Skip to content

security(deps): remediate 6 high Dependabot alerts — safe bumps (AVO-3258, PR 1 of 2)#1729

Merged
logason merged 1 commit into
mainfrom
claude/exciting-planck-wcx2qq
Jul 6, 2026
Merged

security(deps): remediate 6 high Dependabot alerts — safe bumps (AVO-3258, PR 1 of 2)#1729
logason merged 1 commit into
mainfrom
claude/exciting-planck-wcx2qq

Conversation

@ada-avo

@ada-avo ada-avo commented Jul 6, 2026

Copy link
Copy Markdown

What & why

PR 1 of the two-phase docs dependency remediation for AVO-3258. This PR contains only the clean, single-version bumps that require no code changes. The next 14 → 15 major upgrade is a separate follow-up (PR 2), and picomatch/minimatch are deferred pending a maintainer decision (see below).

Every version was verified against the registry per the mandatory supply-chain protocol: publish age > 7 days, no preinstall/install/postinstall scripts, not deprecated, and no unexpected transitive additions.

Changes

Package From To How Clears
next (direct) ^14.2.32 14.2.35 dependencies GHSA-mwv6-3258-q52c, GHSA-5j59-xgg2-r9c4
js-cookie 3.0.1 3.0.8 resolutions CVE-2026-46625
tmp 0.0.33 0.2.6 resolutions CVE-2026-44705
lodash 4.17.23 4.18.1 resolutions CVE-2026-4800
lodash-es 4.17.21 4.18.1 resolutions CVE-2026-4800
flatted 3.3.3 3.4.2 resolutions CVE-2026-33228

next@14.2.35 also brings its own @next/env@14.2.35 and @next/swc-*@14.2.33 (the swc pin is what next@14.2.35 itself declares — @next/swc@14.2.35 is not published). tmp@0.2.6 drops the now-unused os-tmpdir transitive.

Deviation from the brief (protocol-mandated)

The brief named lodash/lodash-es 4.18.0, but 4.18.0 is deprecated upstream ("Bad release. Please use lodash@4.17.21 instead."). Per the deprecation-check step, the minimal non-deprecated patched version is 4.18.1 (published 2026-04-01, clean), adopted here.

Deferred — needs a maintainer decision (raised on the Linear ticket)

  • minimatch 9.x → 9.0.7 pulls a suspicious transitive chain: brace-expansion@^5.0.2 → balanced-match@^4.0.2 → jackspeak. balanced-match has been a zero-dependency utility across its entire history; its 4.x line suddenly injecting an unrelated CLI-args parser is a supply-chain red flag (protocol step 6). Held for review.
  • picomatch 2.x and minimatch 3.x/5.x/7.x need per-major scoped pins (both packages coexist across multiple majors in the tree). Yarn 1 cannot express version-scoped resolutions cleanly, and this work is entangled with the minimatch 9.x decision, so all picomatch/minimatch pins are grouped into the follow-up.

All deferred consumers are dev/build-time tooling (eslint, glob, micromatch, avo CLI, ignore-walk), not shipped to docs-site users.

Verification

  • Post-install lockfile audit: only the intended packages changed; every resolved URL on registry.yarnpkg.com/registry.npmjs.org; integrity hashes intact on all 1124 entries; zero packages added; the brace-expansion@5 / balanced-match@4 / jackspeak chain is confirmed absent.
  • yarn build ✅ (production build)
  • yarn lint ✅ · yarn spellcheck ✅ (via pre-commit hook)

🤖 Generated with Claude Code


Generated by Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the app’s Next.js version to a newer release.
    • Added dependency version pinning for several packages to help keep installs more consistent and stable.

…umps (AVO-3258)

PR 1 of the two-phase docs dependency remediation. Only clean, single-version
bumps that require no code changes are included here. Each version was verified
against the registry per the supply-chain protocol: publish age > 7 days, no
install scripts, not deprecated, and no unexpected transitive additions.

