Fix dependabot vulnerability alerts by updating vulnerable dependencies#228
Co-authored-by: lcollins <528874+lcollins@users.noreply.github.com>
Pull request overview
This PR addresses 9 npm audit vulnerability alerts by updating the affected dependencies (cross-spawn, ajv, @babel/*, undici, @actions/github, @actions/http-client, and @octokit/*) to secure versions, and makes the necessary TypeScript compiler configuration adjustments for the upgraded library types.
Changes:
- Dependency upgrades: `@actions/github` bumped from `^6.0.0` to `^8.0.1`, `@octokit/rest` pinned at `^22.0.1`, and non-breaking audit fixes applied to `cross-spawn`, `ajv`, and `@babel/*`.
- undici override: An `overrides` entry is added to `package.json` to force `undici@^6.23.0` across all transitive consumers (including `@actions/http-client@2.x` used by `@actions/core`), addressing the `undici` CVE.
- tsconfig adjustment: `lib` option expanded to include `es2021.promise` and `es2022.error` to satisfy type requirements introduced by the newer `@octokit` packages.
Reviewed changes
Copilot reviewed 1 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Bumps @actions/github, pins @octokit/rest, and adds overrides for undici |
| package-lock.json | Regenerated lock file reflecting all updated transitive dependency resolutions |
| tsconfig.json | Adds lib array to include es2021.promise and es2022.error for newer @octokit type compatibility |
| dist/licenses.txt | Rebuilt license attribution reflecting removed/replaced dependencies in the bundle |
| "@actions/glob": "^0.4.0", | ||
| "@actions/io": "^1.1.3", | ||
| "@octokit/rest": "latest", | ||
| "@octokit/rest": "^22.0.1", |
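Review bot: the removed specifier `"latest"` on `@octokit/rest` is a registry dist-tag, not a version range, so every fresh resolution could pick up whatever the registry currently labels latest; replacing it with `^22.0.1` is the right move and makes the pinned ReDoS fix reproducible. Because `^22.0.1` still admits future minor and patch releases, the committed `package-lock.json` in this PR is what actually fixes the resolution, so installs in CI should use `npm ci` rather than `npm install` to keep audits tied to the locked versions.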
The @octokit/rest package is listed as a direct production dependency (line 34 in package.json) but is never imported or used anywhere in the source code (checked all files in src/). The actual GitHub API calls use getOctokit from @actions/github (see src/main.ts:7). This creates unnecessary bloat in the bundle and may cause confusion. If it was intentionally added for type augmentation or indirect reasons, a comment explaining this would help; otherwise it should be removed from dependencies.
| "@octokit/rest": "^22.0.1", |
| "overrides": { | ||
| "undici": "^6.23.0" | ||
| }, |
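Review bot: the top-level `"undici": "^6.23.0"` override applies to every dependant in the tree, not only to the `@actions/http-client@2.x` path it is meant to patch; npm also supports nesting an override under a specific dependant name, which would limit the forced version to the one package that declares the old range and leave any future consumer that already wants `undici@6` untouched. Whichever form is kept, note in the PR or a README line that `overrides` is honoured by npm only (yarn and pnpm use their own resolution fields), and add `npm ls undici` to the verification steps so a reviewer can confirm a single `6.23.0` is resolved.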
The overrides field forces undici@^6.23.0 for all transitive consumers, including @actions/http-client@2.2.3 (pulled in by @actions/core), which was originally designed to work with undici@^5. While the installed undici version is correctly resolved to 6.23.0 in the lock file (as intended by the override), @actions/http-client@2.x still declares "undici": "^5.25.4" as its dependency. This version mismatch is a compatibility risk: if @actions/http-client@2.x relies on any undici@5-specific internals that changed in v6, it could cause runtime failures when making HTTP requests.
The proper long-term fix would be to upgrade @actions/core to a version that directly depends on @actions/http-client@3.x (which supports undici@6), rather than relying on the override as a workaround. The PR description acknowledges this limitation ("no non-breaking fix within v1.x"), so consider documenting this technical debt clearly, and plan to upgrade @actions/core when a compatible v2 is released.
| "overrides": { | |
| "undici": "^6.23.0" | |
| }, |
9 npm audit vulnerabilities (1 high, 8 moderate) across `cross-spawn`, `ajv`, `@babel/*`, `undici`, `@actions/github`, `@actions/http-client`, and `@octokit/*`.

Changes

- `@actions/github` `^6.0.0` → `^8.0.1`: v8.0.1 bundles safe `undici ^6.23.0` and `@actions/http-client ^3.0.2`. v9 was skipped — it's pure ESM and incompatible with this CJS project without a larger migration.
- `@octokit/rest` `latest` → `^22.0.1`: Pins to a version that resolves the `@octokit/plugin-paginate-rest` ReDoS vulnerability (GHSA-h5c3-5r3r-rr8q).
- `overrides: { undici: "^6.23.0" }`: `@actions/core` v1.x pulls in `@actions/http-client ^2.x` → `undici ^5`, which has no non-breaking fix within v1.x. The override forces the safe version across all transitive consumers.
- `npm audit fix`: `cross-spawn`, `ajv`, `@babel/helpers`, `@babel/runtime`.
- `tsconfig.json`: Added `lib: ["es6", "es2021.promise", "es2022.error"]` — `@octokit/request-error` v7 references `AggregateError` and `ErrorOptions` which aren't included in the default ES6 lib.
- `dist/` bundle.
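The review comment above flags the real risk of the `overrides` approach: a dependant (`@actions/http-client@2.x`) keeps declaring `undici ^5.25.4` while the override resolves `undici` to `6.23.0`. The script below is an added example, not code from this PR or the project: it walks a `package-lock.json` (v2/v3 `packages` layout), finds every package that depends on an overridden name, resolves that dependency the way Node's nearest-`node_modules` lookup would, and reports each dependant whose declared range the overridden version does not satisfy. The lockfile fragment is constructed from the version numbers mentioned in this PR and is not the project's real lockfile; the `@actions/core` version and range in it are placeholders.

```python
"""Report dependants whose declared range is not satisfied by the version an npm
'overrides' entry forces on them.  Added example; the lockfile below is constructed."""
import json
import re

# Constructed lockfile fragment built from the versions named in the PR; it is
# not the project's real package-lock.json (the @actions/core entry is a placeholder).
SAMPLE_LOCK = json.dumps({
    "name": "example-action",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"@actions/core": "^1.10.0", "@actions/github": "^8.0.1"},
            "overrides": {"undici": "^6.23.0"},
        },
        "node_modules/@actions/core": {
            "version": "1.10.0",
            "dependencies": {"@actions/http-client": "^2.0.1"},
        },
        "node_modules/@actions/http-client": {
            "version": "2.2.3",
            "dependencies": {"undici": "^5.25.4"},
        },
        "node_modules/@actions/github": {
            "version": "8.0.1",
            "dependencies": {"@actions/http-client": "^3.0.2", "undici": "^6.23.0"},
        },
        "node_modules/@actions/github/node_modules/@actions/http-client": {
            "version": "3.0.2",
            "dependencies": {"undici": "^6.23.0"},
        },
        "node_modules/undici": {"version": "6.23.0"},
    },
})

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a plain semver string; prerelease tags are ignored."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def satisfies(version, spec):
    """Check a resolved version against the caret, tilde or exact ranges npm writes most often."""
    spec = spec.strip()
    if spec in ("", "*", "latest"):
        return True  # a dist-tag or wildcard accepts whatever the registry serves
    v = parse_version(version)
    if spec.startswith("^"):
        lo = parse_version(spec[1:])
        if lo[0] > 0:          # ^1.2.3 -> >=1.2.3 <2.0.0
            hi = (lo[0] + 1, 0, 0)
        elif lo[1] > 0:        # ^0.2.3 -> >=0.2.3 <0.3.0
            hi = (0, lo[1] + 1, 0)
        else:                  # ^0.0.3 -> >=0.0.3 <0.0.4
            hi = (0, 0, lo[2] + 1)
        return lo <= v < hi
    if spec.startswith("~"):   # ~1.2.3 -> >=1.2.3 <1.3.0
        lo = parse_version(spec[1:])
        return lo <= v < (lo[0], lo[1] + 1, 0)
    return v == parse_version(spec)


def resolve(packages, dependant_path, dep):
    """Mimic Node's lookup: the nearest node_modules/<dep> at or above the dependant."""
    prefix = dependant_path
    while True:
        candidate = f"{prefix}/node_modules/{dep}" if prefix else f"node_modules/{dep}"
        if candidate in packages:
            return packages[candidate].get("version")
        if not prefix:
            return None
        cut = prefix.rfind("/node_modules/")
        prefix = prefix[:cut] if cut >= 0 else ""


def find_override_conflicts(lock_text):
    """Return (dependant, package, declared range, resolved version) for every override
    target whose resolved version falls outside what a dependant declared."""
    packages = json.loads(lock_text)["packages"]
    overrides = packages.get("", {}).get("overrides", {})
    conflicts = []
    for path, entry in packages.items():
        for dep, declared in entry.get("dependencies", {}).items():
            if dep not in overrides:
                continue
            resolved = resolve(packages, path, dep)
            if resolved is not None and not satisfies(resolved, declared):
                conflicts.append((path, dep, declared, resolved))
    return conflicts


if __name__ == "__main__":
    for path, dep, declared, resolved in find_override_conflicts(SAMPLE_LOCK):
        print(f"{path} declares {dep}@{declared} but the override resolves it to {resolved}")
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with the file contents; an empty result means every dependant's declared range already admits the overridden version, and a non-empty one lists exactly the packages whose compatibility you are relying on without their authors having tested it, which is the technical debt the review asks to document.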