fix(deps): resolve 22 npm security vulnerabilities in website and telemetry/ui#773
skrawcz wants to merge 3 commits into
Conversation
…try/ui

Run npm audit fix in both website/ and telemetry/ui/ to address Dependabot security alerts.

website/ (16 alerts → 2 remaining):
- hono 4.12.8 → 4.12.18 (11 alerts)
- @hono/node-server → 1.19.14
- fast-uri → 3.1.2 (2 HIGH)
- path-to-regexp → 8.4.2 (2 alerts)
- ip-address removed
- postcss inside next cannot be fixed without breaking next downgrade

telemetry/ui/ (8 alerts → 4 remaining):
- fast-uri → 3.1.2 (2 HIGH)
- @babel/plugin-transform-modules-systemjs → 7.29.4 (1 HIGH)
- lodash, postcss, vite remain unfixed (locked by react-scripts/CRA)

Resolves 22 of 26 open Dependabot alerts. The remaining 4 require migrating telemetry/ui from Create React App to a modern bundler.
Pull request overview
This PR updates the website’s npm lockfile as the result of running npm audit fix, aiming to reduce known security vulnerabilities by upgrading affected transitive dependencies.
Changes:
- Upgraded several website/ dependencies in package-lock.json (notably next, hono, @hono/node-server, fast-uri, path-to-regexp, postcss, etc.).
- Refreshed resolved tarballs / integrity hashes to match the upgraded versions.
Files not reviewed (1)
- website/package-lock.json: Language not supported
| "node_modules/next": { | ||
| "version": "15.5.12", | ||
| "resolved": "https://registry.npmjs.org/next/-/next-15.5.12.tgz", | ||
| "integrity": "sha512-Fi/wQ4Etlrn60rz78bebG1i1SR20QxvV8tVp6iJspjLUSHcZoeUXCt+vmWoEcza85ElZzExK/jJ/F6SvtGktjA==", | ||
| "version": "15.5.18", | ||
| "resolved": "https://registry.npmjs.org/next/-/next-15.5.18.tgz", | ||
| "integrity": "sha512-eKL8zUJkX9Y5lE+RX/2YJoItVdGlIscyVyboeD9wSpp0PaGqjoA4tTpT2qPqz9ax+5IzGESyLSeZ/RCwbSZ2uQ==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "@next/env": "15.5.12", | ||
| "@next/env": "15.5.18", |
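Review bot: the hunk for node_modules/next is cut off right after the first `dependencies` entry (`"@next/env": "15.5.18"`), so whether the rest of next's own pinned entries were re-pinned to 15.5.18 is not visible here, and since the automated review skipped website/package-lock.json ("Language not supported") the version / resolved URL / sha512 integrity triple for 15.5.12 → 15.5.18 has only been read by eye. Running `npm ci` from a clean checkout is the cheapest check: npm verifies each downloaded tarball against the lockfile's integrity hash and fails the install if either the hash or the URL does not match the registry artifact.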
andreahlert
left a comment
diff in burr/core/graph.py:107-111 looks like it slipped in via pre-commit, outside the deps scope. mind reverting or calling it out in the body?
next major bump (14 → 15) on the website is lockfile-only, but worth confirming npm run build and a local smoke of the site. CI has no build job for website/.
other than that, 22/26 alerts cleared with an honest table on the 4 stuck behind CRA. lgtm after those two.
Thanks for the review! graph.py change: Yes, that's a pre-commit black formatting fix that slipped in. The Website build: Confirmed
Summary

Runs npm audit fix in both website/ and telemetry/ui/ to resolve Dependabot security alerts.
website/ (16 alerts fixed, 2 remaining)
Remaining: postcss (#165) bundled inside next, cannot fix without breaking downgrade to next 9.x.
telemetry/ui/ (4 alerts fixed, 4 remaining)
Remaining: lodash (#151 #150), postcss (#164), vite (#158) all locked behind react-scripts 5.x (Create React App). Fixing these requires migrating to a modern bundler.
Other
burr/core/graph.py: black formatting fix. The format to fmt rename from #759 left a line that black wants collapsed. Included here since it causes pre-commit failures on every new PR branched off main.
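The triage the description above does by hand (which alerts a plain `npm audit fix` clears, which are locked behind a top-level package such as react-scripts that would need a semver-major bump, and which have no fix at all) can be read straight out of `npm audit --json`. The script below is an added example, not code from the Burr repository or from this PR. The report it parses is a constructed sample: the package names mirror the ones in the description, but the versions, ranges, severities and advisory titles are invented, and the `fixAvailable` / `isSemVerMajor` fields follow the shape npm 7 and later emit.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ shape).
// Not code from the Burr repository or from this PR.
//
// Each entry in report.vulnerabilities carries `fixAvailable`, which is
//   true   -> a plain `npm audit fix` resolves it
//   false  -> no fixed version exists on any dependency path
//   object -> { name, version, isSemVerMajor }: the top-level package whose
//             bump would clear it; with isSemVerMajor true that bump needs
//             `npm audit fix --force` plus a migration, which is the
//             "locked behind react-scripts" case in the PR description.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report. Package names follow the PR description; the
// versions, ranges, severities and advisory titles are invented.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "fast-uri": {
      name: "fast-uri", severity: "high", isDirect: false,
      via: [{ name: "fast-uri", title: "constructed advisory", severity: "high", range: "<3.1.2" }],
      effects: [], range: "<3.1.2", nodes: ["node_modules/fast-uri"],
      fixAvailable: true,
    },
    lodash: {
      name: "lodash", severity: "high", isDirect: false,
      via: [{ name: "lodash", title: "constructed advisory", severity: "high", range: "<0.0.0-example" }],
      effects: ["react-scripts"], range: "<0.0.0-example", nodes: ["node_modules/lodash"],
      fixAvailable: { name: "react-scripts", version: "0.0.0-example", isSemVerMajor: true },
    },
    postcss: {
      name: "postcss", severity: "moderate", isDirect: false,
      via: [{ name: "postcss", title: "constructed advisory", severity: "moderate", range: "<0.0.0-example" }],
      effects: ["react-scripts"], range: "<0.0.0-example", nodes: ["node_modules/postcss"],
      fixAvailable: { name: "react-scripts", version: "0.0.0-example", isSemVerMajor: true },
    },
    vite: {
      name: "vite", severity: "moderate", isDirect: false,
      via: [{ name: "vite", title: "constructed advisory", severity: "moderate", range: "<0.0.0-example" }],
      effects: ["react-scripts"], range: "<0.0.0-example", nodes: ["node_modules/vite"],
      fixAvailable: { name: "react-scripts", version: "0.0.0-example", isSemVerMajor: true },
    },
    "example-unfixable": {
      name: "example-unfixable", severity: "low", isDirect: true,
      via: [{ name: "example-unfixable", title: "constructed advisory", severity: "low", range: "*" }],
      effects: [], range: "*", nodes: ["node_modules/example-unfixable"],
      fixAvailable: false,
    },
  },
};

// Bucket one vulnerability entry by what it would take to clear it.
function classify(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return "auto";        // `npm audit fix` handles it
  if (!fix) return "unfixable";           // false or missing: nothing to bump to
  return fix.isSemVerMajor ? "major" : "auto"; // object: semver-major needs --force
}

// Group every entry: auto-fixable, blocked behind a top-level package, or unfixable.
function triage(report) {
  const out = { auto: [], unfixable: [], blocked: {} };
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    const bucket = classify(entry);
    if (bucket === "major") {
      const top = entry.fixAvailable.name;
      if (!out.blocked[top]) out.blocked[top] = [];
      out.blocked[top].push(name);
    } else {
      out[bucket].push(name);
    }
  }
  out.auto.sort();
  out.unfixable.sort();
  for (const top of Object.keys(out.blocked)) out.blocked[top].sort();
  return out;
}

// Highest severity among alerts that a plain `npm audit fix` will NOT clear.
function worstRemainingSeverity(report) {
  let worst = null;
  for (const entry of Object.values(report.vulnerabilities || {})) {
    if (classify(entry) === "auto") continue;
    if (worst === null || SEVERITY_RANK[entry.severity] > SEVERITY_RANK[worst]) worst = entry.severity;
  }
  return worst;
}

// CI gate: true when an alert that audit fix cannot clear meets the threshold.
function exceedsThreshold(report, level) {
  const worst = worstRemainingSeverity(report);
  return worst !== null && SEVERITY_RANK[worst] >= SEVERITY_RANK[level];
}

// Human-readable summary in the same shape as the PR description's lists.
function formatTriage(t) {
  const lines = [`fixed by npm audit fix: ${t.auto.join(", ") || "(none)"}`];
  for (const [top, deps] of Object.entries(t.blocked)) {
    lines.push(`blocked behind ${top} (semver-major bump needed): ${deps.join(", ")}`);
  }
  lines.push(`no fix available: ${t.unfixable.join(", ") || "(none)"}`);
  return lines.join("\n");
}

console.log(formatTriage(triage(SAMPLE_REPORT)));
```

To run it against a real tree, capture `npm audit --json > audit.json` in website/ or telemetry/ui/ and pass the parsed object to `triage`. `exceedsThreshold(report, "high")` is the gate a CI job for website/ could fail on: it ignores everything a plain `npm audit fix` would resolve and only counts what stays behind, so the build does not go red for alerts the next lockfile refresh will clear anyway.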