Skip to content

fix(deps): resolve dependabot security alerts#541

Merged
lwshang merged 6 commits intomainfrom
lwshang/fix_dependencies
May 1, 2026
Merged

fix(deps): resolve dependabot security alerts#541
lwshang merged 6 commits intomainfrom
lwshang/fix_dependencies

Conversation

@lwshang
Copy link
Copy Markdown
Contributor

@lwshang lwshang commented May 1, 2026
edited
Loading

Summary

  • wasmtime: bump to 43.0.2
  • frontend dependencies: fix security vulnerabilities in the React example (vite bump to 6.4.2)
  • Cargo.lock: run cargo update to pull in latest compatible versions
  • Dismiss gix-date alert: alert feat: initial skeleton for build command #7 (CVE-2026-0810) is dismissed as tolerable risk — cargo-generate (the only consumer) pins gix-config ~0.48 which transitively requires gix-date ^0.11.1; no fix is available until cargo-generate updates its gix dependency chain
  • postcss: bump to 8.5.13 in docs-site — fixes GHSA-qx2v-qp2m-jg93 (XSS via unescaped </style>); supersedes Dependabot PR chore(deps): bump postcss from 8.5.6 to 8.5.13 in /docs-site #540
  • yaml: bump top-level to 2.8.3 in docs-site — partially fixes GHSA-48c2-rrv3-qjmp (stack overflow via deeply nested collections)

Why the yaml fix is incomplete

The remaining vulnerable instance is node_modules/yaml-language-server/node_modules/yaml@2.7.1, a nested install scoped to yaml-language-server. The dependency chain is:

@astrojs/check >=0.9.3
  → @astrojs/language-server >=2.14.0
    → volar-service-yaml@0.0.70  (latest release)
      → yaml-language-server@~1.20.0
        → yaml@2.7.1  (exact pin)

volar-service-yaml@0.0.70 is the latest available version and still pins yaml-language-server@~1.20.0, which pins yaml at exactly 2.7.1. There is no non-breaking upstream fix: npm audit fix --force would downgrade @astrojs/check to 0.9.2, which is the wrong direction. The nested install will resolve once volar-service-yaml ships a release that adopts a newer yaml-language-server.

Why example lock files are excluded from git

examples/ contains standalone frontend projects that each have their own package-lock.json (or equivalent). Committing these lock files causes Dependabot to open security alerts for every transitive JS dependency across all examples — but since the examples are templates/demos rather than deployed applications, pinning their transitive deps in git provides little value and creates significant noise.

The .gitignore rules added in this PR exclude:

  • examples/**/package-lock.json
  • examples/**/yarn.lock
  • examples/**/pnpm-lock.yaml

The example package.json files (which specify direct dependencies) are still tracked, so the examples remain usable and reproducible for their intended purpose.

Test plan

  • cargo build --bin icp succeeds
  • cargo test passes
  • cargo clippy clean

lwshang and others added 6 commits May 1, 2026 09:07
@lwshang
chore: wasmtime 43.0.2
b8ba999
@lwshang @claude
fix(deps): update frontend lockfile to fix security vulnerabilities
4036e88 
Addresses Dependabot alert #22 (CVE-2026-27606, GHSA-mw96-cpmx-2vgc):
- rollup: 4.52.5 -> 4.60.2 (arbitrary file write via path traversal)

Additional vulnerabilities fixed via npm audit fix:
- ajv: 6.12.6 -> 6.15.0 (ReDoS with $data option)
- brace-expansion: 1.1.12 -> 1.1.14 (ReDoS zero-step sequence)
- minimatch: 3.1.2 -> 3.1.5 (ReDoS repeated wildcards)
- picomatch: 2.3.1 -> 2.3.2 (method injection / ReDoS)
- postcss: 8.5.6 -> 8.5.13 (XSS via unescaped </style>)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@lwshang @claude
fix(deps): bump vite to 6.4.2 in react example
44d2c22 
Addresses Dependabot alert #63 (CVE-2026-39365, GHSA-4w7w-66w2-5vf9):
path traversal in optimized deps .map handling. All 5.x versions fall
within the vulnerable range (<= 6.4.1); 6.4.2 is the patched version.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@lwshang @claude
chore: exclude example lock files from git to reduce dependabot noise
79fd768 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@lwshang @claude
fix(deps): update Cargo.lock with latest dependency versions
868e587 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@lwshang @claude
fix(deps): bump postcss to 8.5.13 and yaml to 2.8.3 in docs-site
b431e06 
Fixes GHSA-qx2v-qp2m-jg93 (postcss XSS via unescaped </style>) and
partially fixes GHSA-48c2-rrv3-qjmp (yaml stack overflow via deeply
nested collections).

The top-level yaml is now 2.8.3. The nested
node_modules/yaml-language-server/node_modules/yaml remains at 2.7.1
because volar-service-yaml@0.0.70 (the latest release) pins
yaml-language-server@~1.20.0, which in turn pins yaml@2.7.1 exactly.
There is no non-breaking fix available upstream; the chain will resolve
once volar-service-yaml ships a release that adopts a newer
yaml-language-server.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@lwshang lwshang marked this pull request as ready for review May 1, 2026 15:16
@lwshang lwshang requested a review from a team as a code owner May 1, 2026 15:16
@lwshang lwshang enabled auto-merge (squash) May 1, 2026 15:16
@lwshang lwshang merged commit c062d8b into main May 1, 2026
94 checks passed
@lwshang lwshang deleted the lwshang/fix_dependencies branch May 1, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamspofford-dfinity adamspofford-dfinity adamspofford-dfinity approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lwshang @adamspofford-dfinity