Bump dependencies flagged by dependabot #1953

Shinomix · 2025-03-17T10:14:23Z

In this PR we bump all the dependencies flagged by dependabot as having alerts:

terser-webpack-plugin~5.3.11, sub-dependency of webpack to patch serialize-javascript
karma~6.4.4, to include socket.io^4.7.2
socket.io-adapter, sub-dependency of karma to include ws~8.17.1
rack~2.2.13 to include CVE patches

With all these bumps, we should be able to pass the dependabot step again and rollout the gem to Rubygems.

These are development dependencies, if CI is green this shouldn't cause any problem nor require further testing.

Before submitting the PR, please consider if any of the following are needed:

…ncy to serialize-javascript~6.0.1

Shinomix added 2 commits March 17, 2025 10:52

Bump terser-webpack-plugin subdependency to ~5.3.11 to remove depende…

b957972

…ncy to serialize-javascript~6.0.1

Bump rack to 2.2.13 to include CVE patches

c932624

Shinomix added the dependencies Pull requests that update a dependency file label Mar 17, 2025

Shinomix requested a review from a team as a code owner March 17, 2025 10:14

hubb approved these changes Mar 17, 2025

View reviewed changes

lizkenyon approved these changes Mar 17, 2025

View reviewed changes

Shinomix merged commit 0f28d84 into main Mar 17, 2025
8 checks passed

Shinomix deleted the bump-risky-dependencies branch March 17, 2025 13:50

shopify-shipit bot temporarily deployed to rubygems March 17, 2025 15:11 Inactive

Provide feedback