
chore: resolve open dependabot security alerts#603

Merged: jonathannorris merged 1 commit into main from chore/dependabot-alerts on Jun 10, 2026

Conversation

@jonathannorris (Member)

Summary

  • Resolved 9 open Dependabot security alerts by bumping vulnerable dependencies across npm and rubygems manifests.

Dependabot Alerts Resolved

| Alert | Package | Severity | Fix |
|---|---|---|---|
| #284, #282, #276 | axios | high / low | Bumped direct dep 1.15.2 -> 1.16.0 in package.json |
| #285, #283, #277 | axios | high / low | Resolved via lockfile (yarn.lock) to 1.16.0 |
| #275 | tmp | high | Added resolution tmp@^0.2.3 -> ^0.2.6 (resolves to 0.2.7) |
| #286, #287 | puma | high | Bumped 6.6.0 -> 7.2.1 in proxies/ruby/Gemfile.lock |

Verification

  • yarn install regenerated the lockfile; confirmed axios@npm:1.16.0 and tmp@npm:0.2.7 resolve.
  • yarn test:unit passes (5/5).
  • puma 7.2.1 keeps the same single runtime dep (nio4r ~> 2.0); the Ruby proxy Docker image uses Ruby 3.4, which satisfies puma 7.x.

- axios 1.15.2 -> 1.16.0 (high/low, alerts #282 #283 #284 #285 #276 #277)
- tmp -> 0.2.6+ via resolution (high, alert #275)
- puma 6.6.0 -> 7.2.1 (high, alerts #286 #287)
Copilot AI review requested due to automatic review settings June 10, 2026 13:35
@jonathannorris jonathannorris requested a review from a team as a code owner June 10, 2026 13:35
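The lockfile check in the Verification section above ("confirmed axios@npm:1.16.0 and tmp@npm:0.2.7 resolve") can be scripted so it runs in CI rather than by eye. The following is an added example, not code from this PR or the repository; it assumes the Yarn v2+ lockfile layout (`version:` / `resolution:` lines) and uses a constructed lockfile snippet rather than the project's actual yarn.lock.

```javascript
// Added example: assert that a Yarn Berry lockfile resolves every alerted
// package to at least its patched version. Minimums are the patched
// versions named in PR #603; everything else here is an assumption.
const MIN_VERSIONS = { axios: '1.16.0', tmp: '0.2.6' };

// Constructed sample yarn.lock entries (not the repository's real lockfile).
const SAMPLE_LOCK = `
"axios@npm:^1.16.0":
  version: 1.16.0
  resolution: "axios@npm:1.16.0"

"tmp@npm:^0.2.6":
  version: 0.2.7
  resolution: "tmp@npm:0.2.7"

"nanoid@npm:^3.3.7":
  version: 3.3.8
  resolution: "nanoid@npm:3.3.8"
`;

// Collect every "name@npm:version" resolution line into { name: [versions] }.
// The name group tolerates a leading "@" so scoped packages are handled.
function parseResolutions(lock) {
  const out = {};
  const re = /^\s*resolution:\s*"(@?[^@"]+)@npm:([^"]+)"/gm;
  let m;
  while ((m = re.exec(lock)) !== null) {
    (out[m[1]] = out[m[1]] || []).push(m[2]);
  }
  return out;
}

// Numeric comparison of dotted versions; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns one finding per resolved version below its minimum (or absent).
// An empty array means the lockfile satisfies every minimum.
function checkLock(lock, minimums) {
  const resolved = parseResolutions(lock);
  const findings = [];
  for (const [name, min] of Object.entries(minimums)) {
    const versions = resolved[name] || [];
    if (versions.length === 0) findings.push(`${name}: not found in lockfile`);
    for (const v of versions) {
      if (compareVersions(v, min) < 0) findings.push(`${name}@${v} < ${min}`);
    }
  }
  return findings;
}
```

Run it against the real yarn.lock after `yarn install` and fail the build on a non-empty result; a resolutions override only helps if the lockfile actually picked it up.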

Copilot AI left a comment


Pull request overview

This PR resolves a set of Dependabot security alerts by upgrading vulnerable dependencies in the Node.js (Yarn) and Ruby (Bundler) manifests/lockfiles used by the test harness and its proxies.

Changes:

  • Bumped axios to 1.16.0 in package.json and updated yarn.lock accordingly.
  • Added a Yarn resolutions override to force tmp to a non-vulnerable range (locking to 0.2.7).
  • Upgraded Ruby proxy server dependency puma to 7.2.1 in proxies/ruby/Gemfile.lock.

Reviewed changes

Copilot reviewed 1 out of 3 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| package.json | Updates axios and adds a tmp resolution to address security alerts. |
| yarn.lock | Regenerates lock entries to resolve axios@1.16.0 and tmp@0.2.7. |
| proxies/ruby/Gemfile.lock | Bumps puma to 7.2.1 to remediate Ruby-side alerts. |


@jonathannorris jonathannorris enabled auto-merge (squash) June 10, 2026 13:39
@jonathannorris jonathannorris merged commit 5303a52 into main Jun 10, 2026
9 checks passed
@jonathannorris jonathannorris deleted the chore/dependabot-alerts branch June 10, 2026 14:27