Skip to content

Bump dependencies to clear all open Dependabot alerts#43

Merged
vincentmakes merged 2 commits into
mainfrom
security/dependency-updates-2026-06
Jun 23, 2026
Merged

Bump dependencies to clear all open Dependabot alerts#43
vincentmakes merged 2 commits into
mainfrom
security/dependency-updates-2026-06

Conversation

@vincentmakes

Copy link
Copy Markdown
Owner

Why

Three open Dependabot-related PRs (#40, #41, #42) addressed the security alerts piecemeal and inconsistently — one even proposed removing a build dependency. They've been closed in favour of this single, audited update that brings the repo to zero open Dependabot alerts in one reviewable change, with the version bump and CHANGELOG entry the project's CI requires.

What changed

Backend — requirements.txt

Frontend — package.json / package-lock.json

Verification

  • npm audit0 vulnerabilities.
  • npm run build (tsc + vite) succeeds.
  • pip install --dry-run -r requirements.txt resolves with no conflicts (fastapi 0.109.2 / python-jose 3.4.0 / starlette 0.36.3 all satisfied).

Closes the work tracked by the previously open Dependabot PRs (#40, #41) and supersedes #42.

Consolidates the open piecemeal Dependabot PRs into a single audited
update that resolves every current security alert.

Backend (requirements.txt):
- cryptography 46.0.7 -> 48.0.1 (vulnerable bundled OpenSSL)
- python-multipart 0.0.27 -> 0.0.31 (querystring/multipart DoS &
  parameter smuggling)

Frontend (package.json / package-lock.json):
- vite ^7.3.2 -> ^7.3.5 (server.fs.deny bypass, NTLM hash disclosure)
- overrides force patched transitive deps: form-data >=4.0.6,
  js-yaml ^4.2.0, @babel/core >=7.29.6, esbuild >=0.28.1
- regenerated lockfile also lifts ws and brace-expansion to patched
  versions; npm audit reports 0 vulnerabilities

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 23, 2026

Copy link
Copy Markdown

Deploying milestone-planner with  Cloudflare Pages  Cloudflare Pages

Latest commit: 906f216
Status: ✅  Deploy successful!
Preview URL: https://b3ddc729.milestone-planner.pages.dev
Branch Preview URL: https://security-dependency-updates.milestone-planner.pages.dev

View logs

The previous lockfile was regenerated on alpine/musl, which trimmed the
optional native deps to a single platform and dropped
@rollup/rollup-linux-x64-gnu — breaking npm ci on the glibc CI runner.
Regenerated in place from the complete lockfile so all 51 platform
binaries are retained.

Also pinned ws (>=8.21.0) and brace-expansion (^1.1.13 / ^2.0.3) via
overrides to clear newer transitive advisories surfaced by npm audit.
npm ci + build + tests pass; npm audit reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vincentmakes vincentmakes merged commit 03caaae into main Jun 23, 2026
9 checks passed
@vincentmakes vincentmakes deleted the security/dependency-updates-2026-06 branch June 23, 2026 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant