@shouples shouples commented Nov 24, 2025

Updates:

Previous report
# npm audit report

glob  10.2.0 - 10.4.5 || 11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@openapitools/openapi-generator-cli/node_modules/glob
node_modules/@vscode/vsce/node_modules/glob
node_modules/glob
node_modules/rimraf/node_modules/glob
  @openapitools/openapi-generator-cli  2.20.4 - 2.25.0
  Depends on vulnerable versions of glob
  node_modules/@openapitools/openapi-generator-cli

hono  <=4.10.2
Severity: high
Hono Improper Authorization vulnerability - https://github.com/advisories/GHSA-m732-5p4w-x69g
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass - https://github.com/advisories/GHSA-q7jf-gf43-6x6p
fix available via `npm audit fix`
node_modules/hono

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml

playwright  <1.55.1
Severity: high
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate - https://github.com/advisories/GHSA-7mvr-c777-76hp
fix available via `npm audit fix`
node_modules/playwright
  @playwright/test  0.9.7 - 0.1112.0-alpha2 || 1.38.0-alpha-1692262648000 - 1.55.1-beta-1758616458000
  Depends on vulnerable versions of playwright
  node_modules/@playwright/test

6 vulnerabilities (1 moderate, 5 high)

Also includes some test updates for breaking playwright changes in 1.46.0:

Fixture values that are array of objects, when specified in the test.use() block, may require being wrapped into a fixture tuple. This is best seen on the example:

```ts
import { test as base } from '@playwright/test';

// Define an option fixture that has an "array of objects" value
type User = { name: string, password: string };
const test = base.extend<{ users: User[] }>({
  users: [ [], { option: true } ],
});

// Specify option value in the test.use block.
test.use({
  // WRONG: this syntax may not work for you
  users: [
    { name: 'John Doe', password: 'secret' },
    { name: 'John Smith', password: 's3cr3t' },
  ],
  // CORRECT: this syntax will work. Note extra [] around the value, and the "scope" property.
  users: [[
    { name: 'John Doe', password: 'secret' },
    { name: 'John Smith', password: 's3cr3t' },
  ], { scope: 'test' }],
});

test('example test', async () => {
  // ...
});
```
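For triaging a report like the one pasted in this PR, an added example that is not part of the PR or the repository: a small parser for the human-readable `npm audit` output that groups each advisory by package, records which dependents pull the vulnerable version in, and lists the packages at or above a severity threshold. The sample text is an excerpt of the report quoted above; the threshold gate is an assumed policy for reviewing audit PRs, not an npm feature.

```python
import re

# Constructed sample: an excerpt of the `npm audit` text report quoted in the PR above.
SAMPLE_REPORT = """\
glob  10.2.0 - 10.4.5 || 11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob
  @openapitools/openapi-generator-cli  2.20.4 - 2.25.0
  Depends on vulnerable versions of glob
  node_modules/@openapitools/openapi-generator-cli

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml

2 vulnerabilities (1 moderate, 1 high)
"""

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
HEADER_RE = re.compile(r"^(\S+)  (.+)$")  # "<package>  <vulnerable range>" (two spaces)
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

def parse_audit_report(text):  # one dict per package block; indented blocks become dependents
    findings, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("  "):  # indented: a dependent that pulls in the vulnerable package
            if (m := HEADER_RE.match(line.strip())) and cur:
                cur["dependents"].append(m.group(1))
        elif line.startswith("Severity: "):
            cur["severity"] = line.split(": ", 1)[1].strip()
        elif line.startswith("fix available"):
            cur["fix_available"] = True
        elif GHSA_RE.search(line):  # npm repeats advisory lines; record each id once
            cur["advisories"] += [g for g in GHSA_RE.findall(line) if g not in cur["advisories"]]
        elif m := HEADER_RE.match(line):  # the "N vulnerabilities (...)" summary never matches
            cur = {"package": m.group(1), "versions": m.group(2), "severity": "unknown",
                   "advisories": [], "fix_available": False, "dependents": []}
            findings.append(cur)
    return findings

def blocking(findings, threshold="high"):  # packages a merge gate on an audit PR should list
    return [f["package"] for f in findings
            if SEVERITY_RANK.get(f["severity"], -1) >= SEVERITY_RANK[threshold]]
```

Run the parser over the saved output of `npm audit` (not `npm audit --json`, which has its own structured format) to see at a glance which findings are direct versus transitive and whether `npm audit fix` covers them.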

@shouples shouples changed the title run npm audit fix for dependabot alerts [security] run npm audit fix for dependabot alerts Nov 24, 2025
@shouples shouples marked this pull request as ready for review November 24, 2025 22:32
@shouples shouples requested a review from a team as a code owner November 24, 2025 22:33
Copilot AI review requested due to automatic review settings November 24, 2025 22:33
Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

@shouples shouples marked this pull request as draft November 25, 2025 00:58