
fix: resolve 8 dependabot security alerts + automated dependency management#76

Merged
vuon9 merged 7 commits into main from fix/dependabot-alerts on May 9, 2026

Conversation

@vuon9
Owner

@vuon9 vuon9 commented May 9, 2026

Summary

  • Resolves all 8 open Dependabot security alerts
  • Adds automated dependency management infrastructure
  • Removes stale package-lock.json (Bun uses bun.lockb)

Fixed Alerts

Go (5 alerts on 2 packages)

| Alert | Package | CVE | Severity | Fix |
|-------|---------|-----|----------|-----|
| #36 | gomarkdown/markdown | CVE-2026-40890 | HIGH | Upgraded to latest pseudo-version (2026-04-17) |
| #37 | go-git/go-git/v5 | CVE-2026-41506 | MEDIUM | Upgraded v5.16.4 -> v5.18.0 |
| #33 | go-git/go-git/v5 | CVE-2026-34165 | MEDIUM | Same upgrade |
| #32 | go-git/go-git/v5 | CVE-2026-33762 | LOW | Same upgrade |
| #22 | go-git/go-git/v5 | CVE-2026-25934 | MEDIUM | Same upgrade |

NPM (1 alert — postcss transitive dep)

| Alert | Package | CVE | Severity | Fix |
|-------|---------|-----|----------|-----|
| #38 | postcss | CVE-2026-41305 | MEDIUM | Added overrides to force >=8.5.10 |

Manually Dismissed (2 stale alerts)

| Alert | Package | Reason |
|-------|---------|--------|
| #2 | esbuild | Already at 0.27.4 > patched 0.25.0. Scanned stale package-lock.json. |
| #35 | vite | CVE-2026-39365 targets vite 6.x optimized deps .map feature. Project uses vite 5.x. |

New Infrastructure

.github/dependabot.yml

Weekly automated updates for:

  • Go modules (with vendor support)
  • npm (frontend directory)
  • GitHub Actions

.github/workflows/govulncheck (in CI)

  • Runs govulncheck on every push/PR
  • Uploads SARIF results to Security tab

.github/workflows/dependency-review.yml

  • Uses actions/dependency-review-action to block PRs introducing known-vulnerable packages

.github/workflows/dependabot-auto-merge.yml

  • Auto-merges Dependabot PRs that are semver-patch or semver-minor (not major)

Stale package-lock.json removed

  • Bun is the canonical package manager (bun.lockb)
  • The npm lockfile was causing false Dependabot alerts

Verification

  • Go tests: go test ./internal/... — all pass (7 packages)
  • Frontend tests: bun run test — 31/31 pass
  • Go build: go build . succeeds

Remaining Open Alerts

After merge and Dependabot rescan, all 6 remaining open alerts should auto-resolve:

  • GitHub already reports 6 vulnerabilities on default branch (1 high, 4 moderate, 1 low)
  • All are addressed by the Go/NPM upgrades in this PR

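The auto-merge rule in the PR description above ("semver-patch or semver-minor (not major)") as a stand-alone Go check. This is an added example, not code from the PR or from the devtoolbox repository; the function names and every version pair except the go-git bump are constructed here, and the Dependabot metadata step a real workflow would consult is not modeled. It goes beyond the rule as stated in two places a reviewer would want covered: a minor bump of a 0.x package is refused, because semver permits breaking changes in any 0.x minor release (the esbuild 0.25 to 0.27 kind of jump), and Go pseudo-versions such as the gomarkdown fix are refused because their core triple carries no semver meaning.

```go
// Added example, not code from the PR or the devtoolbox repository: checks a
// dependency bump against the PR's auto-merge rule plus two reviewer caveats.
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type version struct {
	n   [3]int // major, minor, patch
	pre string // suffix after the first '-', e.g. a Go pseudo-version timestamp
}

// parse accepts "1.2.3", "v1.2.3", "v1.2.3-rc1" and Go pseudo-versions such as
// "v0.0.0-20260417000000-abcdef012345"; build metadata after '+' is dropped.
func parse(s string) (version, error) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	core, _, _ = strings.Cut(core, "+")
	parts := strings.Split(core, ".")
	v := version{pre: pre}
	if len(parts) != 3 {
		return v, fmt.Errorf("not a semver: %q", s)
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		v.n[i] = x
	}
	return v, nil
}

// Classify returns "semver-major", "semver-minor" or "semver-patch" for the bump
// from oldV to newV, or "unknown" when either side is a pre-release or a Go
// pseudo-version (core triple 0.0.0), where "minor" and "patch" mean nothing.
func Classify(oldV, newV string) (string, error) {
	a, err := parse(oldV)
	if err != nil {
		return "", err
	}
	b, err := parse(newV)
	if err != nil {
		return "", err
	}
	if a == b {
		return "", fmt.Errorf("no version change: %s", newV)
	}
	if a.pre != "" || b.pre != "" {
		return "unknown", nil
	}
	for i, name := range []string{"semver-major", "semver-minor", "semver-patch"} {
		if a.n[i] != b.n[i] {
			return name, nil
		}
	}
	return "unknown", nil
}

// AutoMergeable applies the PR's rule (patch and minor only, never major) plus
// two caveats it leaves implicit: a downgrade never auto-merges, and a minor
// bump of a 0.x package is treated like a major one, because semver permits
// breaking changes in any 0.x minor release.
func AutoMergeable(oldV, newV string) (bool, string) {
	t, err := Classify(oldV, newV)
	if err != nil {
		return false, err.Error()
	}
	a, _ := parse(oldV)
	b, _ := parse(newV)
	for i := range a.n {
		if a.n[i] != b.n[i] {
			if b.n[i] < a.n[i] {
				return false, "downgrade"
			}
			break
		}
	}
	switch t {
	case "semver-patch":
		return true, t
	case "semver-minor":
		if a.n[0] == 0 {
			return false, "0.x minor bump may be breaking"
		}
		return true, t
	case "semver-major":
		return false, t
	}
	return false, "pre-release or pseudo-version: review by hand"
}

func main() {
	// Constructed cases; only the go-git pair is a bump the PR actually made.
	for _, c := range [][2]string{
		{"v5.16.4", "v5.18.0"}, {"8.5.9", "8.5.10"}, {"0.25.0", "0.27.4"},
		{"v5.18.0", "v6.0.0"}, {"v5.18.0", "v5.16.4"},
		{"v0.0.0-20250101000000-0123456789ab", "v0.0.0-20260417000000-abcdef012345"},
	} {
		ok, why := AutoMergeable(c[0], c[1])
		fmt.Printf("%s -> %s: auto-merge=%v (%s)\n", c[0], c[1], ok, why)
	}
}
```

Run it with `go run .`; in a workflow the same decision would sit in the auto-merge job, with the old and new versions taken from the Dependabot PR metadata rather than the constructed table.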
vuon9 added 5 commits May 9, 2026 23:20
- go: upgrade gomarkdown/markdown (HIGH CVE-2026-40890)
- go: upgrade go-git/go-git/v5 v5.16.4 -> v5.18.0 (4 CVEs: #37/#33/#32/#22)
- npm: add postcss >=8.5.10 override (MEDIUM CVE-2026-41305)
- ci: add govulncheck job + sarif upload to security tab
- ci: add dependency-review workflow (blocks PRs with known vulns)
- ci: add dependabot-auto-merge for semver-patch/minor bumps
- chore: enable weekly dependabot for gomod, npm, github-actions
- chore: remove stale package-lock.json (bun.lockb is canonical)
@vuon9 vuon9 force-pushed the fix/dependabot-alerts branch from 37a392d to 534a08e May 9, 2026 16:23
@github-actions
Contributor

github-actions Bot commented May 9, 2026

Code Coverage

| Package | Line Rate | Health |
|---------|-----------|--------|
| devtoolbox/internal/barcode | 90% | |
| devtoolbox/internal/codeformatter | 75% | |
| devtoolbox/internal/converter | 60% | |
| devtoolbox/internal/datagenerator | 79% | |
| devtoolbox/internal/datetimeconverter | 73% | |
| devtoolbox/internal/jwt | 42% | |
| devtoolbox/internal/numberconverter | 0% | |
| devtoolbox/internal/settings | 0% | |
| devtoolbox/internal/themes | 0% | |
| Summary | 64% (3406 / 5294) | |

Minimum allowed line rate is 60%

@vuon9 vuon9 merged commit 5fa0d43 into main May 9, 2026
6 checks passed
@vuon9 vuon9 deleted the fix/dependabot-alerts branch May 9, 2026 16:35
1 participant