fix(deps): Address Dependabot security alerts for multiple packages #107908
Conversation
🚨 Warning: This pull request contains Frontend and Backend changes! It's discouraged to make changes to Sentry's Frontend and Backend in a single pull request. The Frontend and Backend are not atomically deployed. If the changes are interdependent of each other, they must be separated into two pull requests and be made forward or backwards compatible, such that the Backend or Frontend can be safely deployed independently. Have questions? Please ask in the
JoshFerge
left a comment
is it worth splitting this up into multiple PRs (e.g. frontend / backend)?
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
@JoshFerge don't think so as they are not interdependent
Python:
- Bump Django minimum to >=5.2.11 (3 HIGH SQL injection, 2 MEDIUM, 3 LOW)
- Bump protobuf minimum to >=5.29.6 (HIGH: JSON recursion depth bypass)
- Upgrade Werkzeug 3.0.6 -> 3.1.3 (MEDIUM: safe_join device name bypass)
- Upgrade filelock 3.13.1 -> 3.20.3 (MEDIUM: TOCTOU race condition)

Note: uv.lock will need re-locking once getsentry/pypi#1896 merges to make Django 5.2.11, protobuf 5.29.6, h2 4.3.0, and werkzeug 3.1.5 available on the Sentry PyPI mirror. Until then, werkzeug 3.1.3 and filelock 3.20.3 are the latest available versions on the mirror.

npm:
- Bump diff 8.0.2 -> 8.0.3 (LOW: DoS in parsePatch/applyPatch)
- Add pnpm override for @isaacs/brace-expansion 5.0.1 (HIGH: ReDoS)
- Add pnpm overrides for transitive diff@4.x -> 4.0.4, diff@5.x -> 5.2.2
- Add pnpm override for lodash >=4.17.23 in api-docs/ (MEDIUM: prototype pollution)
Summary
Changes
Python (pyproject.toml + uv.lock)
- Django: >=5.2.8 → >=5.2.11
- protobuf: >=5.27.3 → >=5.29.6

npm (package.json + pnpm-lock.yaml)
Blocked on PyPI mirror
uv.lock will need re-locking once getsentry/pypi#1896 merges. That PR adds Django 5.2.11, protobuf 5.29.6, h2 4.3.0, and werkzeug 3.1.5 to the Sentry PyPI mirror. Once available:

Not addressed (5 alerts)