Skip to content

Fix Dependabot alerts: upgrade electron-builder and patch vulnerable transitive deps#40

Merged
cold-logic merged 2 commits into
mainfrom
copilot/resolve-dependabot-alerts
Mar 7, 2026
Merged

Fix Dependabot alerts: upgrade electron-builder and patch vulnerable transitive deps#40
cold-logic merged 2 commits into
mainfrom
copilot/resolve-dependabot-alerts

Conversation

Copilot AI commented Mar 6, 2026

Copy link
Copy Markdown
Contributor

Multiple vulnerabilities in transitive dev dependencies via electron-builder: tar (5 path traversal/hardlink CVEs), minimatch (ReDoS across several major versions), and @isaacs/brace-expansion (uncontrolled resource consumption).

Changes

  • electron-builder 26.3.626.8.2 — new version pulls tar@^7.5.7 (resolves to patched 7.5.10), eliminating the tar@6.2.1 usage that had no in-range fix
  • Added electron-builder-squirrel-windows@26.8.2 explicitly as a dev dep — now a required peer of app-builder-lib@26.8.2
  • Added pnpm.overrides to pin vulnerable transitive minimatch and @isaacs/brace-expansion versions that can't be addressed via direct dependency updates:
"pnpm": {
  "overrides": {
    "@isaacs/brace-expansion@<=5.0.0": "5.0.1",
    "minimatch@<3.1.4": "3.1.5",
    "minimatch@>=5.0.0 <5.1.8": "5.1.9",
    "minimatch@>=9.0.0 <9.0.7": "9.0.9",
    "minimatch@>=10.0.0 <10.2.3": "10.2.4"
  }
}

All affected packages are dev-only (build tooling); no production runtime exposure.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/cold-logic/heos-controller/dependabot/alerts
    • Triggering command: /usr/bin/gh gh api /repos/cold-logic/heos-controller/dependabot/alerts (http block)

If you need me to access, download, or install something from one of these locations, you can either:


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

…nsitive deps

Co-authored-by: cold-logic <1334924+cold-logic@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix Dependabot alerts in project dependencies Fix Dependabot alerts: upgrade electron-builder and patch vulnerable transitive deps Mar 6, 2026
@cold-logic
cold-logic marked this pull request as ready for review March 7, 2026 01:30
Copilot AI review requested due to automatic review settings March 7, 2026 01:30
@cold-logic
cold-logic merged commit 3e4d247 into main Mar 7, 2026
5 checks passed
@cold-logic
cold-logic deleted the copilot/resolve-dependabot-alerts branch March 7, 2026 01:32

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses multiple Dependabot security alerts by upgrading electron-builder and patching vulnerable transitive dependencies. All affected packages are dev-only (build tooling), with no production runtime exposure.

Changes:

  • Upgrades electron-builder from 26.3.6 to 26.8.2 (exact pin), eliminating tar@6.2.1 (path traversal/hardlink CVEs) in favor of tar@7.5.10
  • Adds electron-builder-squirrel-windows@26.8.2 as an explicit dev dependency, now required as a peer by app-builder-lib@26.8.2
  • Adds pnpm.overrides in package.json to pin vulnerable transitive versions of minimatch (ReDoS) and @isaacs/brace-expansion (uncontrolled resource consumption)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
package.json Pins electron-builder to 26.8.2, adds electron-builder-squirrel-windows@26.8.2 as a dev dep, and adds pnpm.overrides for minimatch and @isaacs/brace-expansion
pnpm-lock.yaml Reflects the upgraded dependency tree: replaces tar@6.2.1 (and several other older package versions) with patched equivalents; all minimatch instances are now pinned to patched versions

Two nit-level findings were noted:

  1. Dead override (package.json line 62): The @isaacs/brace-expansion@<=5.0.0 override is never exercised because electron-builder@26.8.2 no longer uses @isaacs/brace-expansion at all — minimatch@10.2.4 switched to the unscoped brace-expansion@5.0.2. This is harmless but can be removed to avoid confusion.

  2. Version pin style change (package.json lines 56–57): Both electron-builder and electron-builder-squirrel-windows are now exact-pinned (26.8.2 without a caret), which is inconsistent with other dev deps (e.g. electron: ^39.2.7) and means future security fixes won't be automatically picked up.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json
},
"pnpm": {
"overrides": {
"@isaacs/brace-expansion@<=5.0.0": "5.0.1",

Copilot AI Mar 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The @isaacs/brace-expansion@<=5.0.0 override resolves to 5.0.1, but after the upgrade to electron-builder@26.8.2, the @isaacs/brace-expansion scoped package is no longer present anywhere in the resolved dependency tree. The new minimatch@10.2.4 switched to the unscoped brace-expansion@5.0.2 package instead. This override is a no-op in the current lockfile and can be safely removed to keep the overrides section lean and accurate. Keeping dead overrides may cause confusion for future maintainers about which vulnerabilities are actually still being mitigated.

Suggested change
"@isaacs/brace-expansion@<=5.0.0": "5.0.1",

Copilot uses AI. Check for mistakes.
Comment thread package.json
Comment on lines +56 to +57
"electron-builder": "26.8.2",
"electron-builder-squirrel-windows": "26.8.2",

Copilot AI Mar 7, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The electron-builder version specifier was changed from ^26.3.6 (a caret range allowing any compatible minor/patch update) to the exact pin 26.8.2. While pinning is intentional here to ensure the exact patched version is used, this means future pnpm update runs will never automatically pick up new electron-builder releases, which could cause security fixes in future versions to be missed. Consider using a range like >=26.8.2 <27.0.0 or adding a note in the README to periodically review this pin. This is also now inconsistent with electron which still uses ^39.2.7.

Suggested change
"electron-builder": "26.8.2",
"electron-builder-squirrel-windows": "26.8.2",
"electron-builder": ">=26.8.2 <27.0.0",
"electron-builder-squirrel-windows": ">=26.8.2 <27.0.0",

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants