
Fix Component Governance alert: Upgrade underscore from 1.12.1 to 1.13.8 #3024

Open: sunbrk wants to merge 3 commits into main from users/shakeels/cg_Fix_april2_1

Conversation


@sunbrk sunbrk commented Apr 3, 2026

Description

This PR upgrades the underscore dependency from version 1.12.1 to 1.13.8 to resolve a component governance security alert.

Changes Made

  • Updated underscore version in package.json overrides section from 1.12.1 to 1.13.8
  • Regenerated pnpm-lock.yaml to reflect the updated dependency version

Why This Change is Needed

  • Security Fix: Addresses a component governance alert flagging underscore version 1.12.1 as vulnerable
  • Compliance: Ensures the project meets security compliance requirements
  • Risk Mitigation: Upgrades to a patched version (1.13.8) that resolves known security issues

Files Modified

  • package.json - Updated underscore version in overrides
  • pnpm-lock.yaml - Lock file updated via pnpm install

Validation

Validation performed:

  • ✅ Dependencies installed successfully with pnpm install
  • ✅ No breaking changes expected (minor version upgrade from 1.12.x to 1.13.x)
  • ✅ All existing functionality should remain intact

Unit Tests added:

No

End-to-end tests added:

No

Additional Requirements

Change file added:

Yes
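The override described above only closes the alert if the regenerated lockfile really stopped resolving 1.12.1 anywhere in the graph. The following check is an added example and is not code from the teams-js repository or from this PR: it reads the `pnpm.overrides` block of a package.json and scans a pnpm lockfile for any resolved version that does not satisfy its override. The package.json fragment and lockfile excerpts are constructed for the example, the lockfile scan is a line-based match on the `packages:`/`snapshots:` keys rather than a full YAML parse, and the small semver matcher only handles the spec forms that appear in that overrides block (exact, `>=`, `^`); all of those are assumptions of the example.

```javascript
// Added example, not part of the teams-js repository or this PR: verify that
// every package version a pnpm lockfile resolves satisfies the matching entry
// in package.json "pnpm.overrides". Lockfile parsing is a line-based scan of
// keys such as "  underscore@1.13.8:" (lockfile v6/v9) or "  /underscore/1.12.1:"
// (older formats); that, and the limited semver support below, are assumptions
// of this example rather than a full YAML/semver implementation.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Only the spec forms that appear in the overrides block are supported: an
// exact version ("1.13.8"), a floor (">=6.2.1") and a caret range ("^4.1.3").
// Anything unparseable returns false so the check fails closed instead of
// silently accepting a version it cannot judge.
function satisfiesOverride(version, spec) {
  const ver = parseSemver(version);
  if (!ver) return false;
  if (spec.startsWith('>=')) {
    const min = parseSemver(spec.slice(2));
    return min !== null && compareSemver(ver, min) >= 0;
  }
  if (spec.startsWith('^')) {
    const base = parseSemver(spec.slice(1));
    if (base === null || compareSemver(ver, base) < 0) return false;
    // caret keeps the major (or, for 0.x, the minor) fixed
    return base[0] === 0 ? ver[0] === 0 && ver[1] === base[1] : ver[0] === base[0];
  }
  const exact = parseSemver(spec);
  return exact !== null && compareSemver(ver, exact) === 0;
}

// Every (name, version) pair the lockfile resolves, including scoped packages
// and entries with a peer-dependency suffix such as "foo@1.0.0(bar@2.0.0)".
function lockfileResolutions(lockText) {
  const entry = /^\s{2}['"]?\/?((?:@[^\/\s'"]+\/)?[^@\/\s'"]+)[@\/](\d[^\s:('"]*)/;
  const out = [];
  for (const line of lockText.split('\n')) {
    const m = entry.exec(line);
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// Lockfile entries that violate an override; an empty array means the
// override actually took effect everywhere in the graph.
function findStaleResolutions(packageJson, lockText) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  const has = (name) => Object.prototype.hasOwnProperty.call(overrides, name);
  return lockfileResolutions(lockText)
    .filter(({ name, version }) => has(name) && !satisfiesOverride(version, overrides[name]))
    .map(({ name, version }) => ({ name, version, spec: overrides[name] }));
}

// Constructed sample inputs (not the real files from the repository).
const SAMPLE_PACKAGE_JSON = {
  pnpm: {
    overrides: {
      tar: '>=6.2.1',
      'tough-cookie': '^4.1.3',
      underscore: '1.13.8',
    },
  },
};

// Builds a constructed lockfile; with keepOldUnderscore the flagged 1.12.1
// entry is still present, as it would be if the lockfile were not regenerated.
function sampleLockfile(keepOldUnderscore) {
  const entries = [['lodash', '4.17.21'], ['tar', '6.2.1'], ['tough-cookie', '4.1.4'], ['underscore', '1.13.8']];
  if (keepOldUnderscore) entries.push(['underscore', '1.12.1']);
  const lines = ["lockfileVersion: '9.0'", '', 'packages:', ''];
  for (const [name, version] of entries) {
    lines.push(`  ${name}@${version}:`, '    resolution: {integrity: sha512-constructed}', '');
  }
  return lines.join('\n');
}

const STALE_LOCKFILE = sampleLockfile(true);
const CLEAN_LOCKFILE = sampleLockfile(false);

for (const [label, lock] of [['stale', STALE_LOCKFILE], ['clean', CLEAN_LOCKFILE]]) {
  const stale = findStaleResolutions(SAMPLE_PACKAGE_JSON, lock);
  console.log(label, stale.length === 0 ? 'ok' : JSON.stringify(stale));
}
```

Run against the real files the same way (`JSON.parse(fs.readFileSync('package.json'))` and the text of `pnpm-lock.yaml`); a non-empty result is the signal that an override was edited without the lockfile being regenerated, which is the case a Component Governance scanner would still flag.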

@sunbrk sunbrk requested a review from a team as a code owner April 3, 2026 00:03
@sunbrk sunbrk requested a review from jekloudaMSFT April 3, 2026 00:04

github-actions bot commented Apr 3, 2026

size-limit report 📦

Path: packages/teams-js/dist/esm/packages/teams-js/src/index.js
Size: 202.69 KB (0%)
Loading time (3g): 4.1 s (0%)
Running time (snapdragon): 1.8 s (+8.4% 🔺)
Total time: 5.9 s

@sunbrk sunbrk requested review from Copilot and jekloudaMSFT and removed request for jekloudaMSFT April 3, 2026 00:27

Copilot AI left a comment


Pull request overview

Upgrades the underscore dependency override to address a component governance security alert, updating the root dependency override and regenerating the pnpm lockfile accordingly.

Changes:

  • Bumped underscore override from 1.12.1 to 1.13.8 in root package.json.
  • Regenerated pnpm-lock.yaml to resolve and pin underscore@1.13.8.
  • Added a Beachball change file recording the security-related dependency upgrade.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

package.json: Updates the pnpm override to force underscore@1.13.8.
pnpm-lock.yaml: Reflects the resolved underscore@1.13.8 version and integrity in the lockfile.
change/@microsoft-teams-js-a8f7b2c1-5d4e-4a9c-8b3f-7c6e9d2a1b5e.json: Adds a patch change entry documenting the security-driven upgrade.

Files not reviewed (1):
  • pnpm-lock.yaml: Language not supported


Comment on lines 140 to 145
"string_decoder": "^1.3.0",
"tar": ">=6.2.1",
"tough-cookie": "^4.1.3",
"underscore": "1.12.1",
"underscore": "1.13.8",
"url-parse": "^1.5.0",
"word-wrap": "^1.2.4",
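Review bot: the new override pins underscore to the exact version "1.13.8" while the neighbouring `"tar": ">=6.2.1"` expresses a floor; an exact pin holds the whole dependency graph on 1.13.8 until someone edits package.json again, so either write `"underscore": ">=1.13.8"` if the intent is simply "at least the fixed release", or record why the exact pin is wanted. Because a pnpm override forces every transitive consumer onto this version, also confirm in the regenerated pnpm-lock.yaml that no `underscore@1.12.1` entry survives and that the packages which pulled 1.12.1 in still resolve cleanly against 1.13.8.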

Copilot AI Apr 3, 2026


The pnpm overrides-explanation section documents why each override exists, but there is no entry for the underscore override. Since this PR updates the override version for a security alert, please add an underscore key under pnpm.overrides-explanation describing the reason and any relevant context (e.g., the component governance/vulnerability motivation) so future maintainers know why it’s pinned.

Contributor


@sunbrk I think this is a good idea too, but given this is a security concern I support merging now and keeping an ADO item tracked to follow up on this.

