MAINT: Fix 22 additional dependabot security vulnerabilities#1701
Open
romanlutz wants to merge 1 commit into microsoft:main from
Follow-up to microsoft#1683. Addresses 22 alerts that were either:

- not covered by microsoft#1683 (axios x13, jupyter-server x4, mistune ReDoS x1), or
- newly disclosed after that PR was merged (mistune XSS x3, GitPython newline injection x1).

## Changes

### Direct dependencies

- frontend/package.json: pin `axios` `1.15.0` -> `1.16.0` (GHSA-pf86-5x62-jrwf, GHSA-pmwg-cvhr-8vh7, GHSA-6chq-wfr3-2hj9, GHSA-q8qp-cvcw-x6jj, GHSA-xhjh-pmcv-23jw, GHSA-445q-vr5w-6q77, GHSA-m7pr-hjqh-92cm, GHSA-62hf-57xw-28j9, GHSA-3w6x-2g7m-8v23, GHSA-vf2m-468p-8v99, GHSA-xx6v-rp6x-q39c, GHSA-w9j2-pvgh-6h63, GHSA-5c9x-8gcm-mpgx). Pinned to exact version, matching the convention from microsoft#1683.

### Transitive dependencies (uv constraint-dependencies)

- `GitPython` `>=3.1.47` -> `>=3.1.50` (GHSA-mv93-w799-cj2w newline injection)
- `jupyter-server` `>=2.18.0` (NEW) (GHSA-5789-5fc7-67v3, GHSA-5mrq-x3x5-8v8f, GHSA-24qx-w28j-9m6p, GHSA-qh7q-6qm3-653w)
- `mistune` `>=3.2.1` (NEW) (GHSA-8mp2-v27r-99xp ReDoS, plus GHSA-v87v-83h2-53w7, GHSA-58cw-g322-p94v, GHSA-8g87-j6q8-g93x XSS)

Both `uv.lock` and `frontend/package-lock.json` were regenerated by their respective tools (not manually edited).

## Verification

- `npm audit` reports 0 vulnerabilities
- `tsc --noEmit` clean
- `npm test` 560/560 passing
- All 22 alert ranges cross-checked against resolved versions in both lockfiles - none of the vulnerable versions remain.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Follow-up to #1683. Addresses 22 Dependabot alerts that were either not covered by that PR or have been disclosed since it was merged.

## Coverage

| Package | Change |
| --- | --- |
| `axios` | `1.16.0` in `frontend/package.json` |
| `jupyter-server` | `jupyter-server>=2.18.0` added to `[tool.uv].constraint-dependencies` |
| `mistune` | `mistune>=3.2.1` |
| `GitPython` | `GitPython>=3.1.47` -> `>=3.1.50` |

## Verification

- `npm audit` reports 0 vulnerabilities
- `tsc --noEmit` clean; `npm test` 560/560 passing
- `uv.lock` / `package-lock.json` was cross-checked against the `vulnerable_version_range` from the GitHub advisory; no vulnerable version remains (including no nested `node_modules/.../axios` copies)
- Two `mistune` advisories (GHSA-58cw-g322-p94v, GHSA-8g87-j6q8-g93x) do not yet publish a `first_patched_version`, but both list `<= 3.2.0` as vulnerable, so 3.2.1 is outside the vulnerable range.
- Both `uv.lock` and `frontend/package-lock.json` were regenerated by their respective tools (not manually edited).