fix: patch vulnerabilities and bump outdated dependencies #7429

Open

waldekmastykarz wants to merge 1 commit into pnp:main from waldekmastykarz:waldekmastykarz-weekly-deps-bump-jun-29

Conversation

@waldekmastykarz (Member)

Summary

Patches eligible npm vulnerabilities and bumps outdated dependencies that have passed the 7-day cooldown period.

Vulnerabilities fixed

| Package | Severity | Fix | Advisory |
|---|---|---|---|
| form-data | high | 4.0.5 → 4.0.6 | CRLF injection (GHSA-hmw2-7cc7-3qxx) |
| undici | high | ≤6.26.0 → 6.27.0+ | HTTP header injection, WebSocket DoS, response queue poisoning |
| js-yaml | moderate | 4.1.1 → 4.2.0 | Quadratic DoS in merge key handling |

Dependencies bumped

| Package | From | To |
|---|---|---|
| axios | 1.16.1 | 1.18.1 |
| @types/node | 24.12.4 | 24.13.2 |
| @typescript-eslint/eslint-plugin | 8.60.0 | 8.62.0 |
| @typescript-eslint/parser | 8.60.1 | 8.62.0 |
| csv-stringify | 6.7.0 | 6.8.0 |
| semver | 7.8.1 | 7.8.5 |
| uuid | 14.0.0 | 14.0.1 |
| globals | 17.6.0 | 17.7.0 |
| @inquirer/confirm | 6.1.0 | 6.1.1 |
| @inquirer/input | 5.1.0 | 5.1.2 |
| @inquirer/select | 5.2.0 | 5.2.1 |

Remaining vulnerabilities (not patchable without breaking changes)

30 moderate/high vulnerabilities in @opentelemetry/* and protobufjs — all require downgrading applicationinsights from 3.x to 2.x (semver-major breaking change). These should be addressed when applicationinsights releases a compatible fix.

Packages in cooldown (< 7 days since publish)

| Package | Version | Eligible date |
|---|---|---|
| @azure/msal-node | 5.3.0 | Jun 30, 2026 |
| @azure/msal-common | 16.10.0 | Jun 30, 2026 |
| eslint | 10.6.0 | Jul 3, 2026 |
| tsc-watch | 7.2.1 | Jul 5, 2026 |

Verification

  • ✅ Build passes
  • ✅ All 15,938 tests pass

Supersedes #7418

- Fix high-severity vulnerabilities: undici, form-data
- Bump outdated packages: axios, @types/node, @typescript-eslint/eslint-plugin,
  @typescript-eslint/parser, csv-stringify, semver, uuid, globals,
  @inquirer/confirm, @inquirer/input, @inquirer/select

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
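The PR description applies a publish cooldown: a new release is only bumped once it has been on the registry for 7 days, and anything younger is listed with the date on which it becomes eligible. The script below is an added example, not code from this PR or from the project; it shows one way to compute that split. The registry data and package names (`example-pkg-a` and so on) are constructed for the example and shaped like the `time` object that `npm view <pkg> time --json` returns; the version comparison handles only stable `x.y.z` versions and skips prereleases, so the comparison function is an assumption rather than a drop-in for the `semver` package.

```javascript
// Added example, not part of this PR or the project's code: decides which
// dependency updates have cleared a publish cooldown (the 7-day rule the PR
// description applies). Registry data is constructed for the example and is
// shaped like the "time" object returned by `npm view <pkg> time --json`.

const COOLDOWN_DAYS = 7;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed sample input: package -> { version -> ISO publish timestamp }.
// The npm "time" object also carries "created" and "modified" keys, which
// are not versions and must be ignored.
const sampleRegistryTimes = {
  'example-pkg-a': {
    created: '2026-06-01T10:00:00.000Z',
    modified: '2026-06-20T10:00:00.000Z',
    '1.0.0': '2026-06-01T10:00:00.000Z',
    '1.1.0': '2026-06-20T10:00:00.000Z',
  },
  'example-pkg-b': {
    '2.0.0': '2026-06-10T10:00:00.000Z',
    '2.1.0': '2026-06-27T10:00:00.000Z',
  },
  'example-pkg-c': {
    '3.0.0': '2026-06-01T10:00:00.000Z',
    '3.1.0': '2026-06-15T10:00:00.000Z',
    '3.2.0-beta.1': '2026-06-25T10:00:00.000Z', // prerelease, skipped
    '3.2.0': '2026-06-28T10:00:00.000Z',
  },
};

// Constructed sample input: versions currently pinned in package.json.
const sampleInstalled = {
  'example-pkg-a': '1.0.0',
  'example-pkg-b': '2.0.0',
  'example-pkg-c': '3.0.0',
};

const STABLE_VERSION = /^\d+\.\d+\.\d+$/;

// Numeric comparison of stable x.y.z versions (assumed helper; prereleases
// are filtered out before this is called).
function semverCompare(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Date on which a version published at `publishedAt` leaves the cooldown window.
function eligibleDate(publishedAt, cooldownDays = COOLDOWN_DAYS) {
  return new Date(new Date(publishedAt).getTime() + cooldownDays * MS_PER_DAY);
}

function isoDay(date) {
  return date.toISOString().slice(0, 10);
}

// For each package: a "bump" entry targeting the newest version that is both
// newer than the installed one and past the cooldown, plus a "cooldown" entry
// (with its eligible date) when the newest stable release is still inside the window.
function classifyUpdates(registryTimes, installed, now, cooldownDays = COOLDOWN_DAYS) {
  const result = { bump: [], cooldown: [] };
  for (const [pkg, times] of Object.entries(registryTimes)) {
    const current = installed[pkg];
    if (!current) continue; // not a dependency of this project
    const newer = Object.keys(times)
      .filter((v) => STABLE_VERSION.test(v) && semverCompare(v, current) > 0)
      .sort(semverCompare);
    if (newer.length === 0) continue;

    const newest = newer[newer.length - 1];
    const newestEligible = eligibleDate(times[newest], cooldownDays);
    if (newestEligible > now) {
      result.cooldown.push({ package: pkg, version: newest, eligibleDate: isoDay(newestEligible) });
    }
    // Fall back to the newest version that has already cleared the window, if any.
    const ready = newer.filter((v) => eligibleDate(times[v], cooldownDays) <= now);
    if (ready.length > 0) {
      result.bump.push({ package: pkg, from: current, to: ready[ready.length - 1] });
    }
  }
  return result;
}

// Evaluate the constructed sample as of a fixed date so the run is reproducible.
const report = classifyUpdates(sampleRegistryTimes, sampleInstalled, new Date('2026-06-29T00:00:00Z'));
console.log(JSON.stringify(report, null, 2));
```

Run against real data, `registryTimes` would be built from `npm view <pkg> time --json` for each entry in `package.json`, and `now` would be the current date. The fallback in `classifyUpdates` is the part worth noting: when the newest release is still in cooldown but an older release has cleared it, the older one is still proposed, so a package is not held back entirely just because its latest version is fresh.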