
[CHORE] Solve dependabot security alerts#1318

Merged
marco-saia-datadog merged 2 commits into develop from sbarrio/chore/fix-dependabot-security-alerts on Jul 1, 2026

Conversation

@sbarrio (Contributor) commented Jul 1, 2026

What does this PR do?

It solves several security issues raised by dependabot on several dependencies:

Updated resolutions:

| Package | Before | After | Severity |
|---|---|---|---|
| axios | 1.15.0 | 1.16.0 | HIGH — proxy credential leaks, MitM, ReDoS (9 CVEs) |
| form-data | 4.0.4 | 4.0.6 | HIGH — CRLF injection in multipart |
| tmp | 0.2.4 | 0.2.6 | HIGH — path traversal |
| brace-expansion@^5.x | 5.0.5 | 5.0.6 | MEDIUM — DoS via large numeric ranges |
| @babel/core | ^7.29.0 (→ 7.29.0) | 7.29.6 (exact) | LOW — arbitrary file read via sourceMappingURL |

New resolutions:

| Package | Version | Severity |
|---|---|---|
| shell-quote | 1.8.4 | CRITICAL — newline injection in CLI quoting |
| protobufjs | 7.6.3 | CRITICAL + HIGH — arbitrary code execution + 7 more |
| simple-git | 3.36.0 | CRITICAL + HIGH — RCE via case-insensitive config bypass |
| flatted | 3.4.2 | HIGH — prototype pollution + DoS |
| fast-uri | 3.1.2 | HIGH — path traversal + host confusion |
| @babel/plugin-transform-modules-systemjs | 7.29.4 | HIGH — arbitrary code gen from malicious input |
| path-to-regexp | 0.1.13 | HIGH — ReDoS via multiple route params |
| ws | 7.5.11 | HIGH — memory exhaustion DoS |
| picomatch | 2.3.2 | HIGH — ReDoS via extglob quantifiers |
| tar | 7.5.16 | HIGH→MEDIUM — multiple path traversal/symlink CVEs |
| follow-redirects | 1.16.0 | MEDIUM — auth header leak across redirects |
| qs | 6.15.2 | MEDIUM — DoS via comma-format array crash |
| joi | 17.13.4 | MEDIUM — uncaught RangeError via recursive schemas |
| brace-expansion@^1.1.7 | 1.1.13 | MEDIUM — memory exhaustion via zero-step sequences |
| @protobufjs/utf8 | 1.1.1 | MEDIUM — overlong UTF-8 decoding |

Additional Notes

Ran against the E2E suite on this pipeline.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests
  • Make sure you discussed the feature or bugfix with the maintaining team in an Issue
  • Make sure each commit and the PR mention the Issue number (cf the CONTRIBUTING doc)
  • If this PR is auto-generated, please make sure also to manually update the code related to the change
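The tables above give the minimum safe version for each package, but pinning a Yarn resolution does not by itself prove that every copy in the install tree moved up (a lockfile can hold several copies of one package, and a stale duplicate is still reachable). The following is an added example, not code from this PR or its repository: it takes a map of installed versions (as you would collect from `yarn.lock` or `yarn list --json`) and reports every copy that still resolves below the floor from the PR description. The `MIN_SAFE` table is transcribed from the PR, while `SAMPLE_INSTALLED`, the hypothetical function names and the per-major-line handling for brace-expansion are my own constructions.

```javascript
// Added example, not code from this PR or its repository: verify that
// every installed copy of a package sits at or above the minimum safe
// version listed in the PR description. Installed versions would normally
// be collected from yarn.lock or `yarn list --json`; here they are a
// constructed sample so the check runs offline.

// Floors taken from the PR tables. A package that has fixes on more than
// one major line (brace-expansion) gets one floor per line; an installed
// version is compared only against the floor sharing its major number.
const MIN_SAFE = {
  'axios': '1.16.0',
  'form-data': '4.0.6',
  'tmp': '0.2.6',
  'brace-expansion': ['1.1.13', '5.0.6'],
  '@babel/core': '7.29.6',
  'shell-quote': '1.8.4',
  'protobufjs': '7.6.3',
  'simple-git': '3.36.0',
  'flatted': '3.4.2',
  'fast-uri': '3.1.2',
  '@babel/plugin-transform-modules-systemjs': '7.29.4',
  'path-to-regexp': '0.1.13',
  'ws': '7.5.11',
  'picomatch': '2.3.2',
  'tar': '7.5.16',
  'follow-redirects': '1.16.0',
  'qs': '6.15.2',
  'joi': '17.13.4',
  '@protobufjs/utf8': '1.1.1',
};

// Parse "major.minor.patch[-prerelease]"; a leading ^ or ~ (as found in
// package.json ranges) is tolerated so resolution strings can be fed in.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below its release (7.6.3-beta.1 < 7.6.3).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Pick the floor for an installed version: a single string applies to all
// copies, an array is matched by major number; null means no floor is known.
function floorFor(minimum, installedVersion) {
  if (!Array.isArray(minimum)) return minimum;
  const major = parseVersion(installedVersion).major;
  return minimum.find((f) => parseVersion(f).major === major) || null;
}

// installed: { packageName: [version, ...] }, since a lockfile may hold
// several copies of one package; every copy must clear the floor.
function findBelowFloor(installed, floors = MIN_SAFE) {
  const findings = [];
  for (const [name, minimum] of Object.entries(floors)) {
    for (const v of installed[name] || []) {
      const floor = floorFor(minimum, v);
      if (floor !== null && compareVersions(v, floor) < 0) {
        findings.push({ name, installed: v, minimum: floor });
      }
    }
  }
  return findings;
}

// Constructed sample, not real output from this repository: form-data is
// still present in an old copy next to the fixed one, and qs is one patch short.
const SAMPLE_INSTALLED = {
  'axios': ['1.16.0'],
  'form-data': ['4.0.4', '4.0.6'],
  'tmp': ['0.2.6'],
  'brace-expansion': ['1.1.13', '5.0.6'],
  'ws': ['7.5.11', '8.18.0'],
  'qs': ['6.15.1'],
};

const REPORT = findBelowFloor(SAMPLE_INSTALLED);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it with `node` and it prints the two stale copies in the sample (`form-data@4.0.4` and `qs@6.15.1`); an empty report is the condition a CI gate would require before treating the Dependabot alerts as closed. Feeding it real data means building the `installed` map from the lockfile rather than from one top-level version, because that is exactly where a leftover duplicate hides.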

@sbarrio sbarrio self-assigned this Jul 1, 2026
@sbarrio sbarrio marked this pull request as ready for review July 1, 2026 10:19
@sbarrio sbarrio requested a review from a team as a code owner July 1, 2026 10:19
Copilot AI review requested due to automatic review settings July 1, 2026 10:20

Copilot AI left a comment


Pull request overview

This PR addresses Dependabot security alerts by updating Yarn resolutions (and the generated yarn.lock) for multiple Node dependencies, and updating Ruby concurrent-ruby constraints/lockfiles used by the example and benchmark projects.

Changes:

  • Updated multiple Yarn resolutions/lock entries (e.g., axios, form-data, tmp, Babel packages, protobufjs, simple-git, tar, follow-redirects, qs, joi, fast-uri, ws, picomatch).
  • Added new Yarn resolutions for several transitive dependencies flagged by Dependabot.
  • Updated concurrent-ruby constraints in example/benchmark Gemfiles and refreshed corresponding Gemfile.lock files.

Reviewed changes

Copilot reviewed 4 out of 8 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| yarn.lock | Regenerated lockfile reflecting updated security-driven dependency resolutions. |
| package.json | Updated Yarn resolutions to pin/override vulnerable transitive dependencies. |
| example/Gemfile | Relaxed concurrent-ruby constraint to >= 1.3.7. |
| example/Gemfile.lock | Updated locked concurrent-ruby version and dependency constraint. |
| example-new-architecture/Gemfile | Relaxed concurrent-ruby constraint to >= 1.3.7. |
| example-new-architecture/Gemfile.lock | Updated locked concurrent-ruby version and dependency constraint. |
| benchmarks/Gemfile | Relaxed concurrent-ruby constraint to >= 1.3.7. |
| benchmarks/Gemfile.lock | Updated locked concurrent-ruby version and dependency constraint (plus lock metadata updates). |


@marco-saia-datadog marco-saia-datadog merged commit 6f38a14 into develop Jul 1, 2026
11 checks passed
@marco-saia-datadog marco-saia-datadog deleted the sbarrio/chore/fix-dependabot-security-alerts branch July 1, 2026 13:50
