
fix(security): resolve high severity dependabot alerts #3963

Open
misama-ct wants to merge 1 commit into main from fix/security-vulnerabilities

Conversation

@misama-ct (Contributor)

Summary

This PR resolves 12 high-severity Dependabot security alerts by updating vulnerable dependencies to their patched versions.

Vulnerabilities Fixed

| Package | Severity | CVE | Version Change | Fix Method |
|---|---|---|---|---|
| vite | HIGH | CVE-2026-39363 | 6.4.1 → 6.4.2 | Direct dependency update |
| lodash | HIGH | CVE-2026-4800 | 4.17.23 → 4.18.1 | Direct dependency update + pnpm override |
| node-forge | HIGH | CVE-2026-33896 | 1.3.3 → 1.4.0 | Override update (was pinning vulnerable version) |
| node-forge | HIGH | CVE-2026-33895 | 1.3.3 → 1.4.0 | Override update |
| node-forge | HIGH | CVE-2026-33891 | 1.3.3 → 1.4.0 | Override update |
| node-forge | HIGH | CVE-2026-33894 | 1.3.3 → 1.4.0 | Override update |
| picomatch | HIGH | CVE-2026-33671 | 2.3.1 → 2.3.2 | pnpm override |
| picomatch | HIGH | CVE-2026-33671 | 2.3.1 → 2.3.2 | pnpm override |
| flatted | HIGH | CVE-2026-33228 | 3.3.3 → 3.4.2 | pnpm override |
| flatted | HIGH | CVE-2026-32141 | 3.3.3 → 3.4.2 | pnpm override |
| path-to-regexp | HIGH | CVE-2026-4867 | 0.1.12 → 0.1.13 | Lockfile re-resolution |

Not actionable (3 alerts)

The following alerts are not present in the dependency tree and are likely stale Dependabot reports:

Changes

  • package.json: Updated node-forge override from 1.3.3 → 1.4.0; added overrides for lodash, picomatch@^2, and flatted
  • 10 packages/**/package.json: Bumped direct lodash dependency from 4.17.23 → 4.18.1
  • packages/mc-scripts/package.json: vite updated from 6.4.1 → 6.4.2 (within existing ~6.4.0 range)
  • pnpm-lock.yaml: Regenerated

Consumer API impact

  • lodash is a production dependency in published packages. The 4.17.23 → 4.18.1 bump is a security-only minor release addressing _.template code injection — no API breaking changes.
  • vite is in mc-scripts (dev tooling only) — no consumer API impact.
  • All other fixes are dev-only transitive dependencies resolved via pnpm overrides — no consumer impact.

Validation

  • pnpm typecheck — No type errors
  • pnpm test — Running (CI will confirm)

Review Checklist

  • Verify no breaking changes in lodash 4.18.1
  • Confirm Dependabot alerts close after merge
  • Dismiss stale alerts for lodash-es, @xmldom/xmldom, undici

Update vulnerable dependencies to patched versions to address
12 open high-severity security alerts.
@misama-ct misama-ct requested a review from a team as a code owner April 8, 2026 09:04
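As an added reviewer check (not code from this PR or the project), the following script scans a pnpm-lock.yaml for any of the packages in the table above that still resolve below the patched version, which is the concrete way to confirm the lockfile re-resolution took effect before expecting the Dependabot alerts to close. The lockfile excerpt, the hypothetical `@xmldom/xmldom` entry and the integrity placeholders are constructed for the example.

```python
import re

# Minimum patched versions, taken from the PR's table (added example, not project code).
PATCHED = {
    "vite": "6.4.2", "lodash": "4.18.1", "node-forge": "1.4.0",
    "picomatch": "2.3.2", "flatted": "3.4.2", "path-to-regexp": "0.1.13",
}

# Package key line under "packages:", in the v6 form ("/lodash@4.17.23:") or the
# v9 form ("lodash@4.17.23:" / "'@scope/name@1.2.3':"), with optional peer suffix.
KEY_RE = re.compile(
    r"^\s{2}'?/?((?:@[^/@\s']+/)?[^@/\s']+)@(\d+\.\d+\.\d+)[^:']*'?:\s*$")

def parse_version(v: str) -> tuple:
    # Numeric compare on major.minor.patch; prerelease tags are ignored.
    return tuple(int(p) for p in v.split("."))

def lockfile_resolutions(text: str) -> dict:
    """Return {name: set of resolved versions} from a pnpm-lock.yaml string."""
    found: dict = {}
    in_packages = False
    for line in text.splitlines():
        if re.match(r"^\S", line):  # a top-level key starts a new section
            in_packages = line.startswith("packages:")
            continue
        if in_packages and (m := KEY_RE.match(line)):
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found

def find_unpatched(text: str) -> list:
    """List (name, version) pairs still resolved below the patched minimum."""
    hits = []
    for name, versions in lockfile_resolutions(text).items():
        if name in PATCHED:
            for v in sorted(versions, key=parse_version):
                if parse_version(v) < parse_version(PATCHED[name]):
                    hits.append((name, v))
    return hits

# Constructed lockfile excerpt: node-forge and one picomatch copy are still vulnerable.
SAMPLE_LOCK = """lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      lodash:
        specifier: 4.18.1
        version: 4.18.1
packages:
  '@xmldom/xmldom@0.8.10':
    resolution: {integrity: sha512-PLACEHOLDER}
  flatted@3.4.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  lodash@4.18.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  node-forge@1.3.3:
    resolution: {integrity: sha512-PLACEHOLDER}
  picomatch@2.3.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  picomatch@4.0.2:
    resolution: {integrity: sha512-PLACEHOLDER}
"""
```

Run it against the real lockfile with `find_unpatched(open("pnpm-lock.yaml").read())`; an empty list is what the "Confirm Dependabot alerts close after merge" checklist item should see.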
@changeset-bot

changeset-bot bot commented Apr 8, 2026

⚠️ No Changeset found

Latest commit: c4bc674

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@vercel

vercel bot commented Apr 8, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| mc-app-kit-playground | Ready | Preview, Comment | Apr 8, 2026 9:05am |
| merchant-center-application-kit-components-playground | Ready | Preview, Comment | Apr 8, 2026 9:05am |


@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.91%. Comparing base (ee05b63) to head (c4bc674).


@@           Coverage Diff           @@
##             main    #3963   +/-   ##
=======================================
  Coverage   71.91%   71.91%           
=======================================
  Files         263      263           
  Lines        6801     6801           
  Branches     2104     2104           
=======================================
  Hits         4891     4891           
  Misses       1889     1889           
  Partials       21       21           
| Components | Coverage Δ |
|---|---|
| Application Components | 81.18% <ø> (ø) |
| Application Shell | 74.54% <ø> (ø) |
| Application Shell Connectors | 77.54% <ø> (ø) |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@tylermorrisford (Contributor) left a comment

looks good
