
Conversation

@seaerchin
Collaborator

Problem

This PR upgrades deps that require a breaking change. This was done via npm audit fix --force --legacy-peer-deps on top of the previous PR.

Solution

  • run npm audit fix --force --legacy-peer-deps

List of breaking changes

npm warn audit Updating nodemailer to 7.0.11, which is a SemVer major change.
npm warn audit Updating webpack-dev-server to 5.2.2, which is a SemVer major change.
npm warn audit Updating @sentry/react to 10.28.0, which is a SemVer major change.
npm warn audit Updating cookie-session to 2.1.1, which is a SemVer major change.
npm warn audit Updating dd-trace to 5.80.0, which is a SemVer major change.
npm warn audit Updating testcafe to 0.16.0, which is a SemVer major change.
npm warn audit Updating commitizen to 3.0.0, which is a SemVer major change.
npm warn audit Updating @commitlint/travis-cli to 20.1.0, which is a SemVer major change.
npm warn audit Updating jest to 30.2.0, which is a SemVer major change.
npm warn audit Updating cz-conventional-changelog to 3.0.1, which is a SemVer major change.
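Reconciling the audit log with package.json, as an added example that is not code from this PR or the project: the Node script below parses the "npm warn audit Updating <pkg> to <version>" lines that npm audit fix --force prints and compares each reported target against the package.json range before and after the run. It flags targets that fall outside the new range, ranges whose minimum moved down, and entries the log calls a SemVer major change whose major version did not actually change. The log lines are a subset of the warnings quoted above; the before/after ranges for cz-conventional-changelog, testcafe and commitizen are taken from this PR's diff, and jest's pre-upgrade range ^26.6.3 is assumed. Only caret ranges and exact pins are handled; the semver package would cover tilde, hyphen and other range syntaxes.

```javascript
// Added example, not code from this PR or the project. Cross-checks the
// "npm warn audit Updating <pkg> to <version>" lines that
// `npm audit fix --force` prints against the package.json ranges before and
// after the run. Only caret ranges (^x.y.z) and exact pins are handled.

// Constructed input: a subset of the warnings quoted in the PR description.
const AUDIT_LOG = `
npm warn audit Updating cz-conventional-changelog to 3.0.1, which is a SemVer major change.
npm warn audit Updating testcafe to 0.16.0, which is a SemVer major change.
npm warn audit Updating commitizen to 3.0.0, which is a SemVer major change.
npm warn audit Updating jest to 30.2.0, which is a SemVer major change.
`;

// Constructed devDependencies before and after the run. The first three
// entries mirror the hunks in this PR; jest's old range ^26.6.3 is assumed.
const BEFORE = {
  "cz-conventional-changelog": "^3.3.0",
  "testcafe": "^2.6.2",
  "commitizen": "^4.2.4",
  "jest": "^26.6.3",
};
const AFTER = {
  "cz-conventional-changelog": "^3.0.1",
  "testcafe": "^3.7.2",
  "commitizen": "^4.3.1",
  "jest": "^30.2.0",
};

// Pull (name, target version, SemVer level) out of each audit warning line.
function parseAuditLog(log) {
  const re = /^npm warn audit Updating (\S+) to (\d+\.\d+\.\d+), which is a SemVer (\w+) change\.$/;
  const entries = [];
  for (const raw of log.split("\n")) {
    const m = raw.trim().match(re);
    if (m) entries.push({ name: m[1], target: m[2], level: m[3] });
  }
  return entries;
}

// "^3.7.2" or "3.7.2" -> [3, 7, 2]
function parseVersion(spec) {
  return spec.replace(/^\^/, "").split(".").map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: ^x.y.z (x > 0) admits >= x.y.z and < (x+1).0.0;
// ^0.y.z admits >= 0.y.z and < 0.(y+1).0; ^0.0.z admits only 0.0.z.
// An exact pin admits only itself.
function satisfies(range, version) {
  const floor = parseVersion(range);
  const v = parseVersion(version);
  if (!range.startsWith("^")) return compareVersions(floor, v) === 0;
  if (compareVersions(v, floor) < 0) return false;
  if (floor[0] > 0) return v[0] === floor[0];
  if (floor[1] > 0) return v[0] === 0 && v[1] === floor[1];
  return compareVersions(v, floor) === 0;
}

// Returns one finding per discrepancy between the audit log and package.json.
function reviewAuditFix(log, before, after) {
  const findings = [];
  for (const { name, target, level } of parseAuditLog(log)) {
    const oldRange = before[name];
    const newRange = after[name];
    if (newRange === undefined) {
      findings.push({ name, issue: "reported by audit but absent from package.json" });
      continue;
    }
    if (!satisfies(newRange, target)) {
      findings.push({ name, issue: `audit reported ${target} but package.json now says ${newRange}` });
    }
    if (oldRange !== undefined) {
      const oldFloor = parseVersion(oldRange);
      const newFloor = parseVersion(newRange);
      if (compareVersions(newFloor, oldFloor) < 0) {
        findings.push({ name, issue: `minimum version lowered from ${oldRange} to ${newRange}` });
      }
      if (level === "major" && oldFloor[0] === newFloor[0]) {
        findings.push({ name, issue: `reported as SemVer major but major version unchanged (${oldRange} -> ${newRange})` });
      }
    }
  }
  return findings;
}

for (const f of reviewAuditFix(AUDIT_LOG, BEFORE, AFTER)) {
  console.log(`${f.name}: ${f.issue}`);
}
```

Run against the constructed inputs, the script reports the testcafe and commitizen targets as outside the new ranges, the lowered cz-conventional-changelog floor, and two entries labelled major whose major version stayed the same, while jest passes clean. In a real repo, feed it the captured output of npm audit fix --force and the devDependencies objects read from git show HEAD:package.json and the working-tree package.json.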

@socket-security
socket-security bot commented Dec 4, 2025

Copilot AI left a comment

Pull request overview

This PR upgrades dependencies with security vulnerabilities that require breaking changes, executed via npm audit fix --force --legacy-peer-deps. However, there are significant discrepancies between the stated changes and the actual package.json updates.

  • Major version upgrades for 10 packages including nodemailer (6→7), webpack-dev-server (4→5), dd-trace (2→5), and Jest (26→30)
  • Several version mismatches between PR description and actual changes
  • One apparent version downgrade that conflicts with security update goals


"copyfiles": "^2.4.1",
"csv-parse": "^5.3.6",
"cz-conventional-changelog": "^3.3.0",
"cz-conventional-changelog": "^3.0.1",
Copilot AI Dec 4, 2025

This appears to be a version downgrade from ^3.3.0 to ^3.0.1. Downgrading dependencies is unusual in a security update PR and may reintroduce vulnerabilities or remove features. This should be verified as intentional.

Suggested change
"cz-conventional-changelog": "^3.0.1",
"cz-conventional-changelog": "^3.3.0",

"serverless-plugin-include-dependencies": "^5.0.0",
"supertest": "^6.1.3",
"testcafe": "^2.6.2",
"testcafe": "^3.7.2",
Copilot AI Dec 4, 2025

The version update for testcafe appears inconsistent with the PR description. The PR states it's updating to 0.16.0, but the actual change shows an update to ^3.7.2. This discrepancy should be clarified.

Suggested change
"testcafe": "^3.7.2",
"testcafe": "0.16.0",

"babel-eslint": "^10.1.0",
"babel-loader": "^8.2.2",
"commitizen": "^4.2.4",
"commitizen": "^4.3.1",
Copilot AI Dec 4, 2025

The version update for commitizen appears inconsistent. The PR description states it's updating to 3.0.0, but the actual change shows an update to ^4.3.1. This discrepancy should be clarified.

Suggested change
"commitizen": "^4.3.1",
"commitizen": "3.0.0",
