security(deps): remediate 6 high Dependabot alerts — safe bumps (AVO-3258, PR 1 of 2)#1729
Conversation
…umps (AVO-3258)
PR 1 of the two-phase docs dependency remediation. Only clean, single-version
bumps that require no code changes are included here. Each version was verified
against the registry per the supply-chain protocol: publish age > 7 days, no
install scripts, not deprecated, and no unexpected transitive additions.
Changes:
- next ^14.2.32 -> 14.2.35 (direct dep; patch within 14.x)
clears GHSA-mwv6-3258-q52c, GHSA-5j59-xgg2-r9c4
- js-cookie 3.0.1 -> 3.0.8 (resolution) clears CVE-2026-46625
- tmp 0.0.33 -> 0.2.6 (resolution) clears CVE-2026-44705
(drops the now-unused os-tmpdir transitive)
- lodash 4.17.23 -> 4.18.1 (resolution) clears CVE-2026-4800
- lodash-es 4.17.21 -> 4.18.1 (resolution) clears CVE-2026-4800
- flatted 3.3.3 -> 3.4.2 (resolution) clears CVE-2026-33228
Deviation from the brief (protocol-mandated): the brief named lodash/lodash-es
4.18.0, but 4.18.0 is deprecated upstream ("Bad release"). The minimal
non-deprecated patched version is 4.18.1, adopted here instead.
Deferred to a follow-up (needs a maintainer decision): picomatch and minimatch.
Both require per-major scoped pins that Yarn 1 cannot express cleanly, and the
minimatch 9.x fix (9.0.7) pulls a suspicious transitive chain
(brace-expansion@5 -> balanced-match@4 -> jackspeak) that trips the supply-chain
red-flag rule. Raised on the Linear ticket for a decision.
Post-install lockfile audit: only the intended packages changed; every resolved
URL is on registry.yarnpkg.com/registry.npmjs.org; integrity hashes intact; zero
packages added. Build and lint green.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JiGFwb1xiFAEro3uVyahiD
|
Bugbot is not enabled for this team, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
📝 WalkthroughWalkthroughThe ChangesDependency Updates
Estimated code review effort: 1 (Trivial) | ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 20: The current next pin is still on the 14.x line, which is end-of-life,
so the dependency should be moved off the deprecated major rather than left at
the last 14.x patch. Update the next version in package.json to a supported
major release that includes the newer security fixes, and keep the existing
14.2.35 pin only if you explicitly document it as a temporary stopgap in this
PR. Use the next dependency entry as the anchor for the change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 27f4ad1e-ebee-4a20-9270-c68e4df0f29e
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (1)
package.json
…58, PR 3 of 3) Clears the picomatch/minimatch alerts deferred from PR 1 (#1729). All affected consumers are dev/build-time tooling (eslint, glob, avo CLI, ignore-walk, @typescript-eslint/typescript-estree, micromatch), none shipped to docs users. Scoped yarn resolutions, per-major: - picomatch 2.3.1 -> 2.3.2 (micromatch) CVE-2026-33671 - minimatch 3.1.2 -> 3.1.4 (eslint tree + glob) CVE-2026-27903/-27904 - minimatch 5.1.6 -> 5.1.8 (ignore-walk) CVE-2026-27903/-27904 - minimatch 7.4.6 -> 7.4.8 (avo) CVE-2026-27903/-27904 - minimatch 9.0.5 -> 9.0.9 (@typescript-eslint/typescript-estree) CVE-2026-27903/-27904 minimatch 9.x pinned to 9.0.9 (not 9.0.7/9.0.8): 9.0.7/9.0.8 depend on brace-expansion@^5 -> balanced-match@^4 -> jackspeak, the suspicious chain flagged in review. 9.0.9 reverts to brace-expansion@^2.0.2, so that chain is absent. Verified against the registry (published 2026-02-26, not deprecated, no install scripts, brace-expansion@^2.0.2 only). Mechanism note: these pins use the `**/<parent>/<pkg>` rooted-glob form. Yarn 1's bare-name resolutions collapse all majors to one version, plain parent-scoped keys do not bind nested consumers, and range-qualified keys are unsupported; only the `**/` rooted form binds each vulnerable major to its patch without disturbing the safe picomatch 4.0.x copies. Lockfile audit: only minimatch, picomatch, and brace-expansion changed. The new brace-expansion@2.1.1 (pulled by minimatch 7.4.8/9.0.9's ^2.0.2) stays on the clean 2.x -> balanced-match@^1.0.0 chain (published 2026-05-25, no install scripts). Every resolved URL is on registry.yarnpkg.com/registry.npmjs.org; integrity hashes intact; zero new packages; jackspeak / balanced-match@4 / brace-expansion@5 confirmed absent. Build + lint + spellcheck green. Note: the mandated live alert re-pull (gh api dependabot/alerts) was not available in this session (GitHub REST not enabled); relied on the brief's alert list (verified 2026-07-06) plus per-package registry verification. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
