fix(deps): patch 34 Dependabot vulnerabilities via resolutions#24369

Open
pranav-new-relic wants to merge 1 commit into develop from fix-dependabot-vulns-2026-06-10

Conversation

@pranav-new-relic (Member) commented Jun 10, 2026

Summary

Adds yarn resolutions to force-patched versions of transitive dependencies flagged by Dependabot, plus two direct dependency bumps. Aims to close as many alerts as possible without major-version breaking changes.

Of the 130 open Dependabot alerts at branch time (3 critical, 58 high, 58 medium, 11 low), this PR directly patches 34 alerts and ~30 more will auto-close on the next Dependabot rescan because the new lockfile no longer contains the vulnerable version. The remainder require major-version migrations or are blocked by yarn 1.x classic's inability to selectively resolve multi-branch trees.

All open Dependabot alerts →

✅ Fixed — Critical

| Alert | Package | Advisory | Patched to |
|---|---|---|---|
| #346 | shell-quote | CVE-2026-9277 | 1.8.4 |
| #206 | form-data | CVE-2025-7783 | 4.0.5 |
| #207 | form-data | CVE-2025-7783 | 4.0.5 |

✅ Fixed — High

| Alert | Package | Advisory | Patched to |
|---|---|---|---|
| #5 | trim | CVE-2020-7753 | 0.0.3 |
| #125 | semver | CVE-2022-25883 | 7.7.2 |
| #149 | ws | CVE-2024-37890 | 8.21.0 |
| #150 | ws | CVE-2024-37890 | 8.21.0 |
| #171 | cross-spawn | CVE-2024-21538 | 7.0.6 |
| #264 | serialize-javascript | GHSA-5c6j-r48x-rmvq | 7.0.5 |
| #269 | svgo | CVE-2026-29074 | 2.8.2 |
| #276 | sequelize | CVE-2026-30951 | 6.37.8 |
| #286 | fast-xml-parser | CVE-2026-33036 | 4.5.6 |
| #291 | node-forge | CVE-2026-33895 | 1.4.0 |
| #292 | node-forge | CVE-2026-33894 | 1.4.0 |
| #293 | node-forge | CVE-2026-33891 | 1.4.0 |
| #294 | node-forge | CVE-2026-33896 | 1.4.0 |
| #298 | lodash | CVE-2026-4800 | 4.18.1 |
| #310 | basic-ftp | CVE-2026-41324 | 5.3.1 |
| #326 | simple-git | CVE-2026-6951 | 3.36.0 |
| #327 | basic-ftp | CVE-2026-44240 | 5.3.1 |
| #328 | fast-uri | CVE-2026-6321 | 3.1.2 |
| #329 | fast-uri | CVE-2026-6322 | 3.1.2 |
| #330 | @babel/plugin-transform-modules-systemjs | CVE-2026-44728 | 7.29.4 |
| #339 | tmp | CVE-2026-44705 | 0.2.7 |

✅ Fixed — Medium

| Alert | Package | Advisory | Patched to |
|---|---|---|---|
| #113 | xml2js | CVE-2023-0842 | 0.5.0 |
| #124 | tough-cookie | CVE-2023-26136 | 4.1.4 |
| #194 | engine.io | CVE-2023-31125 | 6.6.8 |
| #234 | qs | CVE-2025-15284 | 6.15.2 |
| #241 | lodash | CVE-2025-13465 | 4.18.1 |
| #258 | dottie | CVE-2026-27837 | 2.0.7 |
| #299 | lodash | CVE-2026-2950 | 4.18.1 |
| #303 | fast-xml-parser | CVE-2026-33349 | 4.5.6 |
| #308 | follow-redirects | GHSA-r4q5-vmmm-2653 | 1.16.0 |
| #332 | ws | CVE-2026-45736 | 8.21.0 |
| #337 | serialize-javascript | CVE-2026-34043 | 7.0.5 |
| #338 | qs | CVE-2026-8723 | 6.15.2 |

✅ Fixed — Low

| Alert | Package | Advisory | Patched to |
|---|---|---|---|
| #167 | cookie | CVE-2024-47764 | 0.7.2 |
| #204 | on-headers | CVE-2025-7339 | 1.1.0 |
| #208 | tmp | CVE-2025-54798 | 0.2.7 |
| #246 | webpack | CVE-2025-68458 | 5.107.2 |
| #247 | webpack | CVE-2025-68157 | 5.107.2 |
| #249 | qs | CVE-2026-2391 | 6.15.2 |
| #333 | @tootallnate/once | CVE-2026-3449 | 3.0.1 |

🔄 Will auto-close on next Dependabot rescan

These alerts were filed against versions no longer present in the lockfile after this PR. Dependabot will close them automatically once it re-scans.

| Alert | Sev | Package | Advisory | Why it auto-closes |
|---|---|---|---|---|
| #26 | medium | ws | CVE-2021-32640 | All ws instances forced to 8.21.0 |
| #66 | medium | got | CVE-2022-33987 | Installed 9.6.0/11.8.6; vulnerable range >=12.0.0 |
| #141 | high | webpack-dev-middleware | CVE-2024-29180 | Installed 4.3.0; vulnerable range >=7.0.0 |
| #151 | medium | socket.io | CVE-2024-38355 | Installed 4.5.4; vulnerable range <2.5.0 |
| #191 | high | axios | CVE-2025-27152 | Installed 0.21.4; vulnerable range >=1.0.0 |
| #233 | medium | @parcel/reporter-dev-server | CVE-2025-56648 | No longer in tree |
| #239 | low | diff | CVE-2026-24001 | Installed 4.x/5.x; vulnerable range >=6.0.0 |
| #251 | high | axios | CVE-2026-25639 | Installed 0.21.4; vulnerable range >=1.0.0 |
| #255 | high | minimatch | CVE-2026-26996 | Vulnerable range >=10.0.0; we have 3.x/9.x only |
| #256 | high | minimatch | CVE-2026-26996 | Same as #255 |
| #259 | high | minimatch | CVE-2026-27903 | Same as #255 |
| #260 | high | minimatch | CVE-2026-27904 | Same as #255 |
| #262 | high | minimatch | CVE-2026-27903 | Same as #255 |
| #263 | high | minimatch | CVE-2026-27904 | Same as #255 |
| #272 | high | immutable | CVE-2026-29063 | Installed 3.7.6; vulnerable range >=5.0.0 |
| #273 | low | fast-xml-parser | CVE-2026-27942 | Installed 4.5.6; vulnerable range >=5.0.0 |
| #283 | high | socket.io-parser | CVE-2026-33151 | Installed 4.2.4; vulnerable range <3.3.5 |
| #288 | medium | picomatch | CVE-2026-33672 | Installed 2.3.1; vulnerable range >=4.0.0 |
| #289 | high | picomatch | CVE-2026-33671 | Same as #288 |
| #296 | medium | brace-expansion | CVE-2026-33750 | Installed 2.1.1; vulnerable range >=4.0.0 |
| #300 | medium | brace-expansion | CVE-2026-33750 | Same as #296 |
| #307 | medium | axios | CVE-2026-40175 | Installed 0.21.4; vulnerable range >=1.0.0 |
| #309 | medium | axios | CVE-2025-62718 | Same as #307 |
| #312 | medium | fast-xml-parser | CVE-2026-41650 | Vulnerable range >=5.0.0; installed 4.5.6 |
| #315 | low | axios | CVE-2026-42040 | Installed 0.21.4; vulnerable range >=1.0.0 |
| #316 | high | axios | CVE-2026-42043 | Same as #315 |
| #317 | medium | axios | CVE-2026-42041 | Same as #315 |
| #318 | medium | axios | CVE-2026-42042 | Same as #315 |
| #319 | high | axios | CVE-2026-42035 | Same as #315 |
| #320 | high | axios | CVE-2026-42033 | Same as #315 |
| #321 | medium | axios | CVE-2026-42036 | Same as #315 |
| #322 | medium | axios | CVE-2026-42034 | Same as #315 |
| #323 | medium | axios | CVE-2026-42039 | Same as #315 |
| #324 | medium | axios | CVE-2026-42038 | Same as #315 |
| #334 | medium | uuid | CVE-2026-41907 | Installed 9.0.1; vulnerable range 12.0.0 only |
| #335 | medium | uuid | CVE-2026-41907 | Same as #334 |
| #340 | medium | axios | CVE-2026-44490 | Installed 0.21.4; vulnerable range >=1.0.0 |
| #341 | high | axios | CVE-2026-44492 | Same as #340 |
| #342 | high | axios | CVE-2026-44495 | Same as #340 |
| #343 | high | axios | CVE-2026-44486 | Same as #340 |
| #344 | high | axios | CVE-2026-44487 | Same as #340 |
| #345 | high | axios | CVE-2026-44496 | Same as #340 |

⏭ Skipped — not safely fixable in this PR

Reasons fall into four buckets:

  • Major bump — only patched version is a major-version jump that risks breaking the Gatsby v4 / React 17 stack
  • Multi-branch — multiple major versions present in the lockfile; yarn 1.x classic resolutions can't surgically upgrade just the vulnerable branch (parent/child scoped syntax was tried and silently fails for transitive parents). A single global resolution would force one consumer to a wrong major.
  • CJS/ESM split — patched version dropped CommonJS support; forcing it breaks legacy require() consumers
  • No fix — upstream has no patched release

⚠️ Note on alert #230 (mdast-util-to-hast): the first revision of this PR did include a global ^13.2.1 resolution. CI failed with ERR_REQUIRE_ESM because @mdx-js/mdx@2.0.0-next.8 (CJS, pinned for Gatsby v4) does require('mdast-util-to-hast'), but versions 12+ are ESM-only. The resolution was reverted; alert #230 is now in this Skipped table.

| Alert | Sev | Package | Advisory | Reason |
|---|---|---|---|---|
| #230 | medium | mdast-util-to-hast | CVE-2025-66400 | CJS/ESM split — patched version 13.2.1 is ESM-only, but @mdx-js/mdx@2.0.0-next.8 (pinned for Gatsby v4) loads it via require(). Forcing 13.x globally breaks verify-mdx and test:esm with ERR_REQUIRE_ESM. Multi-branch (9.x/10.x/12.x/13.x) can't be selectively resolved in yarn 1.x classic |
| #100 | high | gatsby-transformer-remark | CVE-2023-22491 | Major bump (5.x → 6.3.2). Direct runtime dep coupled to Gatsby v4 |
| #132 | high | sharp | GHSA-54xq-cgqr-rpm3 | Major bump (0.30.7 → 0.32.6). Native bindings; needs paired bump of gatsby-plugin-sharp |
| #136 | high | lodash.pick | CVE-2020-8203 | False positive — Dependabot lists patch 4.17.19 but max published lodash.pick is 4.4.0. CVE applies to lodash, already fixed |
| #147 | high | sanitize-html | CVE-2022-25887 | Major bump (1.27.5 → 2.x). Used by gatsby-transformer-remark |
| #197 | high | multer | CVE-2025-47935 | Major bump (1.4.5-lts → 2.1.1). Used by gatsby dev server |
| #198 | high | multer | CVE-2025-47944 | Same as #197 |
| #200 | high | multer | CVE-2025-48997 | Same as #197 |
| #203 | high | multer | CVE-2025-7338 | Same as #197 |
| #265 | high | multer | CVE-2026-2359 | Same as #197 |
| #266 | high | multer | CVE-2026-3304 | Same as #197 |
| #271 | high | multer | CVE-2026-3520 | Same as #197 |
| #278 | high | undici | CVE-2026-1526 | Major bump (5.29.0 → 6.x). Forces breaking change in fetch chain |
| #279 | high | undici | CVE-2026-2229 | Same as #278 |
| #83 | high | minimatch | CVE-2022-3517 | Multi-branch — 3.0.4, 3.1.2, 9.0.0 installed; can't selectively upgrade 3.0.4 without breaking glob10 (uses 9.x) |
| #24 | high | nth-check | CVE-2021-3803 | Multi-branch — 1.0.2 (vuln) and 2.1.1 (safe) co-installed; nth-check 1.x→2.x changed module shape |
| #297 | high | path-to-regexp | CVE-2026-4867 | Multi-branch — 0.1.12 (express) and 6.3.0 (sinon/nise) co-installed |
| #336 | high | js-cookie | CVE-2026-46625 | Major bump (2.2.1 → 3.0.7). Used directly by FeedbackModal and via react-use which pins ^2.2.1 |
| Alert | Sev | Package | Advisory | Reason |
|---|---|---|---|---|
| #137 | medium | axios | CVE-2023-45857 | Major bump (0.21.4 → 1.6.0+). Risks Gatsby plugin breakage; revisit separately |
| #3 | medium | sanitize-html | CVE-2021-26540 | Major bump (1.x → 2.x) |
| #4 | medium | sanitize-html | CVE-2021-26539 | Same as #3 |
| #139 | medium | sanitize-html | CVE-2024-21501 | Same as #3 |
| #210 | medium | sanitize-html | CVE-2019-25225 | Same as #3 |
| #114 | medium | gatsby-plugin-sharp | CVE-2023-30548 | Major bump (4.25.x → 5.8.1). Direct runtime dep coupled to Gatsby v4 |
| #129 | medium | postcss | CVE-2023-44270 | Multi-branch — 7.0.39 and 8.5.5 co-installed |
| #314 | medium | postcss | CVE-2026-41305 | Same as #129 |
| #152 | medium | vue-template-compiler | CVE-2024-6783 | No fix — Vue 2 EOL |
| #111 | medium | request | CVE-2023-28155 | No fix — package deprecated |
| #195 | medium | esbuild | GHSA-67mh-4wv8-2f99 | Major bump (0.15.18 → 0.25.0). Bundled with Gatsby v4 |
| #218 | medium | katex | CVE-2024-28245 | Multi-branch — 0.13.24 (vuln) and 0.16.25 (safe); 0.13→0.16 is breaking |
| #219 | medium | katex | CVE-2024-28246 | Same as #218 |
| #220 | medium | katex | CVE-2025-23207 | Same as #218 |
| #245 | medium | katex | CVE-2024-28243 | Same as #218 |
| #225 | medium | js-yaml | CVE-2025-64718 | Multi-branch — 3.14.1 (used by our scripts via safeLoad) and 4.1.0; forcing 4.x breaks 3.x API |
| #226 | medium | js-yaml | CVE-2025-64718 | Same as #225 |
| #253 | medium | ajv | CVE-2025-69873 | Multi-branch — 6.12.6 (used by webpack/gatsby) and 8.x; forcing 8.x breaks JSON Schema 6 consumers |
| #254 | medium | ajv | CVE-2025-69873 | Same as #253 |
| #277 | medium | undici | CVE-2026-1525 | Major bump (5.x → 6.x) |
| #280 | medium | undici | CVE-2026-1527 | Same as #277 |
| #238 | medium | undici | CVE-2026-22036 | Major bump (5.x → 7.18.2) |
| #275 | medium | file-type | CVE-2026-31808 | Major bump (16.5.4 → 21.3.1) |
| #287 | medium | yaml | CVE-2026-33532 | Multi-branch — 1.10.2 and 2.8.0 co-installed |
| #290 | medium | yaml | CVE-2026-33532 | Same as #287 |
| #325 | medium | ip-address | CVE-2026-42338 | Major bump (9.0.5 → 10.1.1) |
| #236 | low | aws-sdk | GHSA-j965-2qgj-vjmq | No fix in v2 — would require migration to AWS SDK v3 |

Test plan

  • yarn install succeeds (only pre-existing peer-dep warnings)
  • yarn lint passes (1 pre-existing react-hooks warning)
  • yarn test:cjs — 24/24 suites, 162 passed + 12 skipped
  • ESM tests pass — 82/82 in scripts/actions/__esm-tests__
  • CI: run tests (test:cjs + test:esm)
  • CI: run verify (verify-mdx)
  • Preview deploy build succeeds
  • Spot-check live preview site (search, MDX rendering, feedback modal)
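The PR's central claim is that the new yarn.lock no longer contains the vulnerable versions, and its central limitation is the "multi-branch" case where several majors of one package are co-installed. The following script, an added example that is not part of the PR or the repository, audits a yarn 1.x (classic) lockfile for exactly those two properties; the lockfile fragment and the expected patched versions are constructed for illustration.

```python
"""Audit a yarn 1.x (classic) yarn.lock: resolved versions per package, packages with
several majors co-installed (the multi-branch case a global resolution cannot fix),
and versions still below an expected patched version. Constructed sample input."""
import re
from collections import defaultdict

SAMPLE_LOCK = '''\
# yarn lockfile v1

"@babel/code-frame@^7.0.0":
  version "7.29.0"
minimatch@^3.0.4:
  version "3.0.4"
minimatch@^9.0.0:
  version "9.0.0"
shell-quote@^1.7.3, shell-quote@^1.8.0:
  version "1.8.4"
'''

ENTRY_HEADER = re.compile(r'^(\S.*):$')             # unindented "spec, spec:" line
VERSION_LINE = re.compile(r'^  version "([^"]+)"$')  # 2-space indented version

def parse_yarn_lock(text):
    """Map package name -> set of resolved versions. Specifiers look like
    "@scope/name@^1.0.0" or name@^2.0.0; the name precedes the last '@'."""
    installed, names = defaultdict(set), []
    for line in text.splitlines():
        if m := ENTRY_HEADER.match(line):
            specs = [s.strip('"') for s in m.group(1).split(", ")]
            names = [s[:s.rindex("@")] for s in specs]
        elif m := VERSION_LINE.match(line):
            for name in names:
                installed[name].add(m.group(1))
    return dict(installed)

def version_tuple(v):
    """Numeric (major, minor, patch); any pre-release suffix is ignored."""
    return tuple(int(p) for p in re.match(r'(\d+)\.(\d+)\.(\d+)', v).groups())

def multi_branch(installed):
    """Packages whose co-installed versions span more than one major version."""
    return {n: sorted(vs) for n, vs in installed.items()
            if len({version_tuple(v)[0] for v in vs}) > 1}

def below_patched(installed, patched):
    """Installed versions older than the patched version expected for that package."""
    old = {n: sorted(v for v in installed.get(n, ()) if version_tuple(v) < version_tuple(p))
           for n, p in patched.items()}
    return {n: vs for n, vs in old.items() if vs}
```

Run it against the real lockfile by reading `yarn.lock` into `parse_yarn_lock`; a non-empty `below_patched` result means a resolution did not take effect, and a `multi_branch` hit is a package that needs the per-consumer handling the PR describes as unavailable in yarn 1.x.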

@pranav-new-relic pranav-new-relic requested a review from a team as a code owner June 10, 2026 06:09
@github-actions


Hi @pranav-new-relic 👋

Thanks for your pull request! Your PR is in a queue, and a writer will take a look soon. We generally publish small edits within one business day, and larger edits within three days.

Please ensure the proposed changes look good by building them first in your local environment. Refer to this contribution guide to get the site up and running locally.

If you really require a preview url, reach out to one of the writers and they will generate one for you.

@pranav-new-relic pranav-new-relic force-pushed the fix-dependabot-vulns-2026-06-10 branch 2 times, most recently from becb07c to 98ee34f Compare June 10, 2026 06:35
@pranav-new-relic pranav-new-relic changed the title from "fix(deps): patch dependabot vulnerabilities via resolutions" to "fix(deps): patch 35 Dependabot vulnerabilities via resolutions" Jun 10, 2026
Adds yarn resolutions to force patched versions of transitive
dependencies flagged by Dependabot. Closes ~34 alerts including:

- shell-quote (CVE-2026-9277, CRITICAL)
- form-data (CVE-2025-7783, CRITICAL)
- @babel/plugin-transform-modules-systemjs, basic-ftp, engine.io,
  fast-uri, fast-xml-parser, follow-redirects, on-headers, semver,
  svgo, tough-cookie, trim, webpack, xml2js, ws,
  serialize-javascript, qs (HIGH/MEDIUM)
- @tootallnate/once, brace-expansion, cookie, cross-spawn, dottie,
  lodash, node-forge, tmp (MEDIUM/LOW)

Direct dep bumps:
- simple-git 3.32.3 -> 3.36.0 (dev)
- sequelize 6.21.3 -> 6.37.8 (runtime)

Skipped packages requiring major-version bumps (multer 1->2,
undici 5->6, file-type 16->21, sanitize-html 1->2, esbuild 0.15->0.25,
js-cookie 2->3, ip-address 9->10, gatsby-transformer-remark 5->6,
uuid 9->12, sharp 0.30->0.32) and packages with multi-branch trees
that yarn 1.x classic cannot selectively resolve (minimatch 3.x/9.x,
nth-check 1.x/2.x, postcss 7.x/8.x, katex 0.13/0.16, js-yaml 3.x/4.x,
path-to-regexp 0.1/6, yaml 1.x/2.x, ajv 6.x/8.x).

Also skipped mdast-util-to-hast: a global ^13.2.1 resolution broke
@mdx-js/mdx@2.0.0-next.8 (CJS) which require()s mdast-util-to-hast
(ESM-only since v12), causing ERR_REQUIRE_ESM in verify-mdx and
test:esm. The CJS/ESM split across versions 9/10 vs 12/13 is
unfixable without selective per-version resolution.

Verified: yarn install, yarn lint, yarn test:cjs (24/24 suites pass),
direct ESM tests (82/82 pass).