chore(deps): clear Dependabot backlog via resolution bumps#12
Merged
Bump/add Yarn resolutions to remediate 29 of 30 open Dependabot alerts (14 high / 13 medium / 3 low), then re-resolve the lockfile:
- axios >=1.16.0 (→1.17.0) — clears 21 alerts (the bulk)
- esbuild >=0.28.1, ws >=8.20.1, brace-expansion >=5.0.6 (existing resolutions raised)
- postcss >=8.5.10, ip-address >=10.1.1, fast-uri >=3.1.2 (→4.0.0, major; verified) — new
elliptic@6.6.1 (LOW, no upstream patch) remains the only open alert — accepted, documented in DECISIONS.md.
All affected packages are transitive build/dev tooling (not in the shipped extension bundle).
Verified: all workspaces build, 395 core + 375 extension tests pass, biome clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Lykhoyda added a commit that referenced this pull request on Jun 14, 2026
The Synpress e2e-docker gate passed on 298cabb (the trust-boundary work), so integrating the cleanup PRs (#9-#12) now merged to main.
Conflicts resolved:
- .gitignore — kept BOTH the screenshots/ (from #9) and store-assets/*.zip (from #8) ignore entries.
- docs/DECISIONS.md (git-crypt) — kept the #12 Dependabot Remediation entry AND the #8 ADR-016 / off-mainnet-fail-secure entries.
Verified merged tree: build clean, 398 core + 382 extension tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Clears the open Dependabot backlog — 29 of 30 alerts (14 high / 13 medium / 3 low) — by bumping/adding Yarn resolutions and re-resolving the lockfile.
- axios: >=1.15.0 → >=1.16.0
- esbuild: >=0.25.0 → >=0.28.1
- ws: >=8.18.3 → >=8.20.1
- brace-expansion: >=5.0.5 → >=5.0.6
- postcss: >=8.5.10 (new)
- ip-address: >=10.1.1 (new)
- fast-uri: >=3.1.2 (new)
Remaining open: elliptic@6.6.1 (LOW) — no upstream patch exists; accepted & documented in DECISIONS.md.
Context
All affected packages are transitive build/dev tooling — the shipped extension bundle uses fetch, not axios, and esbuild/postcss/vite/fast-uri/ws are build-time. So real-world exploitability against users was low, but the bumps are cheap and keep the alert surface clean.
Verification
After re-resolution: ✅ all workspaces build · ✅ 395 core + 375 extension unit tests pass · ✅ biome clean. The fast-uri 3→4 major bump caused no breakage.
🤖 Generated with Claude Code
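A resolution only forces a version floor; whether the re-resolved lockfile actually landed every descriptor of a remediated package at or above that floor is something worth checking before pushing, since a stray descriptor that still resolves below it would leave the alert open. The script below is an added example, not code from this PR or the project: it parses a Yarn v1 ("classic") lockfile, applies the floors from the PR description, and reports any entry still below its floor. The lockfile excerpt is constructed for the example (the brace-expansion entry is deliberately left below its floor), and `parseYarnV1Lock`, `compareVersions` and `findBelowFloor` are names chosen here, not project APIs.

```javascript
// Added example, not code from the PR or the project it belongs to.
// After raising Yarn "resolutions", re-check the re-resolved lockfile:
// every entry for a remediated package must have landed at or above the
// floor the resolution sets. Assumes the Yarn v1 ("classic") lockfile
// layout; the floors are the ones listed in the PR description.

// Package -> minimum acceptable resolved version (from the PR's resolutions).
const FLOORS = {
  axios: "1.16.0",
  esbuild: "0.28.1",
  ws: "8.20.1",
  "brace-expansion": "5.0.6",
  postcss: "8.5.10",
  "ip-address": "10.1.1",
  "fast-uri": "3.1.2",
};

// Constructed yarn.lock excerpt (Yarn v1 format), not the project's real lockfile.
// The brace-expansion entry is deliberately below its floor so the check finds it.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

axios@^1.6.0, axios@^1.7.0:
  version "1.17.0"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.17.0.tgz"

ws@^8.18.0:
  version "8.20.1"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.20.1.tgz"

"@scope/tool@^1.0.0":
  version "1.0.0"

brace-expansion@^1.1.7:
  version "1.1.11"
`;

// "major.minor.patch" -> [major, minor, patch]; a pre-release suffix is ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10));
}

// Comparator on the numeric triple: negative, zero or positive like sort callbacks.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parse a Yarn v1 lockfile into [{ names: [...], version }] entries.
// A header line is a comma-separated list of (optionally quoted) descriptors
// of the form name@range ending with ":"; scoped names keep their leading "@",
// so the package name is everything before the LAST "@".
function parseYarnV1Lock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const descriptors = line
        .replace(/:$/, "")
        .split(",")
        .map((d) => d.trim().replace(/^"|"$/g, ""));
      const names = new Set(descriptors.map((d) => d.slice(0, d.lastIndexOf("@"))));
      current = { names: [...names], version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Entries whose resolved version is still below the floor set for that package.
function findBelowFloor(lockText, floors) {
  const violations = [];
  for (const entry of parseYarnV1Lock(lockText)) {
    for (const name of entry.names) {
      const floor = floors[name];
      if (floor && entry.version && compareVersions(entry.version, floor) < 0) {
        violations.push({ name, version: entry.version, floor });
      }
    }
  }
  return violations;
}

// Stand-alone run over the constructed excerpt.
const found = findBelowFloor(SAMPLE_LOCK, FLOORS);
for (const v of found) console.log(`${v.name}@${v.version} is below floor ${v.floor}`);
```

Run it against the real yarn.lock by reading the file into `lockText` in place of `SAMPLE_LOCK`. An empty result means every descriptor of a remediated package resolved at or above its floor; it does not by itself confirm the alert is closed, since Dependabot re-evaluates the alert against the lockfile that lands on the default branch, so its re-scan after merge remains the authoritative check.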