chore: resolve open dependabot security alerts #1967
Code Review
This pull request updates several dependencies, including an upgrade of js-cookie to version 3.0.7 in the playground app and minor version bumps for containerd and compress in the integration tests. A review comment suggests refining the js-cookie version override from a loose >=3.0.7 range to a safer ^3.0.7 caret range to avoid potential breaking changes from future major releases.
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
| "overrides": { | ||
| "js-cookie": "^3.0.7" | ||
| }, |
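Review bot: the `^3.0.7` override forces a 3.x `js-cookie` underneath `react-use`, whose own dependency range (as noted further down in this thread) is `^2.2.1`, so this crosses a major version boundary that npm would otherwise refuse to resolve. The override is only safe because the playground does not call any cookie-backed hooks; record that reasoning next to the override (a `package.json` comment field or a line in the PR description) so the next person knows when it can be dropped, and verify with `npm ls js-cookie` that a single 3.0.7 copy is installed rather than a 2.x duplicate.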
Can this override be avoided? Is there a transitive dep we can update?
react-use is the only dep pulling in js-cookie, and it's a production dependency. The latest version (17.6.0) still requires js-cookie: ^2.2.1, so there's nothing to bump. That said, I don't think we're actually affected: the vulnerability only triggers when a JSON-derived object is passed as the attributes argument to Cookies.set or similar, and the playground only imports useMedia and useObservable from react-use. No cookie APIs are used. I'd lean toward dismissing the alert.
Pull request overview
Resolves two Dependabot security alerts by updating vulnerable transitive dependencies in the integration test Go module and the playground app’s npm dependency graph, while documenting that remaining Docker/Moby advisories have no upstream fixes yet.
Changes:
- Bump `github.com/containerd/containerd/v2` to `v2.2.4` in `test/integration/go.mod` (with corresponding `go.sum` updates).
- Update Go transitive deps in the integration test module (`klauspost/compress`, `hcsshim`) as a result of the bump/tidy.
- Add an npm `overrides` rule to force `js-cookie` to `^3.0.7` and update `package-lock.json` accordingly.
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| test/integration/go.mod | Bumps containerd/containerd/v2 (and klauspost/compress) to address security alerts in the integration test dependency graph. |
| test/integration/go.sum | Syncs module checksums for the updated Go dependencies. |
| playground-app/package.json | Adds an npm override to force js-cookie to a patched version. |
| playground-app/package-lock.json | Locks js-cookie to 3.0.7 and records its metadata after applying the override. |
Files not reviewed (1)
- playground-app/package-lock.json: Language not supported
| "overrides": { | ||
| "js-cookie": "^3.0.7" | ||
| }, |
Superseded by #1980 (on the canonical



Summary
Resolved 2 of 7 open Dependabot security alerts. The remaining 5 alerts are for `github.com/docker/docker` and currently have no patched version available upstream.

Dependabot Alerts Resolved
- `js-cookie` `>=3.0.7` in `playground-app/package.json` (transitive via `react-use`)
- `github.com/containerd/containerd/v2` `v2.2.4` via `go get` + `go mod tidy` in `test/integration/go.mod`

Unresolvable Alerts
These Docker-related alerts in `test/integration/go.mod` (transitive via `testcontainers-go`) have no upstream patched version yet:
- `PUT /containers/{id}/archive` executes container binary on the host
- `docker cp` allows creation of arbitrary empty files
- `docker cp` allows bind mount redirection
29.3.1 but no such release exists yet