fix: fix dependabot vulnerabilities (Go, npm, GitHub Actions)#987
Merged
…s (kt-qk6)

Go modules:
- filippo.io/age v1.2.1 → v1.3.1
- github.com/DataDog/datadog-go/v5 v5.8.2 → v5.8.3
- github.com/aws/aws-sdk-go-v2 group: v1.41.0 → v1.41.6 (security)
- github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.20.15 → v1.22.16
- github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2 → v1.100.0
- Skipped kubevirt.io/client-go v1.7.0: incompatible with k8s.io/client-go v0.32.5 pin

npm (web):
- axios 1.13.2 → ^1.15.2 (fixes GHSA-43fc-jf86-j433, GHSA-3p68-rc4w-qgx5, GHSA-fvcv-3m26-pcqx)
- Updated all other vulnerable transitive deps via npm audit fix
- Remaining: 3 moderate (uuid in webpack-dev-server/sockjs, no safe fix)

GitHub Actions:
- docker/login-action v3 → v4

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lns, gt-pvx safety net)" This reverts commit d3e059e.
…-qk6)

Fixes SA1019 staticcheck deprecations caused by the aws-sdk-go-v2 upgrade:
- Replace feature/s3/manager (deprecated) with feature/s3/transfermanager
- manager.Uploader → transfermanager.Client
- manager.NewUploader() → transfermanager.New()
- Uploader.Upload() → Client.UploadObject() with UploadObjectInput

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lns, gt-pvx safety net)" This reverts commit af76c17.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Consolidates and applies all outstanding dependabot security fixes into a single PR.
Go modules
- filippo.io/age v1.2.1 → v1.3.1
- github.com/DataDog/datadog-go/v5 v5.8.2 → v5.8.3 (security)
- github.com/aws/aws-sdk-go-v2 group: v1.41.0 → v1.41.6 (security — includes config, ec2/imds, s3/manager, s3, credentials, and all indirect deps)
- kubevirt.io/client-go v1.7.0: requires k8s.io/client-go v0.33+ but go.mod pins to v0.32.5 — incompatible without a larger k8s upgrade

npm (web/)
- axios 1.13.2 → ^1.15.2 — fixes GHSA-43fc-jf86-j433 (DoS via proto), GHSA-3p68-rc4w-qgx5 (SSRF), GHSA-fvcv-3m26-pcqx (metadata exfiltration)
- npm audit fix (ajv, flatted, follow-redirects, immutable, lodash, minimatch, nanoid, node-forge, serialize-javascript, webpack, and others)

GitHub Actions
- docker/login-action v3 → v4

Test plan
- go build ./... passes
- go vet ./... passes
- go test ./... passes (3 test packages, all green)
- npm audit fix applied (reduced from 24 to 3 moderate vulnerabilities)

🤖 Generated with Claude Code