
fix: vulnerable dependencies in repo#11

Closed
stefanhalbritterpdg wants to merge 1 commit into main from fix/vulnerable-dependencies

Conversation

@stefanhalbritterpdg
Contributor

No description provided.

Copilot AI review requested due to automatic review settings April 1, 2026 06:28

Copilot AI left a comment


Pull request overview

This PR updates the repository’s Node.js tooling dependencies and lockfile to address vulnerable transitive packages, including forcing a patched @xmldom/xmldom version via pnpm overrides.

Changes:

  • Bumps several dev tooling dependencies (Marp CLI, Vite, Vitest, Prettier, lint-staged, tar-fs, tsx) to newer patch/minor versions.
  • Adds a pnpm override for @xmldom/xmldom to enforce a non-vulnerable version.
  • Regenerates pnpm-lock.yaml to reflect the new dependency graph and resolved versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

package.json: Updates devDependency versions and adds pnpm.overrides for @xmldom/xmldom.
pnpm-lock.yaml: Records updated resolutions/snapshots and the lockfile-level overrides entry.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Comment on lines +14 to +23
"@marp-team/marp-cli": "^4.3.1",
"@types/node": "^24.10.1",
"husky": "^9.1.7",
"js-yaml": "^4.1.1",
"lint-staged": "^16.2.6",
"prettier": "^3.6.2",
"tar-fs": "^3.1.1",
"tsx": "^4.20.6",
"lint-staged": "^16.4.0",
"prettier": "^3.8.1",
"tar-fs": "^3.1.2",
"tsx": "^4.21.0",
"typescript": "^5.9.3",
"vite": "^8.0.0",
"vitest": "^4.1.0"
"vite": "^8.0.3",
"vitest": "^4.1.2"
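Review bot: the lint-staged, prettier, tar-fs, tsx, vite and vitest entries in this hunk only raise the caret floor in package.json (for example `"vite": "^8.0.0"` to `"vite": "^8.0.3"`), and the PR has no description saying which advisory each bump closes, so a reviewer cannot tie a bump to a fix without re-running the audit. Add the advisory identifiers or the `pnpm audit` summary to the PR description, and state that the regenerated pnpm-lock.yaml is where the patched transitive resolutions are actually pinned, since these caret ranges constrain only the direct dependencies.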

Copilot AI Apr 1, 2026


The updated toolchain (notably vite@8.0.3 and lint-staged@16.4.0) has stricter Node.js engine requirements (vite requires >=20.19.0, lint-staged requires >=20.17). package.json currently doesn’t declare an engines.node range, so contributors/CI running an older Node 20.x patch can hit install/runtime failures. Consider adding an explicit "engines": {"node": ">=20.19.0"} (or whichever minimum you intend) and aligning CI/local tooling to that minimum.

},
"pnpm": {
"overrides": {
"@xmldom/xmldom": ">=0.9.9"
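Review bot: the override `"@xmldom/xmldom": ">=0.9.9"` carries no upper bound and no recorded justification. A pnpm override replaces the range every dependent in the graph requests for this package, so the PR description should name the dependent that still asks for the vulnerable range and note that the override is to be removed once that dependent updates; bound the range (for example `">=0.9.9 <1.0.0"`) and confirm the effect after install with `pnpm why @xmldom/xmldom`, which shows which dependents resolve to the overridden version.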

Copilot AI Apr 1, 2026


The pnpm override for @xmldom/xmldom is currently an open-ended range (">=0.9.9"), which would allow a future 1.x/major release to be pulled in via the override when the lockfile is refreshed. To reduce the chance of unexpected breaking changes, consider constraining the override (e.g., "^0.9.9" or ">=0.9.9 <1.0.0") while still enforcing the patched baseline.

Suggested change
"@xmldom/xmldom": ">=0.9.9"
"@xmldom/xmldom": ">=0.9.9 <1.0.0"

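The two review points above (an undeclared engines.node range, and an override whose open-ended range would admit the next major) can be checked mechanically before merging. The following Node.js script is an added example, not code from this PR or from the repository it targets. It audits a parsed package.json object against a small advisory map and reports: a missing override, an override that rejects the patched version, an override that still admits a known-vulnerable version, an override that admits the next major, and a missing engines.node. Only the range syntax seen in override specs is implemented (space-separated comparators >=, >, <=, <, = and the caret operator). The function names, the advisory map and the sample vulnerable versions are constructed for the example; the only fact taken from the PR is the ">=0.9.9" floor.

```javascript
// Added example (not from the PR or its repository): audit pnpm overrides and
// engines.node in a package.json object. Semver support is deliberately limited
// to comparators (>=, >, <=, <, =) and the caret operator.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Expand a range into comparators; caret follows npm rules (^0.9.9 => >=0.9.9 <0.10.0).
function parseRange(range) {
  return range.trim().split(/\s+/).flatMap((token) => {
    const m = /^(\^|>=|<=|>|<|=)?(\d.*)$/.exec(token);
    if (!m) throw new Error(`unsupported range token: ${token}`);
    const op = m[1] || '=';
    const ver = parseVersion(m[2]);
    if (op !== '^') return [{ op, ver }];
    const upper = ver[0] > 0 ? [ver[0] + 1, 0, 0]
      : ver[1] > 0 ? [0, ver[1] + 1, 0]
      : [0, 0, ver[2] + 1];
    return [{ op: '>=', ver }, { op: '<', ver: upper }];
  });
}

// True when `version` satisfies every comparator in `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(({ op, ver }) => {
    const c = compareVersions(v, ver);
    switch (op) {
      case '>=': return c >= 0;
      case '>': return c > 0;
      case '<=': return c <= 0;
      case '<': return c < 0;
      default: return c === 0;
    }
  });
}

// True when the range would accept the first release of the major after `patched`.
function admitsNextMajor(range, patched) {
  const [major] = parseVersion(patched);
  return satisfies(`${major + 1}.0.0`, range);
}

// pkg: parsed package.json; advisories: { name: { patched, vulnerable: [...] } }
function auditPackage(pkg, advisories) {
  const findings = [];
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  for (const [name, { patched, vulnerable }] of Object.entries(advisories)) {
    const range = overrides[name];
    if (range === undefined) {
      findings.push(`${name}: no pnpm override; transitive copies may stay below ${patched}`);
      continue;
    }
    if (!satisfies(patched, range)) {
      findings.push(`${name}: override "${range}" rejects the patched version ${patched}`);
    }
    for (const v of vulnerable.filter((ver) => satisfies(ver, range))) {
      findings.push(`${name}: override "${range}" still admits vulnerable ${v}`);
    }
    if (admitsNextMajor(range, patched)) {
      findings.push(`${name}: override "${range}" is open-ended and admits ${parseVersion(patched)[0] + 1}.0.0`);
    }
  }
  if (!pkg.engines || !pkg.engines.node) {
    findings.push('engines.node is not declared; upgraded tooling may need a newer Node');
  }
  return findings;
}

// Constructed sample input: the override as submitted in the PR versus the
// bounded override and engines range suggested in review. The vulnerable
// version list is illustrative (anything below the 0.9.9 floor).
const advisories = { '@xmldom/xmldom': { patched: '0.9.9', vulnerable: ['0.8.10', '0.9.8'] } };
const asSubmitted = { pnpm: { overrides: { '@xmldom/xmldom': '>=0.9.9' } } };
const asSuggested = {
  engines: { node: '>=20.19.0' },
  pnpm: { overrides: { '@xmldom/xmldom': '>=0.9.9 <1.0.0' } },
};

const submittedFindings = auditPackage(asSubmitted, advisories);
const suggestedFindings = auditPackage(asSuggested, advisories);
console.log('as submitted:', submittedFindings);
console.log('as suggested:', suggestedFindings);
```

Run with `node audit.js` after replacing the constructed objects with `JSON.parse(fs.readFileSync('package.json'))`; the submitted shape yields the open-ended-range and missing-engines findings, the suggested shape yields none. The same check can run in CI so a refreshed lockfile cannot quietly widen an override.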
@stefanhalbritterpdg stefanhalbritterpdg deleted the fix/vulnerable-dependencies branch April 1, 2026 06:31