
fix(deps): clear Dependabot alerts for @babel/core, js-yaml, undici#67

Merged
GeiserX merged 1 commit into main from fix/dep-cves-undici-babel-jsyaml on Jun 20, 2026

Conversation

GeiserX (Owner) commented Jun 20, 2026

What

Adds explicit npm override floors so the security-patched transitive deps cannot regress on a future lockfile regeneration. Same mechanism already used in this repo for esbuild, postcss, lodash, minimatch, etc.

| Package | Override | Advisory | Severity |
|---|---|---|---|
| @babel/core | ^7.29.6 → resolves 7.29.7 | GHSA-4x5r-pxfx-6jf8 | low |
| js-yaml | ^4.2.0 | GHSA-h67p-54hq-rp68 | medium |
| jsdom > undici | ^7.28.0 | GHSA-hm92-r4w5-c3mj, GHSA-vmh5-mc38-953g, GHSA-35p6-xmwp-9g52, GHSA-g8m3-5g58-fq7m, GHSA-p88m-4jfj-68fv, GHSA-pr7r-676h-xcf6 | high / med / low |
| testcontainers > undici | ^8.5.0 | same undici advisories (8.x branch) | high / med / low |

Why nested overrides for undici

undici resolves to two majors in the tree, and a flat pin would break one of them:

  • jsdom (component tests) requires undici ^7.25.0 → patched to 7.28.0
  • testcontainers (integration tests) requires undici ^8.3.0 → patched to 8.5.0

Per-parent nested overrides patch each major on its own branch, avoiding a breaking downgrade of testcontainers to 7.x.

Runtime impact

None. All four packages are dev/build-only — zero entries in production dependencies (jsdom, testcontainers, @babel/core, js-yaml are all dev tooling). The runtime Docker image is unaffected.

The bulk of the lockfile diff is the @babel/* toolchain moving 7.29.0 → 7.29.7 as a set, pulled by the @babel/core floor.

Verification

  • npm audit — 0 vulnerabilities
  • npm ci — clean, package.json ↔ lock in sync
  • tsc --noEmit — pass
  • npm run lint — pass (pre-existing warnings only)
  • npm test — 533/533 passed (75 files)
  • npm run build — pass, 31/31 static pages

…abot alerts

Adds explicit npm override floors so the security-patched versions cannot
regress on future lockfile regenerations:

- @babel/core ^7.29.6  (GHSA-4x5r-pxfx-6jf8, low) -> resolves 7.29.7
- js-yaml ^4.2.0        (GHSA-h67p-54hq-rp68, medium)
- jsdom > undici ^7.28.0       (high/med/low undici advisories, 7.x branch)
- testcontainers > undici ^8.5.0 (same advisories, 8.x branch)

undici is split across two majors (jsdom needs 7.x, testcontainers needs
8.x), so nested per-parent overrides patch each branch without forcing a
breaking downgrade. All four packages are dev/build-only (zero runtime
dependencies), so the production image is unaffected.

npm audit: 0 vulnerabilities. tsc, lint, 533 tests, next build all green.
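The PR description and commit message above explain why undici needs per-parent nested overrides rather than one flat pin. The following is an added example, not code from this repository: a small Node check that reads an `overrides` object and a lockfile-style `packages` map and reports any floor (flat or `parent > child`) the resolved tree no longer honours, so a regenerated lockfile can be gated in CI. The `overrides`, `lockPackages` and `flatPinLock` data are constructed to mirror the PR (parent package versions are placeholders), and the lockfileVersion 3 path layout is an assumption.

```javascript
// Constructed data mirroring the PR's overrides (assumption: npm lockfileVersion 3 layout).
const overrides = {
  "@babel/core": "^7.29.6",
  "js-yaml": "^4.2.0",
  jsdom: { undici: "^7.28.0" },           // nested: floor for undici as seen by jsdom
  testcontainers: { undici: "^8.5.0" },   // nested: floor for undici as seen by testcontainers
};
const lockPackages = {                    // "packages" map of a lockfile: path -> resolved
  "node_modules/@babel/core": { version: "7.29.7" },
  "node_modules/js-yaml": { version: "4.2.0" },
  "node_modules/jsdom": { version: "26.0.0" },          // parent versions are placeholders
  "node_modules/undici": { version: "7.28.0" },         // hoisted 7.x copy, reached by jsdom
  "node_modules/testcontainers": { version: "11.0.0" },
  "node_modules/testcontainers/node_modules/undici": { version: "8.5.0" }, // 8.x branch
};
const parse = (v) => v.split(".").map(Number);
// Caret range check: same major (same minor for 0.x) and not older than the floor.
function satisfiesCaret(version, range) {
  const floor = parse(range.replace(/^\^/, "")), v = parse(version);
  if (v[0] !== floor[0] || (floor[0] === 0 && v[1] !== floor[1])) return false;
  for (let i = 0; i < 3; i++) if (v[i] !== floor[i]) return v[i] > floor[i];
  return true;
}
// Resolve `dep` from `fromPath` as Node does: nearest node_modules, walking up to the root.
function resolveFrom(lock, fromPath, dep) {
  for (let dir = fromPath; ; dir = dir.replace(/(^|\/)node_modules\/[^/]+$/, "")) {
    const key = dir ? `${dir}/node_modules/${dep}` : `node_modules/${dep}`;
    if (lock[key]) return lock[key].version;
    if (!dir) return null;
  }
}
// Returns violations; an empty list means every flat and nested floor holds in the lock.
function checkOverrides(ovr, lock) {
  const bad = [];
  for (const [name, spec] of Object.entries(ovr)) {
    if (typeof spec === "string") {         // flat override: root resolution must satisfy it
      const v = resolveFrom(lock, "", name);
      if (!v || !satisfiesCaret(v, spec)) bad.push(`${name}: ${v} !~ ${spec}`);
      continue;
    }                                       // nested: check under every copy of the parent
    const parents = Object.keys(lock).filter((k) => k.endsWith(`node_modules/${name}`));
    for (const p of parents) for (const [child, range] of Object.entries(spec)) {
      const v = resolveFrom(lock, p, child);
      if (!v || !satisfiesCaret(v, range)) bad.push(`${name} > ${child}: ${v} !~ ${range}`);
    }
  }
  return bad;
}
// Why a flat pin fails: hoist only 8.5.0 and jsdom's ^7.28.0 floor is violated.
const flatPinLock = { ...lockPackages, "node_modules/undici": { version: "8.5.0" } };
```

Running `checkOverrides(overrides, lockPackages)` yields no violations, while `checkOverrides(overrides, flatPinLock)` reports `jsdom > undici`, which is the breakage the nested overrides avoid.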
coderabbitai Bot commented Jun 20, 2026

Warning

Review limit reached

@GeiserX, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 minutes and 1 second. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 03d72c4c-b24c-45f4-b4ed-8d4bd51e40ab

📥 Commits

Reviewing files that changed from the base of the PR and between 25ff8b6 and ade3759.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

@GeiserX GeiserX merged commit 18674db into main Jun 20, 2026
8 checks passed
@GeiserX GeiserX deleted the fix/dep-cves-undici-babel-jsyaml branch June 20, 2026 11:39