Changes:
- next            ^14.2.32 -> 14.2.35  (direct dep; patch within 14.x)
                  clears GHSA-mwv6-3258-q52c, GHSA-5j59-xgg2-r9c4
- js-cookie       3.0.1    -> 3.0.8    (resolution)  clears CVE-2026-46625
- tmp             0.0.33   -> 0.2.6    (resolution)  clears CVE-2026-44705
                  (drops the now-unused os-tmpdir transitive)
- lodash          4.17.23  -> 4.18.1   (resolution)  clears CVE-2026-4800
- lodash-es       4.17.21  -> 4.18.1   (resolution)  clears CVE-2026-4800
- flatted         3.3.3    -> 3.4.2    (resolution)  clears CVE-2026-33228

Deviation from the brief (protocol-mandated): the brief named lodash/lodash-es
4.18.0, but 4.18.0 is deprecated upstream ("Bad release"). The minimal
non-deprecated patched version is 4.18.1, adopted here instead.

Deferred to a follow-up (needs a maintainer decision): picomatch and minimatch.
Both require per-major scoped pins that Yarn 1 cannot express cleanly, and the
minimatch 9.x fix (9.0.7) pulls a suspicious transitive chain
(brace-expansion@5 -> balanced-match@4 -> jackspeak) that trips the supply-chain
red-flag rule. Raised on the Linear ticket for a decision.

Post-install lockfile audit: only the intended packages changed; every resolved
URL is on registry.yarnpkg.com/registry.npmjs.org; integrity hashes intact; zero
packages added. Build and lint green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JiGFwb1xiFAEro3uVyahiD
@linear-code

linear-code Bot commented Jul 6, 2026

Copy link
Copy Markdown

AVO-3258

@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 6, 2026 11:33am

Request Review

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The next dependency version was pinned from ^14.2.32 to 14.2.35, and a new resolutions block was added to package.json to pin transitive dependency versions for js-cookie, tmp, lodash, lodash-es, and flatted.

Changes

Dependency Updates

Layer / File(s) Summary
Version pins and resolutions
package.json
Bumped next to 14.2.35 and added a resolutions block pinning js-cookie, tmp, lodash, lodash-es, and flatted.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Poem

Hop, hop, versions locked in place,
No more drift in dependency space,
A pin here, a bump there,
Tidy packages beyond compare,
This rabbit thumps with joyful grace! 🐇📦

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes a security dependency remediation with safe bumps and matches the package.json dependency updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/exciting-planck-wcx2qq

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 20: The current next pin is still on the 14.x line, which is end-of-life,
so the dependency should be moved off the deprecated major rather than left at
the last 14.x patch. Update the next version in package.json to a supported
major release that includes the newer security fixes, and keep the existing
14.2.35 pin only if you explicitly document it as a temporary stopgap in this
PR. Use the next dependency entry as the anchor for the change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 27f4ad1e-ebee-4a20-9270-c68e4df0f29e

📥 Commits

Reviewing files that changed from the base of the PR and between 19bff45 and e57e196.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
@logason logason merged commit 5e95043 into main Jul 6, 2026
4 checks passed
@logason logason deleted the claude/exciting-planck-wcx2qq branch July 6, 2026 14:01
ada-avo pushed a commit that referenced this pull request Jul 6, 2026
…58, PR 3 of 3)

Clears the picomatch/minimatch alerts deferred from PR 1 (#1729). All affected
consumers are dev/build-time tooling (eslint, glob, avo CLI, ignore-walk,
@typescript-eslint/typescript-estree, micromatch), none shipped to docs users.

Scoped yarn resolutions, per-major:
- picomatch  2.3.1 -> 2.3.2  (micromatch)                        CVE-2026-33671
- minimatch  3.1.2 -> 3.1.4  (eslint tree + glob)               CVE-2026-27903/-27904
- minimatch  5.1.6 -> 5.1.8  (ignore-walk)                      CVE-2026-27903/-27904
- minimatch  7.4.6 -> 7.4.8  (avo)                              CVE-2026-27903/-27904
- minimatch  9.0.5 -> 9.0.9  (@typescript-eslint/typescript-estree)  CVE-2026-27903/-27904

minimatch 9.x pinned to 9.0.9 (not 9.0.7/9.0.8): 9.0.7/9.0.8 depend on
brace-expansion@^5 -> balanced-match@^4 -> jackspeak, the suspicious chain
flagged in review. 9.0.9 reverts to brace-expansion@^2.0.2, so that chain is
absent. Verified against the registry (published 2026-02-26, not deprecated,
no install scripts, brace-expansion@^2.0.2 only).

