
fix: resolve 72 of 79 Dependabot security alerts #2223

Open

shikanime wants to merge 1 commit into main from fix/dependabot-security-patch-no-oxfmt

fix: resolve 72 of 79 Dependabot security alerts#2223
shikanime wants to merge 1 commit into
mainfrom
fix/dependabot-security-patch-no-oxfmt

Conversation

shikanime (Member) commented Jun 17, 2026
  • pnpm overrides for 22 transitive dependencies to address security alerts
  • Dependency bumps for OpenTelemetry, Vitest, coverage tooling, and NestJS core
  • Vite 8 compatibility updates in client and server test configs
  • Package export metadata updates for workspace packages used by Vite/Vitest resolution
  • Lockfile and workspace metadata refreshed to match the patched dependency set

shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from 17176c5 to cee95c9 on June 17, 2026 10:00
shikanime marked this pull request as ready for review June 17, 2026 10:02
github-actions bot added the built label Jun 17, 2026
github-actions bot (Contributor) commented:

🤖 Hey!

The security scan report for the current pull request is available here.


shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from ff74e51 to 12b11b2 on June 17, 2026 11:46

shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from 12b11b2 to f872096 on June 17, 2026 13:15

shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from f872096 to 421d277 on June 17, 2026 13:56

shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from 19be067 to c472c4b on June 18, 2026 08:50
shikanime changed the title from "fix: resolve 72 of 79 Dependabot security alerts (no-oxfmt workspace)" to "fix: resolve 72 of 79 Dependabot security alerts" Jun 18, 2026

shikanime requested a review from StephaneTrebel June 18, 2026 09:09
shikanime self-assigned this Jun 18, 2026

iliesmrf linked an issue Jun 22, 2026 that may be closed by this pull request

StephaneTrebel (Collaborator) left a comment:

issue: Remove the patches and be careful during the rebase not to wreck the pnpm-lock 😅

shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch 2 times, most recently from 5ecdc52 to 38065d3 on June 25, 2026 15:37
shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch 5 times, most recently from 90513dd to 92f0250 on June 26, 2026 12:12

shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from 92f0250 to 17a5013 on June 26, 2026 12:19

shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch 2 times, most recently from 13d8aab to d2642c7 on June 26, 2026 12:29

- Add pnpm overrides for 22 transitive dependencies (protobufjs, fast-jwt,
  esbuild, vite, serialize-javascript, uuid, lodash, picomatch, ws, and others)
- Upgrade direct dependencies: OTel packages, @nestjs/core, @nestjs/terminus,
  @nestjs/schematics, @nestjs/testing
- Update lodash to 4.18.1 (4.18.0 was a bad release removing assignWith)
- Fix vite build: change target from ESNext to es2022 for LightningCSS compat
- Disable stylelint no-invalid-position-declaration (false positive on Vue
  inline styles)
- Upgrade vitest from 4.15 to 4.19 for Node 24 compatibility

7 remaining alerts: 4 fastify false positives (current version is safe),
2 @keycloak/keycloak-admin-client (no fix available), 1 elliptic (no fix).

Signed-off-by: Shikanime Deva <william.phetsinorath@shikanime.studio>
Change-Id: I4810079fdc0d24e04e82d7c0860463ca6a6a6964
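Both the "pnpm overrides for 22 transitive dependencies" bullet in the description and the overrides list in the commit message rely on the lockfile actually honouring those overrides, which is exactly what the review comment about wrecking the pnpm-lock during a rebase is worried about. The following Node script is an added example, not code from this PR or the project: it checks that every `pnpm.overrides` entry in package.json is reflected by pnpm-lock.yaml, reporting any resolved copy of an overridden package that is still below the pinned minimum and any override whose package no longer appears in the tree. It assumes the lockfileVersion 9 layout (a `packages:` section keyed `name@version`, scoped names single-quoted). The package.json and lockfile it scans are constructed samples; only lodash 4.18.1 is taken from the commit message, while the `ws` and `picomatch` pins and the `@nestjs/core` version are placeholders.

```javascript
// Added example, not project code: check that every entry in package.json
// `pnpm.overrides` is honoured by the resolved pnpm-lock.yaml, so that a
// security override is not silently undone by a badly rebased lockfile.

// Collect name -> Set(version) from the `packages:` section of a
// lockfileVersion 9 pnpm-lock.yaml. Keys look like "  lodash@4.18.1:" or
// "  '@nestjs/core@11.1.3':" (scoped names are single-quoted). Peer-suffixed
// keys of the form name@version(peer@version) live under `snapshots:`, which
// is outside the section scanned here. Assumption: the v9 layout described.
function resolvedVersions(lockfileText) {
  const found = new Map();
  let inPackages = false;
  for (const line of lockfileText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level key
    if (!inPackages) continue;
    const m = /^  '?((?:@[^/\s']+\/)?[^@\s']+)@([^\s(:']+)'?:\s*$/.exec(line);
    if (!m) continue;
    if (!found.has(m[1])) found.set(m[1], new Set());
    found.get(m[1]).add(m[2]);
  }
  return found;
}

// Numeric semver comparison on major.minor.patch; a prerelease of a version
// sorts below its release, prerelease tags are otherwise not ordered.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  const preA = a.includes('-'), preB = b.includes('-');
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

// Minimum version expressed by an override spec. Only exact, ^, ~ and >=
// specs are accepted; anything else (|| ranges, npm: aliases, git URLs)
// returns null so that it gets reported for a human to look at.
function minimumFromSpec(spec) {
  const m = /^(?:>=|\^|~)?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(String(spec).trim());
  return m ? m[1] : null;
}

// Returns a list of findings; an empty list means every override holds.
function checkOverrides(packageJson, lockfileText) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  const resolved = resolvedVersions(lockfileText);
  const findings = [];
  for (const [key, spec] of Object.entries(overrides)) {
    // Override keys may carry a selector, e.g. "lodash@<4.18.1"; the package
    // name is everything before the last "@" (a leading scope "@" does not count).
    const at = key.lastIndexOf('@');
    const name = at > 0 ? key.slice(0, at) : key;
    const min = minimumFromSpec(spec);
    if (min === null) { findings.push({ name, status: 'unsupported-spec', spec }); continue; }
    const versions = resolved.get(name);
    if (!versions) { findings.push({ name, status: 'stale-override', min }); continue; }
    for (const version of versions) {
      if (compareVersions(version, min) < 0) {
        findings.push({ name, status: 'below-minimum', version, min });
      }
    }
  }
  return findings;
}

// Constructed sample input. lodash 4.18.1 is the version named in the commit
// message; the ws and picomatch pins and the @nestjs/core version are
// placeholders chosen for this demonstration.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-workspace',
  pnpm: { overrides: { lodash: '>=4.18.1', ws: '^8.99.0', picomatch: '4.0.99' } },
};

const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      lodash:
        specifier: '>=4.18.1'
        version: 4.18.1

packages:

  '@nestjs/core@11.1.3':
    resolution: {integrity: sha512-constructed}

  lodash@4.18.1:
    resolution: {integrity: sha512-constructed}

  ws@8.18.0:
    resolution: {integrity: sha512-constructed}
    engines: {node: '>=10.0.0'}

  ws@8.99.0:
    resolution: {integrity: sha512-constructed}

snapshots:

  lodash@4.18.1: {}
`;

const sampleFindings = checkOverrides(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
for (const finding of sampleFindings) console.log(JSON.stringify(finding));
// Expected: ws 8.18.0 is below the ^8.99.0 override (lockfile not re-resolved),
// and the picomatch override is stale because no picomatch package is resolved.
```

To run it against a real workspace, replace the two samples with `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and `fs.readFileSync('pnpm-lock.yaml', 'utf8')` and fail the CI job when `checkOverrides` returns anything. A `below-minimum` finding means a resolved copy of the package predates the override, typically because the lockfile was resolved against a conflicting version during a rebase; a `stale-override` finding means the overridden package is no longer in the tree and the pin can be dropped rather than carried forward indefinitely. Prerelease ordering is deliberately simplified: a prerelease of the minimum version counts as below it.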
shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from d2642c7 to f2da062 on June 26, 2026 13:08

Development

Successfully merging this pull request may close these issues.

💡 [REQUEST] - Inventory of reported Dependabot issues

2 participants