Skip to content

chore(security): triage 47 dependabot alerts on main #352

Description

@loonghao

Context

When pushing to origin, GitHub reports 47 dependabot vulnerabilities on the default branch:

  • 20 high
  • 21 moderate
  • 6 low

https://github.com/loonghao/auroraview/security/dependabot

Tasks

  • Triage the list with gh api repos/loonghao/auroraview/dependabot/alerts --paginate
  • Group by ecosystem: cargo / npm / uv (python) / github-actions
  • Merge any already-open dependabot PRs that bump vulnerable packages (there are many in origin/dependabot/*)
  • For high-severity items without an auto-PR, open fix PRs manually
  • Close stale dependabot PRs that are superseded by a newer version

Non-goals

Don't do a "bump everything to latest" sweep — keep changes scoped to CVE resolution, else we risk breaking the Rust toolchain pinning / PyO3 ABI.

Acceptance

  • Dependabot alert count down to 0 high, <5 moderate, or each remaining alert has a justified reason documented on the alert

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filesecuritySecurity / sandbox / audit

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions