chore: update vulnerable dependencies in pg-manual#58

Merged: rubenhensen merged 1 commit into main from chore/update-vulnerable-deps-57 on Jun 12, 2026

@dobby-coder dobby-coder Bot commented Jun 11, 2026

Contributor

Closes #57

All three advisories resolve to packages in pg-manual's lockfile only (none appear in pg-sveltekit, pg-node, or pg-dotnet):

  • shell-quote 1.8.3 -> 1.8.4 (GHSA-w7jw-789q-3m8p, critical) — in-range lockfile refresh via launch-editor.
  • qs 6.15.1 -> 6.15.2 (GHSA-q8mj-m7cp-5q26) — in-range lockfile refresh via url/express/body-parser.
  • uuid 8.3.2 -> 11.1.1 (GHSA-w5hq-g745-h8pq) — major bump via npm overrides, since sockjs (latest, 0.3.24) still pins ^8.3.2. Chose 11.1.1 over 12–14 because those are ESM-only and sockjs loads uuid through require(); 11.1.1 is the newest patched line that keeps a CJS entry point.

Verified: npm audit reports 0 vulnerabilities, npm run build compiles clean with no export warnings, and webpack serve starts normally.

This repo has no build/test CI (only the PR title check), so please review manually.

shell-quote 1.8.3 -> 1.8.4 (GHSA-w7jw-789q-3m8p), qs 6.15.1 -> 6.15.2
(GHSA-q8mj-m7cp-5q26) via lockfile refresh. uuid 8.3.2 -> 11.1.1
(GHSA-w5hq-g745-h8pq) via npm override since sockjs pins ^8.3.2.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@dobby-coder dobby-coder Bot requested a review from rubenhensen June 11, 2026 17:23
@rubenhensen rubenhensen marked this pull request as ready for review June 12, 2026 07:34
@rubenhensen rubenhensen merged commit 3aea16e into main Jun 12, 2026
1 check passed
@rubenhensen rubenhensen deleted the chore/update-vulnerable-deps-57 branch June 12, 2026 07:34
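
A lockfile check for the situation this PR describes, as an added example that is not part of the PR or the pg-manual repository: it flags any installed copy of the three packages, top-level or nested, that is below the version the PR moves to. The lockfile fragment is constructed, the function names are hypothetical, and treating the PR's target versions as floors is an assumption.

```javascript
// Target versions from the PR description, used here as floors (assumption).
const FLOORS = { "shell-quote": "1.8.4", qs: "6.15.2", uuid: "11.1.1" };

// Constructed lockfile fragment (lockfileVersion 3 layout), not the real one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "pg-manual" },
    "node_modules/shell-quote": { version: "1.8.4" },
    "node_modules/qs": { version: "6.15.2" },
    "node_modules/uuid": { version: "11.1.1" },
    "node_modules/sockjs": { version: "0.3.24" },
    // Nested copy as it would look if sockjs's ^8.3.2 range were not overridden.
    "node_modules/sockjs/node_modules/uuid": { version: "8.3.2" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null.
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Numeric x.y.z comparison (so 6.15.10 > 6.15.2); prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of a tracked package that sits below its floor.
function findStaleCopies(lock, floors) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    const tracked = name && Object.prototype.hasOwnProperty.call(floors, name);
    if (!tracked || !entry.version) continue;
    if (compareVersions(entry.version, floors[name]) < 0) {
      stale.push({ path, name, version: entry.version, floor: floors[name] });
    }
  }
  return stale;
}

console.log(findStaleCopies(SAMPLE_LOCK, FLOORS));
```

Because the walk covers nested `node_modules` paths, a patched top-level copy does not hide an older copy pinned under a dependent such as sockjs.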
Development

Successfully merging this pull request may close these issues.

chore: update vulnerable dependencies (security audit 2026-06-10)