv v6 APIs that don't exist in v8. Without the
resolution, Yarn naturally installs both ajv@6.15.0 (for eslint, covering
alert 140) and ajv@8.20.0 (for schema-utils@4, covering alert 141).

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
svgo@3.3.3 (the security-patched version) added a limit of 512 entity
references to mitigate Billion Laughs attacks. The SVG had 1052 entity
references, all of which were unnecessary &#9; (tab) and &#10; (newline)
characters encoded as XML numeric entities. Replacing them with their
literal equivalents brings the count to 2 and unblocks the build.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
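The entity-reference problem in that svgo commit, as an added example that is not code from the OpenFeature repo or from svgo: it counts every entity reference in an SVG the way a fixed limit would, rewrites only the whitespace-only numeric character references (tab, newline, carriage return) to literal characters, and reports whether the result stays under the limit. The 512 threshold mirrors the number quoted in the commit message; the sample SVG and the function names are constructed for this example.

```javascript
// Assumption: the same 512-reference threshold the commit attributes to svgo@3.3.3.
const ENTITY_REF_LIMIT = 512;

// Every entity reference a parser would expand: named (&amp;), decimal (&#10;)
// or hex (&#x0A;). An expansion limit counts all of them, not just the risky ones.
const ENTITY_RE = /&(?:#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);/g;

function countEntityReferences(svg) {
  return (svg.match(ENTITY_RE) || []).length;
}

// Replace numeric references that encode plain whitespace (U+0009, U+000A,
// U+000D) with the literal character. XML-significant references such as
// &lt; or &amp; and every named reference are left exactly as they are.
function literalizeWhitespaceRefs(svg) {
  return svg.replace(/&#(x[0-9a-fA-F]+|[0-9]+);/g, (ref, num) => {
    const cp = num[0] === 'x' ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp === 9 || cp === 10 || cp === 13 ? String.fromCharCode(cp) : ref;
  });
}

// Report the reference count before and after the rewrite and whether the
// cleaned file would pass a limit of `limit` references.
function checkSvg(svg, limit = ENTITY_REF_LIMIT) {
  const before = countEntityReferences(svg);
  const cleaned = literalizeWhitespaceRefs(svg);
  const after = countEntityReferences(cleaned);
  return { before, after, withinLimit: after <= limit, cleaned };
}

// Constructed sample: 600 encoded tab/newline characters plus two genuine
// references (&amp; and &lt;) that must survive the rewrite untouched.
const SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<title>Fish &amp; Chips</title>' +
  '<text>a &lt; b</text>' +
  '&#9;&#10;'.repeat(300) +
  '</svg>';

const report = checkSvg(SAMPLE_SVG);
console.log(`references before: ${report.before}, after: ${report.after}, ` +
  `within limit: ${report.withinLimit}`);
```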
@jonathannorris jonathannorris added this pull request to the merge queue Apr 27, 2026
Merged via the queue into main with commit 4807dfa Apr 27, 2026
9 checks passed
@jonathannorris jonathannorris deleted the fix/dependabot-alerts branch April 27, 2026 18:56