… of 3) Completes the docs Dependabot remediation. PR 1 (#1729) could not clear 4 of the 6 `next` advisories (fixed only in 15.5.15/15.5.16), so full Vanta clearance requires the 14 -> 15 major upgrade. Clears: GHSA-h25m-26qc-wcjf, GHSA-q4gf-8mx6-v5v3, CVE-2026-44573, CVE-2026-44578, GHSA-8h8q-6873-q5fj. - next ^14.2.32 -> 15.5.16 (minimal for clearance; not 16.x latest) - react ^18.3.1 -> 19.2.7 (required by Next 15) - react-dom ^18.3.1 -> 19.2.7 - @types/react ^18.3.12 -> ^19.2.17 - @types/react-dom ^18.3.1 -> ^19.2.3 - react-medium-image-zoom 5.2.5 -> 5.4.8 (official React 19 support; it is used on the landing page; clears its runtime peer warning) Code change: pages/_document.tsx now imports the `JSX` type from 'react' (@types/react 19 removed the global JSX namespace). This is a Pages-router Nextra 3 site, so the app-router async request API changes (cookies()/headers()/params) do not apply -- _document's getInitialProps is unaffected. next.config.mjs uses no Next-15-removed options. next-env.d.ts was regenerated by Next 15 (typed-routes reference). Verification (production build + `next start` + browser spot-check, per the brief): - yarn build / tsc --noEmit / yarn lint / yarn spellcheck all green - Chromium spot-check of landing, content pages, search and navigation under React 19: pages render, flexsearch returns results, sidebar nav works, the image-zoom modal opens, mermaid/SVG render. ZERO uncaught errors and ZERO hydration warnings across all pages. (The only console errors are external analytics CDNs blocked by the sandbox network egress -- environmental, not code.) Every bumped package verified against the registry (age > 7d, no install scripts, not deprecated, dependency-delta clean). The one remaining peer warning is a Nextra build-time transitive (@theguild/remark-mermaid wants react ^18.2.0) -- a remark plugin, not runtime React; mermaid renders correctly. Note: the mandated live alert re-pull (gh api dependabot/alerts) was not available in this session (GitHub REST not enabled); relied on the brief's alert list (verified 2026-07-06) plus per-package registry verification. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018xytCgBQ6DmXUEMKWbKKBH
What & why
PR 1 of the two-phase docs dependency remediation for AVO-3258. This PR contains only the clean, single-version bumps that require no code changes. The
next14 → 15 major upgrade is a separate follow-up (PR 2), andpicomatch/minimatchare deferred pending a maintainer decision (see below).Every version was verified against the registry per the mandatory supply-chain protocol: publish age > 7 days, no
preinstall/install/postinstallscripts, not deprecated, and no unexpected transitive additions.Changes
next(direct)dependenciesjs-cookieresolutionstmpresolutionslodashresolutionslodash-esresolutionsflattedresolutionsnext@14.2.35also brings its own@next/env@14.2.35and@next/swc-*@14.2.33(the swc pin is whatnext@14.2.35itself declares —@next/swc@14.2.35is not published).tmp@0.2.6drops the now-unusedos-tmpdirtransitive.Deviation from the brief (protocol-mandated)
The brief named
lodash/lodash-es4.18.0, but 4.18.0 is deprecated upstream ("Bad release. Please use lodash@4.17.21 instead."). Per the deprecation-check step, the minimal non-deprecated patched version is 4.18.1 (published 2026-04-01, clean), adopted here.Deferred — needs a maintainer decision (raised on the Linear ticket)
minimatch9.x → 9.0.7 pulls a suspicious transitive chain:brace-expansion@^5.0.2 → balanced-match@^4.0.2 → jackspeak.balanced-matchhas been a zero-dependency utility across its entire history; its 4.x line suddenly injecting an unrelated CLI-args parser is a supply-chain red flag (protocol step 6). Held for review.picomatch2.x andminimatch3.x/5.x/7.x need per-major scoped pins (both packages coexist across multiple majors in the tree). Yarn 1 cannot express version-scoped resolutions cleanly, and this work is entangled with theminimatch9.x decision, so allpicomatch/minimatchpins are grouped into the follow-up.All deferred consumers are dev/build-time tooling (eslint, glob, micromatch, avo CLI, ignore-walk), not shipped to docs-site users.
Verification
resolvedURL onregistry.yarnpkg.com/registry.npmjs.org; integrity hashes intact on all 1124 entries; zero packages added; thebrace-expansion@5 / balanced-match@4 / jackspeakchain is confirmed absent.yarn build✅ (production build)yarn lint✅ ·yarn spellcheck✅ (via pre-commit hook)🤖 Generated with Claude Code
Generated by Claude Code
Summary by CodeRabbit