chore: refresh security dependencies#674
Conversation
|
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Refreshes security-sensitive dependency versions across the monorepo by updating Changesets tooling in the root workspace and upgrading the website’s Docusaurus stack, with additional Yarn 1 resolutions to pin patched transitive packages implicated by security alerts (Issue #588 context: vulnerable dependency remediation).
Changes:
- Bumps root
@changesets/cliand its dependency graph, updating the root lockfile accordingly. - Upgrades website Docusaurus packages to
3.10.1and bumpspostcss. - Adds targeted website
resolutionsto force patched versions of vulnerable transitive dependencies (e.g.,braces,cross-spawn,micromatch,picomatch,path-to-regexp,webpack,ws).
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Updates root Changesets CLI version (dev tooling). |
| yarn.lock | Updates locked dependency graph to match the refreshed Changesets/tooling and patched transitive versions. |
| website/package.json | Upgrades Docusaurus and adds Yarn 1 resolutions to pin patched transitive dependencies for the docs site. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Description
Refreshes security-sensitive dependency resolutions in the root workspace and website lockfiles.
This updates the root Changesets tooling and patched transitive dependency versions for packages flagged by GitHub security alerts, including
braces,cross-spawn,micromatch,picomatch,ws,postcss,webpack,path-to-regexp, and related Docusaurus/website dependencies.The website Docusaurus packages were upgraded to
3.10.1, with targeted Yarn 1 resolutions added for vulnerable transitive packages that remain inside valid semver ranges.Type of Change
How Has This Been Tested?
Tested locally with Node
24.16.0.yarn install --immutablecd website && yarn install --frozen-lockfileyarn check:codecd website && yarn buildChecklist
yarn run check:codeand all checks pass