Skip to content

chore: refresh security dependencies#674

Merged
zibs merged 2 commits into
mainfrom
codex/security-dependency-refresh
Jun 5, 2026
Merged

chore: refresh security dependencies#674
zibs merged 2 commits into
mainfrom
codex/security-dependency-refresh

Conversation

@zibs

@zibs zibs commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator

Description

Refreshes security-sensitive dependency resolutions in the root workspace and website lockfiles.

This updates the root Changesets tooling and patched transitive dependency versions for packages flagged by GitHub security alerts, including braces, cross-spawn, micromatch, picomatch, ws, postcss, webpack, path-to-regexp, and related Docusaurus/website dependencies.

The website Docusaurus packages were upgraded to 3.10.1, with targeted Yarn 1 resolutions added for vulnerable transitive packages that remain inside valid semver ranges.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Tested locally with Node 24.16.0.

  • yarn install --immutable
  • cd website && yarn install --frozen-lockfile
  • yarn check:code
  • cd website && yarn build

Checklist

  • No changeset required; this only updates dev/docs dependencies and lockfiles.
  • I have performed a self-review of my own code
  • I have run yarn run check:code and all checks pass
  • No documentation update required
  • No new tests required; this is a dependency/security maintenance change
  • Any dependent changes have been merged and published in downstream modules

@zibs zibs requested a review from Copilot June 4, 2026 17:28
@changeset-bot

changeset-bot Bot commented Jun 4, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 5839672

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel

vercel Bot commented Jun 4, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
victory-native-xl-docs Ready Ready Preview, Comment Jun 4, 2026 5:32pm

Request Review

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refreshes security-sensitive dependency versions across the monorepo by updating Changesets tooling in the root workspace and upgrading the website’s Docusaurus stack, with additional Yarn 1 resolutions to pin patched transitive packages implicated by security alerts (Issue #588 context: vulnerable dependency remediation).

Changes:

  • Bumps root @changesets/cli and its dependency graph, updating the root lockfile accordingly.
  • Upgrades website Docusaurus packages to 3.10.1 and bumps postcss.
  • Adds targeted website resolutions to force patched versions of vulnerable transitive dependencies (e.g., braces, cross-spawn, micromatch, picomatch, path-to-regexp, webpack, ws).

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File Description
package.json Updates root Changesets CLI version (dev tooling).
yarn.lock Updates locked dependency graph to match the refreshed Changesets/tooling and patched transitive versions.
website/package.json Upgrades Docusaurus and adds Yarn 1 resolutions to pin patched transitive dependencies for the docs site.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@zibs zibs merged commit 6af69cc into main Jun 5, 2026
3 checks passed
@zibs zibs deleted the codex/security-dependency-refresh branch June 5, 2026 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants