chore: resolve open dependabot security alerts #1391
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
✅ Deploy Preview for openfeature ready!
Code Review
This pull request updates the 'ws' dependency to version 8.21.0 via a resolution in package.json. The reviewer recommends using a global resolution for 'ws' instead of a scoped one to ensure that all instances of the package throughout the dependency tree are correctly patched for security.
| "yaml": "^2.8.3", | ||
| "markdownlint-cli2/js-yaml": ">=4.1.1", | ||
| "@docusaurus/theme-mermaid/mermaid": "^11.15.0", | ||
| "webpack-dev-server/ws": "^8.20.1", |
For security-related dependency overrides, using a global resolution (e.g., "ws": "^8.20.1") is generally more robust than a scoped one like "webpack-dev-server/ws". A global resolution ensures that all instances of the vulnerable package throughout the entire dependency tree are patched, providing better security coverage in case other packages also depend on ws.
| "webpack-dev-server/ws": "^8.20.1", | |
| "ws": "^8.20.1", |
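Review bot: the suggested global `"ws": "^8.20.1"` widens the override from the one `webpack-dev-server` consumer to every package in the tree that depends on `ws`, so before taking it, confirm with `yarn why ws` that no other dependency is pinned to an older major that this resolution would silently replace, and check that the lockfile diff still resolves to `ws@8.21.0` as the summary states. Otherwise the global form is the right call for a security override, since a second copy of `ws` elsewhere in the tree would stay unpatched under the scoped key.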
Summary
- `ws` to `>=8.20.1` via scoped `webpack-dev-server/ws` resolution to resolve moderate vulnerability (uninitialized memory disclosure, alert #218). Lockfile now resolves to `ws@8.21.0`.
- Alert #80 (`tsup`, low, DOM Clobbering) has no patched version available and is left open.