fix(deps): resolve all 26 open Dependabot security alerts + enable automation #734

Closed. MaanavD wants to merge 3 commits into main from agents/dependabot-fix-all-issues-automation.

Conversation

MaanavD (Collaborator) commented May 27, 2026

Resolves all 26 open Dependabot security alerts and adds ongoing automation.

Fixes

  • electron bump ^34->^39.8.5 (15 CVEs in electron-chat-application)
  • postcss override ^8.5.10, vite ^6.4.2, defu ^6.1.5, picomatch ^4.0.4 (sdk_legacy/js transitive deps)
  • picomatch ^4.0.4, cookie ^0.7.0 (www transitive deps)
  • @langchain/core pinned ^0.3.80 (langchain-integration-example)

Automation added

  • .github/dependabot.yml — weekly version updates for npm, pip, NuGet, Cargo, GitHub Actions
  • .github/workflows/dependabot-auto-merge.yml — auto-approve + auto-merge Dependabot patch/minor/security PRs after CI passes; major bumps require human merge

- sdk_legacy/js: add npm overrides for postcss ^8.5.10, vite ^6.4.2,
  defu ^6.1.5, picomatch ^4.0.4; refresh lockfile
- www: add npm overrides for picomatch ^4.0.4, cookie ^0.7.0;
  refresh lockfile
- samples/js/electron-chat-application: bump electron ^34 -> ^39.8.5
  (resolves 15 CVEs: use-after-free, injection, and other issues)
- samples/js/langchain-integration-example: pin @langchain/core
  to ^0.3.80 (serialization injection CVE)
- .github/dependabot.yml: enable weekly version updates for npm,
  pip, nuget, cargo, and github-actions ecosystems
- .github/workflows/dependabot-auto-merge.yml: auto-approve and
  auto-merge Dependabot patch/minor/security PRs once CI passes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 27, 2026 23:37
vercel bot commented May 27, 2026

The latest updates on your projects.

Project: foundry-local | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 28, 2026 12:08am

@MaanavD MaanavD enabled auto-merge (squash) May 27, 2026 23:38

Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses a set of Dependabot-reported security alerts by updating vulnerable JavaScript dependencies (via direct bumps and npm overrides) and adds repository-level Dependabot automation (config + auto-merge workflow) to keep dependencies updated going forward.

Changes:

  • Adds npm overrides and lockfile updates to remediate vulnerable transitive dependencies in www/ and sdk_legacy/js/.
  • Pins/bumps sample app dependencies to resolve known advisories (Electron + LangChain core).
  • Introduces .github/dependabot.yml plus a GitHub Actions workflow to auto-approve and enable auto-merge for eligible Dependabot PRs.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated 4 comments.

Summary per file:

  • www/package.json: Adds npm overrides for picomatch and cookie to address transitive vulnerabilities.
  • www/package-lock.json: Updates resolved versions for overridden vulnerable packages.
  • sdk_legacy/js/package.json: Adds npm overrides for vulnerable transitive deps (postcss, vite, defu, picomatch).
  • sdk_legacy/js/package-lock.json: Updates lockfile to reflect overridden/transitively updated packages.
  • samples/js/langchain-integration-example/package.json: Pins @langchain/core to a non-latest version to avoid vulnerable/unstable resolutions.
  • samples/js/electron-chat-application/package.json: Bumps Electron to a newer major release to address multiple CVEs.
  • .github/workflows/dependabot-auto-merge.yml: Adds automation to auto-approve and conditionally enable auto-merge for Dependabot PRs.
  • .github/dependabot.yml: Adds weekly Dependabot version update configuration across multiple ecosystems and directories.
Files not reviewed (2)
  • sdk_legacy/js/package-lock.json: Language not supported
  • www/package-lock.json: Language not supported


Comment thread .github/workflows/dependabot-auto-merge.yml
Comment thread .github/workflows/dependabot-auto-merge.yml Outdated
Comment thread www/package.json
Comment on lines +55 to +58
"overrides": {
"picomatch": "^4.0.4",
"cookie": "^0.7.0"
},
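Review bot: this is a top-level `overrides` entry, so npm forces cookie ^0.7.0 onto every package in the www tree that depends on cookie, not only the consumer Dependabot flagged (@sveltejs/kit, which declares cookie ^0.6.0). Since the sdk_legacy/js change in this same PR scopes the picomatch override per parent package to avoid cross-major contamination, consider the same shape here, e.g. `"@sveltejs/kit": { "cookie": "^0.7.0" }`; if a global override is intended, run `npm ls cookie` after the lockfile refresh and confirm a single resolved version with no other dependent still expecting 0.6.x, given that cookie 0.7 throws on out-of-bounds characters in cookie names/paths/domains.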

MaanavD (Collaborator, Author) replied:

Checked: the latest @sveltejs/kit (v2.61.1, released today) still declares cookie: ^0.6.0, so there is no upstream version that natively requires ^0.7.x — upgrading @sveltejs/kit won't resolve the alert.

There is also no patched 0.6.x release; 0.6.0 is the last and only 0.6.x version, so pinning to a safe 0.6.x isn't possible either.

The override stays as ^0.7.0. The breaking change in cookie@0.7 is stricter validation of cookie names/paths/domains on creation (throws on out-of-bounds characters); SvelteKit only uses cookie for parsing request/response headers and for its cookies.set() API with well-formed cookie names, so the behavioral change doesn't apply here. This is the only viable path to close the Dependabot alert.

Comment thread sdk_legacy/js/package.json Outdated
- dependabot-auto-merge.yml: merge two auto-merge steps into one;
  explicitly exclude major semver bumps from auto-merge even when
  the update is security-related, matching stated policy
- sdk_legacy/js: replace global picomatch override with scoped ones
  so micromatch keeps picomatch@2.x (^2.3.2) and rollup/tinyglobby
  keep picomatch@4.x (^4.0.4), preventing cross-major contamination

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
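The auto-merge policy the PR description and the second commit message outline (approve and auto-merge Dependabot patch/minor PRs once CI passes; never auto-merge a major bump, even a security one), written out as an added example. This is not the PR's own .github/workflows/dependabot-auto-merge.yml, which is not shown on this page; it assumes the real dependabot/fetch-metadata action and the gh CLI that GitHub-hosted runners ship, and the trigger, job name and squash strategy are my choices.

```yaml
# Added example, not the PR's workflow file. Implements: Dependabot-only,
# least-privilege token, one combined approve + auto-merge step, and an
# unconditional exclusion of semver-major bumps (security-related or not).
name: Dependabot auto-merge

on: pull_request

# Least privilege: approving a PR and enabling auto-merge need only these.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Only PRs opened by Dependabot itself; a human-authored PR never matches.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Single step (the two earlier steps merged into one). Major bumps are
      # excluded regardless of whether the PR is a security update, so they
      # always wait for a human merge; patch and minor bumps proceed.
      - name: Approve and enable auto-merge (patch/minor only)
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr review --approve "$PR_URL"
          # --auto defers the merge until the branch's required checks pass
          gh pr merge --auto --squash "$PR_URL"
```

`gh pr merge --auto` only waits for status checks that branch protection on the target branch marks as required; without required checks the merge happens as soon as the approval condition is met, so "after CI passes" depends on that protection rule, not on the workflow alone.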
MaanavD (Collaborator, Author) commented May 29, 2026

Re-triggering CI — foundry-local-core 1.2.0 should now be published.

MaanavD (Collaborator, Author) commented Jun 8, 2026

Closing this PR.

The individual Dependabot security updates have since been merged separately, so this consolidated "fix-all" PR is now redundant and conflicts with main.

The remaining net-new pieces here were the expanded dependabot.yml (multi-ecosystem weekly version updates) and the dependabot-auto-merge.yml workflow. Those are better redone fresh against current main and reviewed as a standalone automation/policy change (the auto-merge workflow in particular needs the major-bump exclusion finalized and maintainer sign-off).

Recommend a quick follow-up check that no open security alerts remain uncovered by the individually-merged PRs. Thanks!

@MaanavD MaanavD closed this Jun 8, 2026
auto-merge was automatically disabled June 8, 2026 19:19
