
Conversation

@miguelcalderon
Contributor

Summary

This PR addresses security vulnerabilities identified by Dependabot.

Branch: miguel/vuln-deps-2026-01-12

Changes

  • Angular example: Added npm overrides to pin @angular/core and @angular/compiler to 21.0.7 (patches XSS vulnerability via unsanitized SVG)
  • GatsbyJS example: Updated transitive dependencies (@swc/helpers, tslib)
  • Laravel example: Updated cryptographic libraries (bn.js, browserify-rsa, browserify-sign, hash-base, parse-asn1, pbkdf2, ripemd160)

Remaining Vulnerabilities (4)

These vulnerabilities could not be automatically fixed and require manual intervention:

Package                      Severity  Summary                                             Reason
elliptic                     low       Elliptic Uses a Cryptographic Primitive...          No patch available
@angular/core                high      Angular has XSS Vulnerability via Unsanitized SVG   Breaking changes (pinned via override)
@angular/compiler            high      Angular has XSS Vulnerability via Unsanitized SVG   Breaking changes (pinned via override)
@parcel/reporter-dev-server  medium    Parcel has an Origin Validation Error vulnerability No patch available

Notes

This is an automated security maintenance PR. Changes were reviewed before submission.

Addresses 2 high/critical vulnerabilities identified by Dependabot.
@miguelcalderon miguelcalderon self-assigned this Jan 12, 2026
@miguelcalderon miguelcalderon requested a review from a team January 12, 2026 05:46
Member

@divyanshu013 divyanshu013 left a comment


Looks good to me.

- Bumped @angular/* packages from ^21.0.3 to ^21.0.8 in dependencies
- Removed @angular/core and @angular/compiler from overrides
- Kept qs override as it's a transitive dependency
- Direct dependencies should be bumped directly, not via overrides

Co-Authored-By: Claude Opus 4.5 <[email protected]>
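The distinction the review turns on (raise the declared range of a direct dependency, reserve `overrides` for transitive ones, and treat an override that shadows a direct dependency as a smell) can be checked mechanically. The following is an added example, not code from this PR or the repository: a small Node script that takes a `package.json` object and a list of advisories and produces a fix plan. The `SAMPLE_PACKAGE_JSON`, `REVIEWED_PACKAGE_JSON` and `SAMPLE_ADVISORIES` values are constructed to mirror the state of this PR before and after review; the `qs` version and the `elliptic` entry are placeholders, not values taken from the real advisories.

```javascript
// Added example (not part of the PR): plan dependency fixes from a package.json
// object and a list of advisories, and flag overrides that shadow direct deps.

// Minimal "major.minor.patch" parser; a leading ^ or ~ is ignored so that we
// compare the floor of a declared range. Pre-release tags are not modelled.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` (or the floor of the range) is >= `minimum`.
function atLeast(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// advisories: [{ name, fixedIn }]; fixedIn === null means no patched release.
// Returns one plan entry per advisory.
function planFixes(pkg, advisories) {
  const direct = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const overrides = pkg.overrides || {};
  return advisories.map(({ name, fixedIn }) => {
    const declared = direct[name];
    const override = overrides[name];
    const kind = declared !== undefined ? 'direct' : 'transitive';
    if (fixedIn === null) {
      // Nothing to pin to; the only option is to track upstream.
      return { name, kind, action: 'no patch available; track upstream', patched: false, warnings: [] };
    }
    if (kind === 'direct') {
      // A direct dependency is fixed by raising its own range. A range whose
      // floor is below the patched version can still lock to a vulnerable one.
      const patched = atLeast(declared, fixedIn);
      const warnings = [];
      if (override !== undefined) {
        warnings.push('override shadows a direct dependency; bump the range instead');
      }
      return { name, kind, action: patched ? 'none' : `bump to ^${fixedIn}`, patched, warnings };
    }
    // A transitive dependency can only be pinned from package.json via overrides.
    const patched = override !== undefined && atLeast(override, fixedIn);
    return { name, kind, action: patched ? 'none' : `add override "${name}": "${fixedIn}"`, patched, warnings: [] };
  });
}

// Constructed sample: the Angular example as submitted (pinned via overrides).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@angular/core': '^21.0.3', '@angular/compiler': '^21.0.3' },
  overrides: { '@angular/core': '21.0.7', '@angular/compiler': '21.0.7', qs: '1.2.3' },
};

// Constructed sample: the same manifest after applying the review feedback.
const REVIEWED_PACKAGE_JSON = {
  dependencies: { '@angular/core': '^21.0.8', '@angular/compiler': '^21.0.8' },
  overrides: { qs: '1.2.3' },
};

// Constructed advisory list; the qs and elliptic values are placeholders.
const SAMPLE_ADVISORIES = [
  { name: '@angular/core', fixedIn: '21.0.7' },
  { name: '@angular/compiler', fixedIn: '21.0.7' },
  { name: 'qs', fixedIn: '1.2.3' },
  { name: 'elliptic', fixedIn: null },
];

console.log(JSON.stringify(planFixes(SAMPLE_PACKAGE_JSON, SAMPLE_ADVISORIES), null, 2));
console.log(JSON.stringify(planFixes(REVIEWED_PACKAGE_JSON, SAMPLE_ADVISORIES), null, 2));
```

Run against the as-submitted manifest, the plan reports both Angular packages as direct dependencies whose declared range still needs bumping and warns that the override shadows them; against the reviewed manifest the Angular entries need no action and carry no warning, while `qs` stays a legitimate override and `elliptic` is left as "track upstream".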
@miguelcalderon miguelcalderon merged commit 9892ec2 into main Jan 12, 2026
3 checks passed
@miguelcalderon miguelcalderon deleted the miguel/vuln-deps-2026-01-12 branch January 12, 2026 09:22
3 participants