[compliance] Update dependencies with vulnerabilities #2749
Pull request overview
This PR updates dependencies across multiple projects to address security vulnerabilities, as indicated by the "[compliance]" prefix in the title. The changes include updates to JavaScript/Node.js dependencies in the VS Code extension and test scripts, as well as PHP/Composer dependencies in the Drupal example stack.
Key changes:
- Added `js-yaml@^4.1.1` to the VS Code extension dependencies
- Updated Node.js packages in test scripts, including major updates to `less` (4.1.3→4.4.2), `shelljs` (0.8.5→0.10.0), and numerous transitive dependencies
- Updated Symfony components and other PHP packages in the Drupal stack to their latest patch versions
- Added a new `devbox.lock` file for the Node.js test environment
Reviewed changes
Copilot reviewed 1 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| vscode-extension/package.json | Added js-yaml@^4.1.1 as a new direct dependency for vulnerability mitigation |
| vscode-extension/yarn.lock | Added corresponding lock entry for js-yaml@4.1.1 |
| testscripts/shellenv/node/package-lock.json | Updated multiple dependencies including less, shelljs, and their transitive dependencies; replaced older glob-based packages with modern alternatives |
| testscripts/shellenv/node/devbox.lock | New lock file for Node.js 18 environment with package resolution metadata |
| examples/stacks/drupal/composer.lock | Updated Drupal core (10.5.1→10.5.6), Symfony components, and various PHP packages to latest patch versions for security and bug fixes |
Files not reviewed (1)
- testscripts/shellenv/node/package-lock.json: Language not supported
| @@ -0,0 +1,90 @@ | |||
| { | |||
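Review bot: the new testscripts/shellenv/node/devbox.lock (90 lines, only the opening `{` shown here) is added without any note in the PR description on why a lock is needed. devbox.json already requests nodejs@18, and without a lock each run resolves the latest patched Node.js 18 release; committing the resolved version means future Node.js security fixes only arrive when someone deliberately refreshes the lock. Please state the intent (reproducible CI resolution vs. a pin to a specific patched build) and how the lock will be kept current, or leave the file out.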
Is it necessary to add this file? Currently, we have devbox.json adding nodejs@18, and so upon execution we download the latest (and secure) version of it. With the lock file, we'll need to do more work to maintain and update it.
(I recognize that some version of my argument could apply to many other lock files we have in the repo :p)
Replaces 'macos-13' with 'macos-latest' for all matrix OS configurations in the GitHub Actions workflow. This ensures CI jobs use the most up-to-date macOS environment provided by GitHub.
Summary
Update dependencies with vulnerabilities
How was it tested?
CICD tests
Community Contribution License
All community contributions in this pull request are licensed to the project maintainers under the terms of the Apache 2 License.
By creating this pull request, I represent that I have the right to license the contributions to the project maintainers under the Apache 2 License as stated in the Community Contribution License.