
Fix Dependabot security alerts#10

Merged
fbsobreira merged 1 commit into develop from fix/dependabot-security-updates
Mar 1, 2026

Conversation

@fbsobreira
Member

Summary

  • Update eslint 9.x → 10.x, typedoc 0.27.x → 0.28.x, @eslint/js 9.x → 10.x, @typhonjs-typedoc/typedoc-theme-dmt 0.3.x → 0.4.x
  • Update @typescript-eslint/* 8.54.0 → 8.56.1, turbo 2.8.3 → 2.8.12, lint-staged 16.2.7 → 16.3.0
  • Add pnpm overrides for transitive vulnerabilities: rollup ≥4.59.0, glob>minimatch 10.2.3, markdown-it ≥14.1.1
  • Preserve error cause in PEM error handling to satisfy eslint 10 preserve-caught-error rule

Resolves all 8 open Dependabot security alerts (6 high, 2 moderate):

  • rollup — Arbitrary File Write via Path Traversal
  • minimatch (×5) — ReDoS via repeated wildcards, nested extglobs, and combinatorial backtracking
  • ajv — ReDoS when using $data option
  • markdown-it — Regular Expression Denial of Service

Test plan

  • pnpm audit returns 0 vulnerabilities
  • pnpm build — all 9 packages build successfully
  • pnpm test — all 9 packages pass (695 tests)
  • pnpm lint — all 9 packages pass with eslint 10
  • typedoc generates docs with 0.28.x and updated theme

Update dependencies to fix 13 vulnerabilities (11 high, 2 moderate):
- eslint 9.x -> 10.x (fixes minimatch, ajv transitive vulns)
- typedoc 0.27.x -> 0.28.x (fixes minimatch transitive vuln)
- @typhonjs-typedoc/typedoc-theme-dmt 0.3.x -> 0.4.x
- @eslint/js 9.x -> 10.x
- @typescript-eslint/* 8.54.0 -> 8.56.1
- typescript-eslint 8.54.0 -> 8.56.1
- turbo 2.8.3 -> 2.8.12
- lint-staged 16.2.7 -> 16.3.0

Add pnpm overrides for remaining transitive vulnerabilities:
- rollup >=4.59.0 (path traversal)
- glob>minimatch 10.2.3 (ReDoS)
- markdown-it >=14.1.1 (ReDoS)

Preserve error cause in PEM error handling (eslint 10 rule).
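The last item above refers to eslint 10's preserve-caught-error rule, which flags a catch block that throws a new error while discarding the one it caught. The following is an added illustration of that pattern, not code from this PR or from the project: a hypothetical parsePem function (the project's real PEM handling, function names and error classes are unknown here) that wraps a low-level decoding failure in a domain error while keeping the original as `cause`, beside the lossy form the rule rejects.

```javascript
// Added example, not the project's code. Demonstrates the error-cause
// preservation that eslint 10's preserve-caught-error rule enforces.
// parsePem, PemError and decodeBase64Strict are hypothetical names.

class PemError extends Error {
  constructor(message, options) {
    super(message, options); // options.cause is kept by the Error constructor (Node >= 16.9)
    this.name = "PemError";
  }
}

// Strict base64 decoder: rejects non-alphabet characters and bad padding
// instead of silently skipping them the way Buffer.from(s, "base64") does.
function decodeBase64Strict(s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(s)) {
    throw new TypeError("invalid base64 body");
  }
  return Buffer.from(s, "base64");
}

// Splits PEM armor from the body and checks that BEGIN/END labels agree.
function splitArmor(pem, expectedLabel) {
  const lines = pem.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const header = /^-----BEGIN ([A-Z0-9 ]+)-----$/.exec(lines[0] ?? "");
  const footer = /^-----END ([A-Z0-9 ]+)-----$/.exec(lines[lines.length - 1] ?? "");
  if (!header || !footer || header[1] !== footer[1]) {
    throw new PemError("missing or mismatched PEM armor");
  }
  if (expectedLabel && header[1] !== expectedLabel) {
    throw new PemError(`expected ${expectedLabel} block, got ${header[1]}`);
  }
  return { label: header[1], body: lines.slice(1, -1).join("") };
}

// The form preserve-caught-error flags: the TypeError from the decoder is
// thrown away, so a caller (or a log line) never learns why decoding failed.
function parsePemLossy(pem, expectedLabel) {
  const { label, body } = splitArmor(pem, expectedLabel);
  try {
    return { label, der: decodeBase64Strict(body) };
  } catch (err) {
    throw new PemError("PEM body is not valid base64"); // err is dropped here
  }
}

// The compliant form: the same domain error, with the caught error attached
// as `cause` so the original failure survives for debugging and logging.
function parsePem(pem, expectedLabel) {
  const { label, body } = splitArmor(pem, expectedLabel);
  try {
    return { label, der: decodeBase64Strict(body) };
  } catch (err) {
    throw new PemError("PEM body is not valid base64", { cause: err });
  }
}

module.exports = { PemError, decodeBase64Strict, splitArmor, parsePemLossy, parsePem };
```

Constructed input for trying it: a well-formed block such as `-----BEGIN PUBLIC KEY-----\nAQID\n-----END PUBLIC KEY-----` decodes to the bytes 01 02 03, while a block whose body is `@@@@` makes parsePem throw a PemError whose `.cause` is the decoder's TypeError; parsePemLossy throws the same PemError with `.cause` undefined.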
@github-actions

github-actions bot commented Mar 1, 2026

Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 10 package(s) with unknown licenses.

View full job summary

@github-actions

github-actions bot commented Mar 1, 2026

📦 Bundle Size Report

Package              Size    Gzipped
connect-contracts    86KB    17KB
connect-core         26KB    6KB
connect-crypto       29KB    7KB
connect-encoding     215KB   26KB
connect-provider     48KB    10KB
connect-react        24KB    5KB
connect-transactions 48KB    10KB
connect-wallet       59KB    10KB
connect              8KB     1KB

@fbsobreira fbsobreira merged commit 5e09d0a into develop Mar 1, 2026
9 checks passed