@sameerag sameerag commented Dec 9, 2025

Address CVEs on dev branch

@sameerag sameerag requested review from a team as code owners December 9, 2025 15:37
Copilot AI review requested due to automatic review settings December 9, 2025 15:37

Copilot AI left a comment

Pull request overview

This PR addresses security vulnerabilities (CVEs) in dependencies across sample applications by updating vulnerable packages to more secure versions. The changes are limited to sample application dependencies and the root package.json devDependencies, not affecting the core MSAL libraries.

Key changes:

  • Update nodemon from ^2.0.20 to ^3.1.11 across multiple samples (security patch)
  • Update electron from 22.3.25 to ^36.9.5 in ElectronSystemBrowserTestApp (major version bump)
  • Update axios from ^1.9.0 to ^1.12.0 in b2c-user-flows sample
  • Update @azure/identity from ^3.4.2 to ^4.5.0 in auth-code-key-vault sample (major version bump)
  • Update semver from ^7.3.4 to ^7.7.3 in root package.json (security patch)
  • Reformat package.json files for consistency (indentation changes)

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| samples/msal-node-samples/on-behalf-of-distributed-cache/package.json | Update nodemon to ^3.1.11 for CVE fixes |
| samples/msal-node-samples/client-credentials-distributed-cache/package.json | Update nodemon to ^3.1.11 for CVE fixes |
| samples/msal-node-samples/b2c-user-flows/package.json | Update axios to ^1.12.0 and reformat JSON indentation |
| samples/msal-node-samples/auth-code-key-vault/package.json | Update @azure/identity to ^4.5.0 (major version) and reformat JSON |
| samples/msal-node-samples/auth-code-distributed-cache/package.json | Update nodemon to ^3.1.11 for CVE fixes |
| samples/msal-node-samples/ElectronSystemBrowserTestApp/package.json | Update electron from 22.3.25 to ^36.9.5 (major version bump) |
| samples/msal-browser-samples/ExpressSample/package.json | Update nodemon to ^3.1.11 and reformat JSON indentation |
| package.json | Update semver to ^7.7.3 for CVE fixes |

@sameerag sameerag enabled auto-merge (squash) December 9, 2025 20:03
@sameerag sameerag disabled auto-merge December 9, 2025 20:04
@sameerag sameerag enabled auto-merge (squash) December 9, 2025 20:27
@sameerag sameerag merged commit 15f3b13 into dev Dec 9, 2025
7 checks passed
@sameerag sameerag deleted the cves-dec-2025 branch December 9, 2025 23:33