
chore: fix 5 open security alerts and bump Node to v24 #40

Merged
rubenhensen merged 1 commit into master from chore/fix-security-alerts on Jun 18, 2026

Conversation

@rubenhensen


Summary

  • Bump all Docker base images to node:24-slim / node:24-alpine — Node 24 ships a newer bundled npm that resolves the brace-expansion (GHSA-jxxr-4gwj-5jf2) and ip-address (GHSA-v2v4-37r5-5v8g) image-scan alerts; the rebuilt container also picks up pm2@7 with a patched ws (GHSA-58qx-3vcg-4xpx)
  • Override js-yaml to ^4.2.0 in both server and client to close the CVE-2026-53550 DoS alert in both package-lock files (both projects use .eslintrc.js, so eslint's removed safeLoad path is never invoked)

Closes Dependabot alerts Amsterdam#263 and Amsterdam#264; resolves code-scanning alerts Amsterdam#222, Amsterdam#223, and Amsterdam#224.
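As an added example (not code from this PR or the project), here is a small Node check for the second bullet: it walks a package-lock.json and reports every js-yaml copy resolved below the 4.2.0 floor the override sets, nested copies under eslint included, which is how you would confirm the override actually took effect in both lock files rather than only at the top level. The lock file content and version numbers below are constructed for the example, and the `packages`-map shape assumes lockfileVersion 2 or 3.

```javascript
// Added example (not the PR's own code): verify that every js-yaml copy resolved in a
// package-lock.json (lockfileVersion 2/3 "packages" map) is at or above the version the
// override pins, so the CVE-2026-53550 alert is actually closed in that lock file.
// The lock file below is constructed for this example.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns true when a >= b (numeric major.minor.patch comparison; pre-release tags ignored).
function atLeast(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i];
  }
  return true;
}

// Walks the "packages" map and returns every js-yaml copy below `minVersion`,
// keyed by its path in node_modules (nested copies included).
function findOutdatedJsYaml(lock, minVersion) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/js-yaml')) continue;
    if (!atLeast(entry.version, minVersion)) bad.push({ path, version: entry.version });
  }
  return bad;
}

// Constructed lock file: the top-level override took effect, but eslint still
// carries a nested js-yaml 3.x copy, which is exactly what would keep the alert open.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'server', version: '1.0.0' },
    'node_modules/js-yaml': { version: '4.2.0' },
    'node_modules/eslint': { version: '8.0.0' },
    'node_modules/eslint/node_modules/js-yaml': { version: '3.14.1' },
  },
};

// Same check against a lock file on disk (fs is Node's built-in module).
function checkLockFile(path, minVersion = '4.2.0') {
  const lock = JSON.parse(require('fs').readFileSync(path, 'utf8'));
  return findOutdatedJsYaml(lock, minVersion);
}

console.log(findOutdatedJsYaml(SAMPLE_LOCK, '4.2.0'));
```

Run it against both lock files (`checkLockFile('server/package-lock.json')` and the client equivalent, paths assumed); an empty result means no copy below 4.2.0 remains.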

@dobby-coder

dobby-coder Bot commented Jun 18, 2026


Dobby looked at this but isn't routing it anywhere: Dobby couldn't route this (router error) If that's wrong, ping Dobby again or be explicit with /dobby review, /dobby fix, or /dobby ask.

Bump all Docker base images from node:16-slim/node:lts-alpine to
node:24-slim/node:24-alpine. Node 24 ships a newer bundled npm that
resolves the brace-expansion (GHSA-jxxr-4gwj-5jf2) and ip-address
(GHSA-v2v4-37r5-5v8g) image-scan alerts; the rebuild also picks up
pm2@7 with a patched ws (GHSA-58qx-3vcg-4xpx).

Override js-yaml to ^4.2.0 in server and client to close the
CVE-2026-53550 DoS alert in both package-lock files. Both projects
use .eslintrc.js so the removed safeLoad API is never invoked.
@rubenhensen rubenhensen force-pushed the chore/fix-security-alerts branch from a873798 to ba5bf9b on June 18, 2026 11:42
@rubenhensen rubenhensen merged commit b0cdaad into master Jun 18, 2026
1 check passed
@rubenhensen rubenhensen deleted the chore/fix-security-alerts branch June 18, 2026 11:44