chore: regenerate lockfiles for transitive security updates#418
Regenerate package-lock.json for /docs, /frontend, and /cli-releases/frontend to resolve transitive dependency vulnerabilities (lodash, js-yaml, node-forge, jws, brace-expansion, base-x, qs) in a single PR instead of individual dependabot lockfile-only PRs. Made-with: Cursor
Benchmark Results

bench/1-buffer-vector-add.bench.mo

Instructions

| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Buffer | 9_557 | 5_687_594 | 525_783_888 |
| Vector | 13_525 | 4_378_612 | 417_864_498 |

Heap

| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Buffer | 272 B | 272 B | 272 B |
| Vector | 272 B | 272 B | 272 B |

Garbage Collection

| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Buffer | 1.09 KiB | 143.28 KiB | 12.02 MiB |
| Vector | 1.09 KiB | 45.65 KiB | 3.86 MiB |

bench/2-vector-buffer-add.bench.mo $({\color{green}-10.02\%})$

Add
Add items one-by-one

Instructions

| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Vector | 13_525 | 4_378_966 | 417_886_092 |
| Buffer | 9_557 | 5_686_886 | 525_781_056 |

Heap

| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Vector | 272 B | 272 B | 272 B |
| Buffer | 272 B | 272 B | 272 B |

Garbage Collection

| | 10 | 10000 | 1000000 |
|---|---|---|---|
| Vector | 1.09 KiB | 45.65 KiB | 3.86 MiB |
| Buffer | 1.09 KiB | 143.28 KiB | 12.02 MiB |

bench/array.bench.mo $({\color{green}-17.47\%})$

Array
arr arr

Instructions

| | 100k x1 | reset1 | 100k x3 | reset2 | 100k x4 | reset3 |
|---|---|---|---|---|---|---|
| Array | 13_502_096 | 3_335 | 27_003_270 | 3_809 | 54_004_127 | 4_283 |

Heap

| | 100k x1 | reset1 | 100k x3 | reset2 | 100k x4 | reset3 |
|---|---|---|---|---|---|---|
| Array | 390.9 KiB | -390.37 KiB | 390.9 KiB | -390.37 KiB | 390.9 KiB | -390.37 KiB |

Garbage Collection

| | 100k x1 | reset1 | 100k x3 | reset2 | 100k x4 | reset3 |
|---|---|---|---|---|---|---|
| Array | 360 B | 390.97 KiB | 391 KiB | 390.97 KiB | 1.14 MiB | 390.97 KiB |

bench/prng.bench.mo $({\color{gray}0\%})$

Prng
Benchmark N next calls for different PRNGs

Instructions

| | 10 | 100 | 1000 | 10000 |
|---|---|---|---|---|
| Seiran128 | 1_694 | 15_194 | 150_194 | 1_500_194 |
| SFC64 | 2_802 | 28_962 | 288_557 | 2_882_655 |
| SFC32 | 2_383 | 23_825 | 237_026 | 2_379_333 |

Heap

| | 10 | 100 | 1000 | 10000 |
|---|---|---|---|---|
| Seiran128 | 272 B | 272 B | 272 B | 272 B |
| SFC64 | 308 B | 272 B | 272 B | 272 B |
| SFC32 | 280 B | 280 B | 272 B | 272 B |

Garbage Collection

| | 10 | 100 | 1000 | 10000 |
|---|---|---|---|---|
| Seiran128 | 296 B | 296 B | 296 B | 296 B |
| SFC64 | 536 B | 4.98 KiB | 47.16 KiB | 469.04 KiB |
| SFC32 | 376 B | 1.78 KiB | 15.39 KiB | 156.11 KiB |

bench/removeLast.bench.mo $({\color{green}-10.90\%})$

Remove items using removeLast
Vector and buffer are initialized with 100k items and then 70k items are removed one-by-one.

Instructions

| | remove 70k |
|---|---|
| Vector | 27_707_716 |
| Buffer | 29_236_977 |

Heap

| | remove 70k |
|---|---|
| Vector | -136.8 KiB |
| Buffer | -269.76 KiB |

Garbage Collection

| | remove 70k |
|---|---|
| Vector | 139.45 KiB |
| Buffer | 540.43 KiB |

bench/stable-memory.bench.mo $({\color{green}-134.03\%})$

Stable Memory and Region
Grow Region and store blobs in it

Instructions

| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 2_627_037 | 10_496_286 | 2_693 |
| 100 pages | 52_466_833 | 104_914_754 | 2_698 |
| 256 pages | 134_273_814 | 268_574_887 | 3_246 |

Heap

| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 272 B | 272 B | 276 B |
| 100 pages | 272 B | 272 B | 272 B |
| 256 pages | 272 B | 272 B | 276 B |

Garbage Collection

| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 208.34 KiB | 832.38 KiB | 336 B |
| 100 pages | 4.06 MiB | 8.13 MiB | 340 B |
| 256 pages | 10.4 MiB | 20.8 MiB | 340 B |

Stable Memory

| | Region (fill 1/100) | Region (fill 1/50) | StableMemory |
|---|---|---|---|
| 10 pages | 8 MiB | 8 MiB | 8 MiB |
| 100 pages | 8 MiB | 8 MiB | 0 B |
| 256 pages | 16 MiB | 16 MiB | 16 MiB |
…files Made-with: Cursor # Conflicts: # cli-releases/frontend/package-lock.json
- Update transitive deps in /docs, /frontend, /cli lockfiles to pick up security patches (lodash, js-yaml, node-forge, jws, brace-expansion, base-x, qs, undici, flatted, ajv)
- Bump tar 7.5.9 -> 7.5.11 and minimatch 10.0.1 -> 10.2.4 in CLI package.json (security fixes for path traversal and ReDoS)

Made-with: Cursor
The lockfile was generated before bumping tar/minimatch in package.json, causing npm ci to fail with version mismatch errors. Made-with: Cursor
The npm update with --legacy-peer-deps bumped @dfinity/agent to 1.0.1 which conflicts with @dfinity/candid@0.19.3 peer dep. CI runs npm ci without legacy-peer-deps and fails. Reverting to main's lockfile. Made-with: Cursor
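Two checks a reviewer can run on a regenerated lockfile, as an added example that is not code from PR #418 or the project: whether every copy of `tar` and `minimatch` in `package-lock.json` (nested `node_modules` copies included) is at or above the patched version, and whether the lock's root entry still matches `package.json`, which is the out-of-sync state that makes `npm ci` fail. It assumes the lockfileVersion 2/3 `packages` layout; the version floors are the PR's own bumps and the sample lockfile is constructed.

```javascript
// Added example, not code from PR #418 or the project: two checks on a regenerated
// package-lock.json (lockfileVersion 2/3). Version floors come from the PR's
// tar/minimatch bumps; the sample lockfile below is constructed.
const MIN_VERSIONS = { tar: "7.5.11", minimatch: "10.2.4" };
// "x.y.z" (leading "v" and pre-release suffix ignored) -> numeric triple
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}
function versionAtLeast(actual, minimum) {
  const a = parseVersion(actual), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}
// Every copy of a named package must meet its floor. The name is the path
// segment after the last "node_modules/", so nested and scoped copies count.
function findBelowMinimum(lock, minimums) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root entry, checked by rootMismatches
    const idx = path.lastIndexOf("node_modules/");
    const name = idx < 0 ? meta.name || path : path.slice(idx + 13);
    const minimum = minimums[name];
    if (minimum && meta.version && !versionAtLeast(meta.version, minimum)) {
      hits.push({ path, version: meta.version, minimum });
    }
  }
  return hits;
}
// npm ci refuses to install when package.json ranges differ from the lock's
// root entry packages[""]; report each dependency whose range differs.
function rootMismatches(pkg, lock) {
  const root = ((lock.packages || {})[""] || {}).dependencies || {};
  return Object.entries(pkg.dependencies || {})
    .filter(([name, range]) => root[name] !== range)
    .map(([name, range]) => ({ name, wanted: range, locked: root[name] || null }));
}

// Constructed sample: package.json bumped, lockfile generated before the bump.
const packageJson = { dependencies: { tar: "^7.5.11", minimatch: "^10.2.4" } };
const staleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { tar: "^7.5.9", minimatch: "^10.0.1" } },
  "node_modules/tar": { version: "7.5.9" },
  "node_modules/minimatch": { version: "10.2.4" },
  "node_modules/glob/node_modules/minimatch": { version: "10.0.1" },
} };
console.log(findBelowMinimum(staleLock, MIN_VERSIONS)); // tar 7.5.9, nested minimatch 10.0.1
console.log(rootMismatches(packageJson, staleLock)); // tar and minimatch ranges differ
```

Point both functions at the real `package.json` and `package-lock.json` (parsed with `JSON.parse`) to confirm a regenerated lock carries the patched versions everywhere and will pass `npm ci`.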
Summary
- `tar` (7.5.9 → 7.5.11) and `minimatch` (10.0.1 → 10.2.4) in `cli/package.json` — security fixes for path traversal and ReDoS
- `cli/package-lock.json` and `docs/package-lock.json` transitive deps updated in-place to pick up security patches (lodash, js-yaml, node-forge, jws, undici, flatted, ajv, etc.)
- `cli-releases/frontend` changes come from merged PR "Bump vite from 5.2.6 to 5.4.21 in /cli-releases/frontend" #340 (vite 5.2.6 → 5.4.21)
- `frontend/package-lock.json` reverted to main — `npm update --legacy-peer-deps` introduced a `@dfinity/agent` ↔ `@dfinity/candid` peer dep conflict that broke CI
- `blog/package-lock.json` was already up to date (no changes needed)

What was NOT included and why

- `frontend/package-lock.json` — peer dep conflict between `@dfinity/agent@1.0.1` and `@dfinity/candid@0.19.3` prevents a clean lockfile update. Needs a coordinated `@dfinity/*` dependency bump in a separate PR.
- `axios` (via `wasm-pack` → `binary-install`) and `esbuild` (via `tsx`) can't be updated without breaking upstream. Pre-existing on main.

Closed dependabot PRs (replaced by this PR)
#368, #341, #344, #338, #345, #346, #349, #323, #328, #382, #353, #359, #357, #348, #325, #324, #421, #419, #379, #377
Test plan
Verification
Ran findings-verifier on both direct dependency bumps:
Remaining Open PRs — TODO
Review & Merge (real package.json bumps, security fixes)
- /frontend
- /frontend
- /frontend
- /cli-releases/frontend

Need @dependabot rebase (merge conflict with main)

- /cli
- /cli

Need Careful Review (major version bumps, risk of breakage)

- /docs
- /frontend

Non-Dependabot PRs