Fix Dependabot alerts: upgrade electron-builder and patch vulnerable transitive deps#40
Conversation
…nsitive deps Co-authored-by: cold-logic <1334924+cold-logic@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR addresses multiple Dependabot security alerts by upgrading electron-builder and patching vulnerable transitive dependencies. All affected packages are dev-only (build tooling), with no production runtime exposure.
Changes:
- Upgrades
electron-builderfrom26.3.6to26.8.2(exact pin), eliminatingtar@6.2.1(path traversal/hardlink CVEs) in favor oftar@7.5.10 - Adds
electron-builder-squirrel-windows@26.8.2as an explicit dev dependency, now required as a peer byapp-builder-lib@26.8.2 - Adds
pnpm.overridesinpackage.jsonto pin vulnerable transitive versions ofminimatch(ReDoS) and@isaacs/brace-expansion(uncontrolled resource consumption)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
package.json |
Pins electron-builder to 26.8.2, adds electron-builder-squirrel-windows@26.8.2 as a dev dep, and adds pnpm.overrides for minimatch and @isaacs/brace-expansion |
pnpm-lock.yaml |
Reflects the upgraded dependency tree: replaces tar@6.2.1 (and several other older package versions) with patched equivalents; all minimatch instances are now pinned to patched versions |
Two nit-level findings were noted:
-
Dead override (
package.jsonline 62): The@isaacs/brace-expansion@<=5.0.0override is never exercised becauseelectron-builder@26.8.2no longer uses@isaacs/brace-expansionat all —minimatch@10.2.4switched to the unscopedbrace-expansion@5.0.2. This is harmless but can be removed to avoid confusion. -
Version pin style change (
package.jsonlines 56–57): Bothelectron-builderandelectron-builder-squirrel-windowsare now exact-pinned (26.8.2without a caret), which is inconsistent with other dev deps (e.g.electron: ^39.2.7) and means future security fixes won't be automatically picked up.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| }, | ||
| "pnpm": { | ||
| "overrides": { | ||
| "@isaacs/brace-expansion@<=5.0.0": "5.0.1", |
There was a problem hiding this comment.
The @isaacs/brace-expansion@<=5.0.0 override resolves to 5.0.1, but after the upgrade to electron-builder@26.8.2, the @isaacs/brace-expansion scoped package is no longer present anywhere in the resolved dependency tree. The new minimatch@10.2.4 switched to the unscoped brace-expansion@5.0.2 package instead. This override is a no-op in the current lockfile and can be safely removed to keep the overrides section lean and accurate. Keeping dead overrides may cause confusion for future maintainers about which vulnerabilities are actually still being mitigated.
| "@isaacs/brace-expansion@<=5.0.0": "5.0.1", |
| "electron-builder": "26.8.2", | ||
| "electron-builder-squirrel-windows": "26.8.2", |
There was a problem hiding this comment.
The electron-builder version specifier was changed from ^26.3.6 (a caret range allowing any compatible minor/patch update) to the exact pin 26.8.2. While pinning is intentional here to ensure the exact patched version is used, this means future pnpm update runs will never automatically pick up new electron-builder releases, which could cause security fixes in future versions to be missed. Consider using a range like >=26.8.2 <27.0.0 or adding a note in the README to periodically review this pin. This is also now inconsistent with electron which still uses ^39.2.7.
| "electron-builder": "26.8.2", | |
| "electron-builder-squirrel-windows": "26.8.2", | |
| "electron-builder": ">=26.8.2 <27.0.0", | |
| "electron-builder-squirrel-windows": ">=26.8.2 <27.0.0", |
Multiple vulnerabilities in transitive dev dependencies via
electron-builder:tar(5 path traversal/hardlink CVEs),minimatch(ReDoS across several major versions), and@isaacs/brace-expansion(uncontrolled resource consumption).Changes
electron-builder26.3.6→26.8.2— new version pullstar@^7.5.7(resolves to patched7.5.10), eliminating thetar@6.2.1usage that had no in-range fixelectron-builder-squirrel-windows@26.8.2explicitly as a dev dep — now a required peer ofapp-builder-lib@26.8.2pnpm.overridesto pin vulnerable transitiveminimatchand@isaacs/brace-expansionversions that can't be addressed via direct dependency updates:All affected packages are dev-only (build tooling); no production runtime exposure.
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/repos/cold-logic/heos-controller/dependabot/alerts/usr/bin/gh gh api /repos/cold-logic/heos-controller/dependabot/alerts(http block)If you need me to access, download, or install something from one of these locations, you can either:
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.