
fix: remediate Dependabot security alerts (2026-06-02)#362

Closed
typeagent-bot[bot] wants to merge 1 commit into
mainfrom
automated/fix-dependabot-alerts-20260602-4

Conversation

@typeagent-bot
Contributor

@typeagent-bot typeagent-bot Bot commented Jun 2, 2026

Automated Dependabot Alert Remediation

This PR was generated by the fix-dependabot-alerts workflow.
Each fix was applied individually and verified against npm ci, npm run build, and npm test before inclusion.

Summary

  • **Applied (1):** minimatch
  • Applied via root overrides: (none)
  • Rolled back (0): (none)
  • **Unfixable via lockfile bump / overrides (3):** qs, @tootallnate/once, tar
  • Skipped (recent rollback cooldown, 0): (none)

Packages marked Unfixable require a parent-package upgrade — the advisory's safe version is outside every direct parent's declared semver range, and a root overrides entry was either silently ignored by npm or would force an incompatible version. Triage manually.

Packages added under overrides are tracked technical debt — npm will hold them at the pinned version until the entry is removed, which may mask future upstream regressions. Remove the override once a parent has shipped a compatible release.

How this works

  1. Reads open Dependabot alerts via the REST API.
  2. For each alert, attempts in order: npm update <pkg> --package-lock-only, then root overrides entry.
  3. Verifies every resolved instance in package-lock.json is ≥ the advisory's first_patched_version.
  4. Runs npm ci, npm run build, and npm test; rolls back on failure and records a 7-day cooldown.
  5. Only fixes that pass all phases land in this PR.

Review checklist

  • Verify no unrelated lockfile churn
  • Investigate any newly-rolled-back packages separately
  • If overrides were added, confirm the pinned version is acceptable policy

Automated by fix-dependabot-alerts workflow.

Applied: minimatch
Rolled back:
Unfixable: 3 package(s)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
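Step 3 of the workflow described above (verify that every resolved instance in package-lock.json is at or above the advisory's first_patched_version) is the check that distinguishes a real fix from a hoisted-copy-only fix: `npm update <pkg> --package-lock-only` can bump the root copy while a nested copy under some parent stays vulnerable. The following is an added example of that check, not the workflow's own code. It walks the `packages` map of a lockfileVersion 2/3 lockfile, treats every key ending in `node_modules/<name>` as an installed copy (root or nested), and compares each version against a threshold with a small semver comparator so it runs without the `semver` package. The lockfile contents and the threshold versions are constructed for the example and do not correspond to any real advisory.

```javascript
// Added example: check every resolved copy of a package in package-lock.json
// against an advisory's first_patched_version. Sample data is constructed.

// Parse "1.2.3" or "1.2.3-rc.1" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric fields first; a prerelease sorts below its release;
// prerelease identifiers compare numerically when both numeric, else as strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= pa.pre.length) return -1;
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (nx) return -1;
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry whose path ends in node_modules/<name> is an installed
// copy of <name>: the hoisted root copy or a copy nested under another package.
// Scoped names ("@scope/pkg") work unchanged because the suffix includes the scope.
function resolvedInstances(lock, name) {
  const suffix = `node_modules/${name}`;
  const out = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === suffix || p.endsWith(`/${suffix}`)) {
      out.push({ path: p, version: entry.version });
    }
  }
  return out;
}

// Instances still below firstPatched. An empty result means the alert is fixed
// for every copy, not just the root one.
function unpatchedInstances(lock, name, firstPatched) {
  return resolvedInstances(lock, name).filter(
    (i) => compareVersions(i.version, firstPatched) < 0
  );
}

// Constructed lockfile fragment: minimatch was bumped at the root, but a nested
// copy under glob was left behind; @tootallnate/once is nested under a parent.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/minimatch": { version: "9.0.3" },
    "node_modules/glob": { version: "7.1.6" },
    "node_modules/glob/node_modules/minimatch": { version: "3.0.4" },
    "node_modules/http-proxy-agent": { version: "4.0.1" },
    "node_modules/http-proxy-agent/node_modules/@tootallnate/once": { version: "1.1.2" },
    "node_modules/@types/minimatch": { version: "5.1.2" } // must NOT match "minimatch"
  }
};

// Report for a constructed alert: minimatch, first_patched_version "3.0.5".
function sampleReport() {
  return unpatchedInstances(SAMPLE_LOCK, "minimatch", "3.0.5");
}

for (const i of sampleReport()) {
  console.log(`still vulnerable: ${i.path} @ ${i.version}`);
}
```

When run against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and take `name` and `first_patched_version` from the alert's `security_vulnerability` object; any non-empty result means the lockfile bump did not reach every parent's copy and the alert should be treated as unfixable by that step.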
@TalZaccai TalZaccai requested a review from robgruen June 3, 2026 01:00
@typeagent-bot
Contributor Author

typeagent-bot Bot commented Jun 3, 2026

Superseded by #363.

@typeagent-bot typeagent-bot Bot closed this Jun 3, 2026
@typeagent-bot typeagent-bot Bot deleted the automated/fix-dependabot-alerts-20260602-4 branch June 3, 2026 10:39
