Merged
5 changes: 4 additions & 1 deletion .lore.md
Expand Up @@ -12,10 +12,13 @@
<!-- lore:019ed0b6-c2c6-7197-9cec-2026914ec51d -->
* **esbuild override cap in getsentry/spotlight — resolved at 0.28.1**: The pnpm override \`"esbuild": ">=0.25.0 <0.28.0"\` was a deliberate cap to avoid esbuild#4436 (erroring on destructuring for old targets). Trap: bumping to \`>=0.28.1\` looks risky because 0.28.x retained that behavior. Fix: the regression did NOT reappear in practice — website build succeeded without adding \`target: "es2020"\`. Override is now \`"esbuild": ">=0.28.1"\`, resolving Dependabot alerts #279 and #280. These alerts were merged via PR #1323 on 2026-06-16 and will auto-close without further action.

<!-- lore:019ef50a-80f4-736b-b2ec-4b8b7fb04d66 -->
* **getsentry/spotlight E2E: body.textContent() races React hydration — use web-first nav selector instead**: Trap: \`body.waitFor()\` then \`body.textContent() !== ''\` looks like a safe readiness check because the body element exists immediately. Fix: the body element is present in the SPA HTML shell before React hydrates, so a one-shot read races React's first render. Other tests pass incidentally due to \`sendTestEnvelope\` 500ms settle delay or explicit \`waitForTimeout(1000)\`. Stable readiness selector: \`nav\[aria-label="Navigation"]\` in \`TelemetrySidebar.tsx\` — renders unconditionally once React mounts, independent of event data. Use a \`waitForAppReady(page, timeout)\` helper in \`fixtures.ts\` that asserts this nav locator is visible with Playwright's built-in auto-retry.

<!-- lore:019e2b7e-99e1-7402-8c4f-9699919d7e69 -->
* **plist override breaks electron-builder osx-sign**: Forcing \`plist>=3.1.1\` via pnpm overrides bumps it to v5.x, which breaks \`@electron/osx-sign@1.0.5\` (used by \`electron-builder@24.13.3\`) due to incompatible CJS \`require()\` and new \`exports\` map. Fix: remove the \`plist\` override and instead override \`@xmldom/xmldom\` directly to \`>=0.8.13\` (first patched 0.8.x version). This keeps \`plist@3.1.0\` for osx-sign compatibility while eliminating the \`@xmldom/xmldom\` vulnerability.

### Pattern

<!-- lore:019ed0b6-c2ce-7193-9376-5e711e5d5441 -->
* **Security dep-bump workflow in getsentry/spotlight**: Pattern for resolving Dependabot alerts in getsentry/spotlight: (1) fetch alerts via \`gh api /repos/{owner}/{repo}/dependabot/alerts\`; (2) plan fix in \`.opencode/plans/\`; (3) bump pnpm overrides in root \`package.json\` AND bump direct deps in affected \`packages/\*/package.json\` where needed (e.g. astro direct dep); (4) run \`pnpm install\`, verify lockfile, run full \`pnpm build\` + \`vitest run\`; (5) create branch \`security/deps-\<descriptor>\` off main, commit, push, open PR. Vite major-version overrides must be bounded (e.g. \`<8\`) to prevent accidental major jumps. Untracked \`.opencode/\` and \`packages/website/content.config.ts\` are intentionally excluded from security commits. E2E UI test flakes are known — rerun before investigating.
* **Security dep-bump workflow in getsentry/spotlight**: Pattern for resolving Dependabot alerts in getsentry/spotlight: (1) fetch alerts via \`gh api /repos/{owner}/{repo}/dependabot/alerts\`; (2) plan fix in \`.opencode/plans/\`; (3) bump pnpm overrides in root \`package.json\` AND bump direct deps in affected \`packages/\*/package.json\` where needed; (4) run \`pnpm install\`, verify lockfile, run full \`pnpm build\` + \`vitest run\`; (5) create branch \`security/deps-\<descriptor>\` off main, commit, push, open PR. Vite major-version overrides must be bounded (e.g. \`<8\`) to prevent accidental major jumps. Untracked \`.opencode/\` and \`packages/website/content.config.ts\` are intentionally excluded from security commits. E2E UI test flakes are known — rerun before investigating. Playwright Chromium binary download/extraction can hang indefinitely in this environment; use CI to verify E2E fixes rather than local Playwright runs.
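Review bot: the new E2E lore entry prescribes a `waitForAppReady(page, timeout)` helper in `fixtures.ts` that asserts on `nav[aria-label="Navigation"]`, but this PR touches only `.lore.md` and `package.json`, so the entry records a recommendation that has not landed yet; either land the helper alongside the note or word the entry as "to do" so a later reader does not assume it exists. Two smaller points in the same hunk: the esbuild entry says "These alerts were merged via PR #1323", which should read that the fix was merged and the alerts will auto-close, and the rewritten workflow entry drops the "(e.g. astro direct dep)" example from step (3) while adding the Playwright-download caveat; if the astro example was dropped on purpose, a one-line mention of why (or keeping it) would help, since it is the only concrete case of a direct-dependency bump the pattern gave.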
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -46,7 +46,7 @@
"esbuild": ">=0.28.1",
"brace-expansion": ">=2.1.0 <3",
"tmp": ">=0.2.6",
"js-yaml": ">=4.1.1",
"js-yaml": ">=4.2.0 <5",
"body-parser": ">=2.2.1",
"mdast-util-to-hast": ">=13.2.1",
"defu": ">=6.1.5",
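Review bot: the `js-yaml` override moves from `">=4.1.1"` to `">=4.2.0 <5"`, but no `pnpm-lock.yaml` change appears in this PR's file list; the repository's own workflow (step 4 in `.lore.md`) is to run `pnpm install` and verify the lockfile, so please confirm the lock already resolves `js-yaml` to 4.2.0 or newer, otherwise a frozen-lockfile install in CI will fail and the raised floor will not take effect. The `<5` cap is the right call and matches the bounded-override rule documented for vite; the neighbouring `tmp`, `body-parser`, `mdast-util-to-hast` and `defu` overrides are still open-ended, so a follow-up that caps those the same way would keep the file consistent with that rule.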
Expand All @@ -55,6 +55,7 @@
"lodash": ">=4.18.0",
"@xmldom/xmldom": ">=0.8.13",
"@opentelemetry/core": ">=2.8.0",
"@babel/core": ">=7.29.6 <8",
"postcss": ">=8.5.10",
"qs": ">=6.15.2",
"svelte": ">=5.55.7",
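Review bot: the new `"@babel/core": ">=7.29.6 <8"` override is correctly bounded to the 7.x major, which matters here because Babel presets and plugins in the tree declare a `@babel/core` 7.x peer range and an unbounded override could force an incompatible major on them; however, unlike the esbuild entry in `.lore.md` (which cites alerts #279 and #280), neither this hunk nor the js-yaml one says which Dependabot alert it resolves, so please add the alert numbers to the PR description or the lore entry so the auto-close can be checked later. Minor: the override is inserted between `@opentelemetry/core` and `postcss` while the surrounding `postcss`, `qs` and `svelte` overrides remain uncapped; keeping a consistent ordering and capping the adjacent entries would match the rule this PR itself applies.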