fix(security): bump vulnerable JS deps to patched versions (ENG-12518) #141
KateZhang98 merged 1 commit into main from
- axios 1.13.2 → 1.13.6 (GHSA-43fc-jf86-j433, DoS via __proto__ in mergeConfig, HIGH)
- minimatch 3.1.2 → 3.1.5 (GHSA-7r86-cg39-jmmj, ReDoS via GLOBSTAR, HIGH)

Both are transitive dependencies; added npm `overrides` in package.json to floor-pin them to their first non-vulnerable releases.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
📝 Walkthrough: This change adds an npm overrides section to the
🚥 Pre-merge checks: ✅ Passed checks (2 passed)
🧹 Nitpick comments (1)
examples/js/package.json (1)
26-29: Overrides approach is appropriate for pinning transitive dependencies.

The axios vulnerability (GHSA-43fc-jf86-j433) is fixed in 1.13.5, so `>=1.13.5` is correct.

For minimatch, GHSA-7r86-cg39-jmmj affects versions ">=0.0.0, <3.1.3" and 3.1.3 is listed as a patched version for the 3.x line. However, related minimatch vulnerabilities (CVE-2026-27904) require version 3.1.4 to fix. Since your test plan targets 3.1.5, consider tightening the constraint to ensure npm resolves to at least 3.1.4:

"overrides": { "axios": ">=1.13.5", - "minimatch": "^3.1.3" + "minimatch": ">=3.1.4" }

This ensures coverage for multiple minimatch ReDoS vulnerabilities disclosed around the same time.
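Review bot: the suggested `"minimatch": ">=3.1.4"` has no upper bound, so npm will satisfy the override with the highest minimatch version available, which can be a newer major line rather than a 3.x release; the consumers named in the PR description (eslint/glob) were written against 3.x, and the `"^3.1.4"` alternative mentioned in the prompt enforces the same floor while keeping the resolution on that line. The same consideration applies to `"axios": ">=1.13.5"`, where a `^1.13.5` range would still admit 1.13.6 from the test plan without opening the door to a future major.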
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@examples/js/package.json` around lines 26 - 29, Update the minimatch override to ensure resolution to a patched release: change the "minimatch" override currently set to "^3.1.3" to require at least 3.1.4 (for example ">=3.1.4" or "^3.1.4") so npm will pick a version that includes the CVE fixes; leave the axios override ("axios": ">=1.13.5") as-is.
⛔ Files ignored due to path filters (1): examples/js/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1): examples/js/package.json
Summary
Fixes two HIGH-severity open Dependabot alerts by floor-pinning transitive JS dependencies via npm `overrides` in `examples/js/package.json`.

Both packages are transitive dependencies (axios via agentql, minimatch via eslint/glob). They cannot be updated directly — instead, npm `overrides` are used to force the resolver to pick a safe version.

This supersedes Dependabot PR #138 (which only addressed axios).
Test plan
`npm install` resolves axios to 1.13.6 and minimatch to 3.1.5

🤖 Generated with Claude Code
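The test plan above checks the two top-level resolutions by hand. An `overrides` entry is meant to apply to every copy of a package in the tree, including copies nested under another dependency's own `node_modules`, so a lockfile audit that walks all paths is a stronger check than reading the two top-level entries. The script below is an added example, not code from this PR or the project: it parses a `package-lock.json` (lockfileVersion 2 or 3 `packages` map, which npm 7+ writes), finds every copy of a floor-pinned package, and reports any copy that resolved below the patched version. The lockfile embedded here is constructed for the example (it mirrors the PR's overrides and adds a nested, unpatched minimatch copy as a failure case); the floors 1.13.5 and 3.1.4 are taken from the advisory discussion above. The semver comparison is a minimal major.minor.patch compare written for this example, not the `semver` package.

```javascript
// Added example (not part of PR #141 or the project's code): audit a
// package-lock.json and confirm that every copy of a floor-pinned transitive
// dependency, nested copies included, resolved at or above its patched version.

// Constructed sample lockfile fragment, not the repository's real lockfile.
// The "" entry mirrors the overrides this PR adds to examples/js/package.json.
const SAMPLE_LOCK = {
  name: "example",
  lockfileVersion: 3,
  packages: {
    "": {
      overrides: { axios: ">=1.13.5", minimatch: "^3.1.3" },
    },
    "node_modules/axios": { version: "1.13.6" },
    "node_modules/minimatch": { version: "3.1.5" },
    // Constructed failure case: a nested copy the override did not reach.
    "node_modules/glob/node_modules/minimatch": { version: "3.1.2" },
  },
};

// Patched floors from the advisories discussed in the review (assumed here).
const FLOORS = { axios: "1.13.5", minimatch: "3.1.4" };

// Minimal semver core parse (major.minor.patch); pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path: everything after the last "node_modules/",
// so scoped names such as "@types/node" and nested paths both work.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Returns one {path, version, floor} record for every copy below its floor.
function findUnpatched(lock, floors) {
  const violations = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in floors) || !meta.version) continue;
    if (compareVersions(meta.version, floors[name]) < 0) {
      violations.push({ path, version: meta.version, floor: floors[name] });
    }
  }
  return violations;
}

// Audits the given lockfile object; defaults to the constructed sample.
function auditLockfile(lock = SAMPLE_LOCK, floors = FLOORS) {
  return findUnpatched(lock, floors);
}

// Stand-alone use: `node audit-lock.js path/to/package-lock.json`
// (file name is hypothetical). Exit code 1 signals an unpatched copy.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const bad = auditLockfile(lock);
  for (const v of bad) console.log(`${v.path}: ${v.version} < ${v.floor}`);
  process.exitCode = bad.length ? 1 : 0;
}
```

Run against the sample, the script flags only `node_modules/glob/node_modules/minimatch` (3.1.2 < 3.1.4) and accepts the two top-level copies; run against a real lockfile after `npm install`, an empty result is the confirmation the test plan is after. A quick manual cross-check is `npm ls axios minimatch`, which prints every resolved copy with its path.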