
chore: resolve open dependabot security alerts #252

Draft
jonathannorris wants to merge 2 commits into main from chore/dependabot-alerts

Conversation

@jonathannorris

Member

Summary

Resolves the open critical Dependabot alerts for vitest in the Angular integration test workspace.

Verification

  • npm install clean, npm audit reports 0 vulnerabilities.
  • Angular integration suite passes locally: 4 files, 58 tests green on vitest 4.1.8 (generated client built via openfeature generate angular).
  • go build ./... and go test ./... pass.

- vitest ^2.1.9 -> ^4.1.0 to fix UI server arbitrary file read/exec (critical, GHSA-5xrq-8626-4rwp, alerts #40 #41)
- @analogjs/vitest-angular ^1.11.0 -> ^2.6.0 for vitest 4 compatibility
- add ws ^8.21.0 override to avoid reintroducing GHSA-58qx-3vcg-4xpx via jsdom

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request upgrades @analogjs/vitest-angular to ^2.6.0 and vitest to ^4.1.0 in the Angular integration test package, along with adding a ws override. However, these upgraded dependencies require a higher Node.js version than the currently specified >=18 in the engines field. It is recommended to update the minimum Node.js version requirement to at least >=20 to prevent installation warnings or runtime failures.


Comment thread test/angular-integration/package.json Outdated
Comment on lines 41 to 44
"ws": "^8.21.0"
},
"engines": {
"node": ">=18"

Contributor


medium

The upgraded vitest dependency (v4.1.8) requires Node.js ^20.0.0 || ^22.0.0 || >=24.0.0. Additionally, the transitive peer dependency @angular-devkit/schematics (v22.0.0) requires Node.js ^22.22.3 || ^24.15.0 || >=26.0.0. Keeping the engine requirement at >=18 will cause installation warnings or runtime failures on older Node.js versions. Please update the minimum Node.js version in the engines field to at least >=20 (or >=22 to fully satisfy the schematics peer dependency).

Suggested change
"ws": "^8.21.0"
},
"engines": {
"node": ">=18"
"ws": "^8.21.0"
},
"engines": {
"node": ">=20"

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
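Two checks that follow from the discussion above, as an added example that is not code from this PR or from the project: the description says the ws override was added so that jsdom cannot pull a vulnerable ws back in, and the review comment explains that the vitest 4 and @angular-devkit/schematics engine ranges are stricter than `>=18`. The script walks a lockfileVersion 2/3 `packages` map to find any installed copy of a package below a floor (which is how you confirm an `overrides` entry reached nested copies, not only the hoisted one), and evaluates an `engines.node` range against a concrete Node version. The lockfile is constructed inline (the jsdom version in it is made up); the ws floor of 8.21.0 and the two Node ranges are the ones quoted on this page. The tiny semver matcher is an assumption of this example and covers only the comparator shapes that appear in those ranges.

```javascript
// Added example (not code from the PR): verify an npm override held in the
// lockfile and evaluate engines.node ranges, with no dependency on the
// semver package. Constructed lockfile below; ranges quoted from the review.

// ---- minimal semver helpers (enough for the engines ranges on this page) ----

// "22", "22.22.3", "v24.1.0" -> [major, minor, patch]
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar covered: comparators ">=X", "^X.Y.Z" or an exact version,
// space-separated (AND) and joined by "||" (OR). Caret follows the npm rule
// for major >= 1: same major, at or above the base version.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alternative) =>
    alternative.trim().split(/\s+/).every((comparator) => {
      if (comparator.startsWith(">=")) {
        return compareVersions(v, parseVersion(comparator.slice(2))) >= 0;
      }
      if (comparator.startsWith("^")) {
        const base = parseVersion(comparator.slice(1));
        return v[0] === base[0] && compareVersions(v, base) >= 0;
      }
      return compareVersions(v, parseVersion(comparator)) === 0;
    })
  );
}

// ---- lockfile checks ----

// In a lockfileVersion 2/3 "packages" map every installed copy of <name>,
// hoisted or nested under another package, has a key ending "node_modules/<name>".
function installedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages ?? {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies of <name> below minVersion; an empty list means the override held.
function copiesBelow(lock, name, minVersion) {
  const min = parseVersion(minVersion);
  return installedCopies(lock, name).filter(
    (copy) => compareVersions(parseVersion(copy.version), min) < 0
  );
}

// Does nodeVersion satisfy the workspace's own engines.node, and the range a
// tool requires? Both verdicts are returned so the caller sees which one fails.
function engineVerdict(lock, nodeVersion, toolRange) {
  const declared = lock.packages[""].engines?.node ?? "*";
  return {
    declared,
    meetsDeclared: declared === "*" || satisfies(nodeVersion, declared),
    meetsTool: satisfies(nodeVersion, toolRange),
  };
}

// Ranges quoted in the review comment on this PR.
const VITEST_4_NODE = "^20.0.0 || ^22.0.0 || >=24.0.0";
const SCHEMATICS_22_NODE = "^22.22.3 || ^24.15.0 || >=26.0.0";

// Constructed lockfile: the hoisted ws honours the override, but a nested
// copy under jsdom (jsdom version made up) was left behind.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "angular-integration", engines: { node: ">=22" } },
    "node_modules/ws": { version: "8.21.0" },
    "node_modules/jsdom": { version: "0.0.0-constructed" },
    "node_modules/jsdom/node_modules/ws": { version: "8.17.1" },
  },
};

console.log("ws copies below 8.21.0:", copiesBelow(SAMPLE_LOCK, "ws", "8.21.0"));
console.log("Node 22.0.0 verdict:", engineVerdict(SAMPLE_LOCK, "22.0.0", SCHEMATICS_22_NODE));
```

To run it against the real workspace, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("test/angular-integration/package-lock.json", "utf8"))`. Note what the second call shows: Node 22.0.0 passes the workspace's own `>=22` floor yet fails the schematics range, which is exactly the gap between "install warnings" and a floor that matches the peer dependency.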

Copilot AI left a comment



Pull request overview

Updates the Angular integration-test workspace dependencies to address Dependabot security alerts, primarily by upgrading Vitest and related tooling and pinning a safe ws version via overrides.

Changes:

  • Upgraded vitest to ^4.1.0 and @analogjs/vitest-angular to ^2.6.0 in the Angular integration workspace.
  • Added a ws override (^8.21.0) to avoid reintroducing a known vulnerable transitive version.
  • Raised the Angular integration workspace Node engine requirement from >=18 to >=22 (per diff).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File | Description
test/angular-integration/package.json | Bumps Vitest + Angular Vitest adapter versions, adds ws override, and updates Node engine floor.
test/angular-integration/package-lock.json | Regenerates lockfile to reflect upgraded dependencies (Vitest 4.x tree, new transitive deps, updated engines).

Files not reviewed (1)
  • test/angular-integration/package-lock.json: Language not supported


Comment on lines 43 to 45
"engines": {
"node": ">=18"
"node": ">=22"
}
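Review bot: `>=22` still admits Node 22.0.0 through 22.22.2, which the `@angular-devkit/schematics` peer range quoted in the earlier review comment (`^22.22.3 || ^24.15.0 || >=26.0.0`) rejects, so an early 22.x install would pass this workspace's own engines check and then warn on the peer dependency. If the intent of raising the floor is to satisfy that peer range, set `"node": ">=22.22.3"` here, or declare the vitest range (`^20.0.0 || ^22.0.0 || >=24.0.0`) directly if 20.x and 24.x are meant to remain supported.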
Comment on lines 33 to 35
"engines": {
"node": ">=18"
"node": ">=22"
}
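Review bot: this second `>=18` to `>=22` change is the lockfile's root `engines` entry (the file list above says package-lock.json had its engines updated); it should come from regenerating the lockfile alongside the package.json edit rather than from a hand edit, so the two `engines` blocks cannot drift apart on a later change.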


2 participants