
Resolve Dependabot security alerts (534) #8

Merged
AlexP11223 merged 3 commits into dev/main from dev/IZET-534-resolve-dependabot-alerts on Mar 20, 2026

Conversation

@danieldudzic (Contributor)

Description

Resolves all Dependabot security alerts by updating vulnerable dependencies across npm and Composer lock files.

Root (package-lock.json):

  • Updated minimatch to fix ReDoS vulnerabilities

Modules (paypal-pos-assets, paypal-pos-product-debug, paypal-pos-product-settings):

  • Upgraded @symfony/webpack-encore from v4 to v6
  • Bumped webpack-cli to ^6, postcss-loader to ^8, sass-loader to ^16
  • Updated cleanupOutputBeforeBuild() calls in webpack configs (v6 breaking change)
  • Resolves: serialize-javascript, webpack-dev-server, minimatch, immutable, node-forge, svgo, lodash, qs, js-yaml, ajv, tough-cookie, form-data vulnerabilities

Composer (composer.lock):

  • Updated phpunit/phpunit from 9.6.29 to 9.6.34 (fixes CVE-2026-24765 unsafe deserialization)

Supersedes #7.

Steps to Test

  1. Run npm audit in root, modules.local/paypal-pos-assets, modules.local/paypal-pos-product-debug, and modules.local/paypal-pos-product-settings — all should report 0 vulnerabilities
  2. Run ddev composer audit — should report no security advisories
  3. Run npx encore production in each of the 3 module directories — all builds should succeed
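
An added example (not part of this PR) that turns the three test steps above into one pass/fail gate: it runs npm audit --json in the four listed directories, ddev composer audit --format=json at the root, and npx encore production in the three module directories, failing on any reported finding or failed build. The JSON shapes relied on (npm's metadata.vulnerabilities.total and Composer's advisories map) and the --format=json pass-through via ddev are assumptions.

```python
import json
import subprocess

# Directories from the PR's "Steps to Test" (repo-relative paths).
NPM_DIRS = [".", "modules.local/paypal-pos-assets",
            "modules.local/paypal-pos-product-debug",
            "modules.local/paypal-pos-product-settings"]

# Constructed sample outputs in the assumed npm 7+ / composer 2.4+ JSON shapes.
SAMPLE_NPM = ('{"metadata": {"vulnerabilities": {"info": 0, "low": 0, '
              '"moderate": 2, "high": 1, "critical": 0, "total": 3}}}')
SAMPLE_COMPOSER = '{"advisories": {"phpunit/phpunit": [{"cve": "CVE-2026-24765"}]}}'

def npm_vuln_total(audit_json):
    """Total finding count from `npm audit --json`; KeyError if the shape is unexpected."""
    return int(json.loads(audit_json)["metadata"]["vulnerabilities"]["total"])

def composer_advisory_count(audit_json):
    """Advisory count from `composer audit --format=json` (an empty result is [] or {})."""
    advisories = json.loads(audit_json)["advisories"] or {}
    return sum(len(v) for v in advisories.values())

def run_json(cmd, cwd):
    """Run an audit and return its stdout. The tools exit non-zero on findings, so
    the decision is made on the JSON; empty output means the tool itself broke."""
    out = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True).stdout
    if not out.strip():
        raise RuntimeError(f"{' '.join(cmd)} in {cwd}: no JSON output")
    return out

def gate():
    """Return the list of failures; an empty list means all three steps passed."""
    failures = []
    for d in NPM_DIRS:
        n = npm_vuln_total(run_json(["npm", "audit", "--json"], d))
        if n:
            failures.append(f"{d}: npm audit reports {n} vulnerabilities")
    n = composer_advisory_count(run_json(["ddev", "composer", "audit", "--format=json"], "."))
    if n:
        failures.append(f"composer audit reports {n} advisories")
    for d in NPM_DIRS[1:]:  # the three module directories
        if subprocess.run(["npx", "encore", "production"], cwd=d).returncode != 0:
            failures.append(f"{d}: npx encore production failed")
    return failures

if __name__ == "__main__":
    problems = gate()
    print("\n".join(problems) or "audits clean, builds succeeded")
    raise SystemExit(1 if problems else 0)
```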

@private-packagist (bot)

composer.lock

Dev Package changes

Package                            Operation  From        To          About
doctrine/deprecations              upgrade    1.1.5       1.1.6       diff - changelog
nikic/php-parser                   upgrade    v4.19.4     v4.19.5     diff - changelog
phpdocumentor/reflection-docblock  upgrade    5.6.3       5.6.7       diff - changelog
phpdocumentor/type-resolver        upgrade    1.10.0      1.12.0      diff - changelog
phpstan/phpdoc-parser              upgrade    2.3.0       2.3.2       diff - changelog
phpunit/phpunit                    upgrade    9.6.29 ⚠️   9.6.34 ✅   diff - changelog
sebastian/comparator               upgrade    4.0.9       4.0.10      diff - changelog
theseer/tokenizer                  upgrade    1.2.3       1.3.1       diff - changelog


@danieldudzic danieldudzic requested a review from AlexP11223 March 19, 2026 21:02
@AlexP11223 AlexP11223 merged commit 6483937 into dev/main Mar 20, 2026
4 checks passed
@AlexP11223 AlexP11223 deleted the dev/IZET-534-resolve-dependabot-alerts branch March 20, 2026 07:13