Pin all dependency versions and fix transitive vulnerabilities#535

Merged
pethers merged 2 commits into main from copilot/fix-package-json-dependencies on Mar 27, 2026
Conversation

Contributor

Copilot AI commented Mar 27, 2026

All deps/devDeps used ^ ranges; transitive vulnerabilities in mocha's dependency chain were unaddressed.

Version pinning

  • Removed ^ from all dependencies and devDependencies for reproducible installs

Updates

  • vitest: 4.0.6 → 4.1.2
  • @vitest/ui: 4.0.3 → 4.1.2

Security overrides

Added overrides to fix 6 transitive vulnerabilities (2 high, 3 moderate, 1 low) via cypress-junit-reporter → mocha:

"overrides": {
  "diff": "8.0.4",
  "serialize-javascript": "7.0.5",
  "brace-expansion": "5.0.5"
}

Not upgraded

  • TypeScript stays at 5.9.3 — @typescript-eslint 8.x requires <6.0.0

- Pin all dependencies and devDependencies to exact versions (remove ^ prefixes)
- Update @vitest/ui from 4.0.3 to 4.1.2
- Update vitest from 4.0.6 to 4.1.2
- Add overrides for vulnerable transitive deps: diff@8.0.4, serialize-javascript@7.0.5, brace-expansion@5.0.5
- Keep TypeScript at 5.9.3 (required by @typescript-eslint 8.x which needs <6.0.0)
- Regenerate package-lock.json with 0 vulnerabilities

Agent-Logs-Url: https://github.com/Hack23/game/sessions/302dae6c-6b44-4462-9df4-e4d8b71a4593

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
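As an added example, not code from this PR or from the Hack23/game repository: a small Node script that reports every entry in `dependencies`, `devDependencies`, `optionalDependencies` or `overrides` that is still a range rather than an exact version, and mechanically strips a leading `^` or `~` the way this PR did. The sample manifest is constructed from the versions quoted in the description above; the package names `some-lib`, `example-reporter` and `legacy-tool` and their specifiers are placeholders assumed for illustration.

```javascript
// Added example (not the project's code): lint a package.json object for
// unpinned version specifiers and pin the ones that can be pinned mechanically.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Sections whose values are version specifiers and should be exact.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "overrides"];

function isExact(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec.trim());
}

// Walk one section; npm allows nested override objects ("pkg": { "dep": "1.2.3" }),
// which are flattened to "parent > child" in the report.
function collect(entries, section, prefix, out) {
  for (const [name, spec] of Object.entries(entries)) {
    const path = prefix ? `${prefix} > ${name}` : name;
    if (spec && typeof spec === "object") {
      collect(spec, section, path, out);
    } else if (!isExact(spec)) {
      out.push({ section, name: path, spec });
    }
  }
}

// Returns [{ section, name, spec }] for every specifier that is not an exact version.
function findUnpinned(pkg) {
  const out = [];
  for (const section of SECTIONS) {
    if (pkg[section] && typeof pkg[section] === "object") collect(pkg[section], section, "", out);
  }
  return out;
}

// Drop a leading ^ or ~ when what remains is exact. Anything else (">=", "*",
// dist-tags, git URLs) cannot be pinned without choosing a version, so it is
// returned unchanged and stays in the findUnpinned report for a human to decide.
function pinSpec(spec) {
  if (typeof spec !== "string") return spec;
  const stripped = spec.trim().replace(/^[\^~]/, "");
  return isExact(stripped) ? stripped : spec;
}

// Returns a deep copy of the manifest with every pin-able specifier pinned.
function pinAll(pkg) {
  const copy = JSON.parse(JSON.stringify(pkg));
  const walk = (obj) => {
    for (const [key, value] of Object.entries(obj)) {
      if (value && typeof value === "object") walk(value);
      else obj[key] = pinSpec(value);
    }
  };
  for (const section of SECTIONS) {
    if (copy[section] && typeof copy[section] === "object") walk(copy[section]);
  }
  return copy;
}

// Constructed sample manifest: real versions from the PR description, placeholder
// packages (some-lib, example-reporter, legacy-tool) added to show each outcome.
const samplePackageJson = {
  name: "constructed-sample",
  dependencies: {
    "some-lib": "~2.1.0"            // placeholder: tilde range, pin-able
  },
  devDependencies: {
    vitest: "4.1.2",                // from the PR
    "@vitest/ui": "4.1.2",          // from the PR
    typescript: "5.9.3",            // from the PR
    "example-reporter": "^1.0.0",   // placeholder: caret range, pin-able
    "legacy-tool": ">=3.0.0"        // placeholder: open range, needs a human choice
  },
  overrides: {
    diff: "8.0.4",                  // from the PR
    "serialize-javascript": "7.0.5",
    "brace-expansion": "5.0.5"
  }
};

for (const p of findUnpinned(samplePackageJson)) {
  console.log(`${p.section}: ${p.name} uses range "${p.spec}"`);
}
const remaining = findUnpinned(pinAll(samplePackageJson));
console.log(`after pinning, ${remaining.length} specifier(s) still need manual attention`);
```

To check a real manifest, pass the parsed contents of `package.json` to `findUnpinned`. Pinning the manifest alone does not fix transitive versions; the regenerated `package-lock.json` and the `overrides` block do that, which is why the PR does both, and the lint above treats `overrides` entries as specifiers that must be exact too.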
@github-actions github-actions bot added labels "dependencies" (Dependency updates) and "infrastructure" (CI/CD and build infrastructure) Mar 27, 2026
Copilot AI changed the title [WIP] Fix all versions in package.json dependencies and devDependencies Pin all dependency versions and fix transitive vulnerabilities Mar 27, 2026
Copilot AI requested a review from pethers March 27, 2026 12:04
@pethers pethers marked this pull request as ready for review March 27, 2026 12:10
@pethers pethers merged commit f201918 into main Mar 27, 2026
20 checks passed
@pethers pethers deleted the copilot/fix-package-json-dependencies branch March 27, 2026 22:19