Mechanism note: these pins use the `**/<parent>/<pkg>` rooted-glob form.
Yarn 1's bare-name resolutions collapse all majors to one version, plain
parent-scoped keys do not bind nested consumers, and range-qualified keys are
unsupported; only the `**/` rooted form binds each vulnerable major to its patch
without disturbing the safe picomatch 4.0.x copies.

Lockfile audit: only minimatch, picomatch, and brace-expansion changed. The new
brace-expansion@2.1.1 (pulled by minimatch 7.4.8/9.0.9's ^2.0.2) stays on the
clean 2.x -> balanced-match@^1.0.0 chain (published 2026-05-25, no install
scripts). Every resolved URL is on registry.yarnpkg.com/registry.npmjs.org;
integrity hashes intact; zero new packages; jackspeak / balanced-match@4 /
brace-expansion@5 confirmed absent. Build + lint + spellcheck green.

Note: the mandated live alert re-pull (gh api dependabot/alerts) was not
available in this session (GitHub REST not enabled); relied on the brief's
alert list (verified 2026-07-06) plus per-package registry verification.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
ada-avo pushed a commit that referenced this pull request Jul 6, 2026
… of 3)

Completes the docs Dependabot remediation. PR 1 (#1729) could not clear 4 of the
6 `next` advisories (fixed only in 15.5.15/15.5.16), so full Vanta clearance
requires the 14 -> 15 major upgrade.

Clears: GHSA-h25m-26qc-wcjf, GHSA-q4gf-8mx6-v5v3, CVE-2026-44573, CVE-2026-44578,
GHSA-8h8q-6873-q5fj.

- next             ^14.2.32 -> 15.5.16  (minimal for clearance; not 16.x latest)
- react            ^18.3.1  -> 19.2.7   (required by Next 15)
- react-dom        ^18.3.1  -> 19.2.7
- @types/react     ^18.3.12 -> ^19.2.17
- @types/react-dom ^18.3.1  -> ^19.2.3
- react-medium-image-zoom 5.2.5 -> 5.4.8  (official React 19 support; it is used
                   on the landing page; clears its runtime peer warning)

Code change: pages/_document.tsx now imports the `JSX` type from 'react'
(@types/react 19 removed the global JSX namespace). This is a Pages-router
Nextra 3 site, so the app-router async request API changes
(cookies()/headers()/params) do not apply -- _document's getInitialProps is
unaffected. next.config.mjs uses no Next-15-removed options. next-env.d.ts was
regenerated by Next 15 (typed-routes reference).

Verification (production build + `next start` + browser spot-check, per the brief):
- yarn build / tsc --noEmit / yarn lint / yarn spellcheck all green
- Chromium spot-check of landing, content pages, search and navigation under
  React 19: pages render, flexsearch returns results, sidebar nav works, the
  image-zoom modal opens, mermaid/SVG render. ZERO uncaught errors and ZERO
  hydration warnings across all pages. (The only console errors are external
  analytics CDNs blocked by the sandbox network egress -- environmental, not code.)

Every bumped package verified against the registry (age > 7d, no install scripts,
not deprecated, dependency-delta clean). The one remaining peer warning is a
Nextra build-time transitive (@theguild/remark-mermaid wants react ^18.2.0) -- a
remark plugin, not runtime React; mermaid renders correctly.

Note: the mandated live alert re-pull (gh api dependabot/alerts) was not
available in this session (GitHub REST not enabled); relied on the brief's alert
list (verified 2026-07-06) plus per-package registry verification.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants