fix(deps): resolve all Dependabot security alerts #31

Merged
mdesoto merged 1 commit into main from chore/fix-dependency-vulnerabilities
Apr 14, 2026

@mdesoto mdesoto commented Apr 14, 2026

Summary

  • Update transitive dev dependencies to clear all 9 open Dependabot alerts
  • handlebars 4.7.8 → 4.7.9 (critical: JS injection, prototype pollution, DoS)
  • picomatch 2.3.1 → 2.3.2, 4.0.3 → 4.0.4 (high: method injection, ReDoS)
  • brace-expansion 1.1.12 → 1.1.14, 5.0.4 → 5.0.5 (moderate: DoS)
  • npm audit now reports 0 vulnerabilities

Test plan

  • npm run build succeeds
  • All 33 tests pass
  • CI passes on Node 20.x, 22.x, 24.x

🤖 Generated with Claude Code

Update transitive dev dependencies to patch all known vulnerabilities:
- handlebars 4.7.8 → 4.7.9 (critical: JS injection, prototype pollution)
- picomatch 2.3.1 → 2.3.2, 4.0.3 → 4.0.4 (high: method injection, ReDoS)
- brace-expansion 1.1.12 → 1.1.14, 5.0.4 → 5.0.5 (moderate: DoS via zero-step sequence)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mdesoto mdesoto merged commit 04ec4ef into main Apr 14, 2026
3 checks passed
@mdesoto mdesoto deleted the chore/fix-dependency-vulnerabilities branch April 14, 2026 22:58
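
A lockfile check for the bumps listed in this pull request, as an added example that is not code from the PR or the repository: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every installed copy still below the patched version of its major line. The function names, the `example-a`/`example-b` parent packages and the sample lockfile are assumptions constructed for illustration; the patched versions come from the PR description.

```javascript
// Patched minimums per major line, taken from the PR description above.
const PATCHED = {
  handlebars: { 4: "4.7.9" },
  picomatch: { 2: "2.3.2", 4: "4.0.4" },
  "brace-expansion": { 1: "1.1.14", 5: "5.0.5" },
};

// Parse "x.y.z" into numbers; prerelease/build suffixes are dropped (simplification).
function parse(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}
// Numeric comparison, so "1.1.12" < "1.1.14" and "2.3.10" > "2.3.2".
function lessThan(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Walk the "packages" map of a parsed package-lock.json and return every
// installed copy still below the patched version of its major line.
function findUnpatched(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Key looks like "node_modules/a/node_modules/picomatch"; keep the last name.
    const name = path.split("node_modules/").pop();
    const lines = PATCHED[name];
    if (!lines || !meta.version) continue;
    const min = lines[parse(meta.version)[0]];
    // A major line the PR does not mention is reported as unknown, not assumed safe.
    if (!min) findings.push({ path, version: meta.version, need: "unknown" });
    else if (lessThan(meta.version, min)) findings.push({ path, version: meta.version, need: min });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from the repository).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example", version: "1.0.0" },
    "node_modules/handlebars": { version: "4.7.9", dev: true },
    "node_modules/picomatch": { version: "4.0.4", dev: true },
    "node_modules/example-a/node_modules/picomatch": { version: "2.3.1", dev: true },
    "node_modules/brace-expansion": { version: "1.1.14", dev: true },
    "node_modules/example-b/node_modules/brace-expansion": { version: "5.0.4", dev: true },
  },
};
console.log(findUnpatched(SAMPLE_LOCK));
```

Nested copies matter here because picomatch and brace-expansion each appear on two major lines, so a top-level entry at the patched version does not show that a nested copy on the other line was also updated.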