WIP: Chore(deps): Minor dependency version bumps to fix security issues#7864

Open
KhizerRehan wants to merge 1 commit into kubermatic:main from KhizerRehan:fix-cve-issue

Conversation

@KhizerRehan
Contributor

@KhizerRehan KhizerRehan commented Feb 17, 2026

This PR fixes high-severity CVE vulnerabilities by upgrading @angular/cli to 20.3.16 and start-server-and-test to 2.1.3 to address security issues including the ModelContextProtocol SDK dependency chain.

Summary:

The dependency chain is straightforward and direct:

  @angular/cli@20.3.16  (devDependency)
    └── @modelcontextprotocol/sdk@1.26.0  (direct dependency, pinned exactly)

Before:

7 vulnerabilities (4 low, 3 high)

To address issues that do not require attention, run:
  npm audit fix

After:

4 low severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Build:

[Screenshot of the build output, 2026-02-17]

Tests

[Screenshot of the test output, 2026-02-17]

What type of PR is this?

Special notes for your reviewer:

Does this PR introduce a user-facing change? Then add your Release Note here:

Fixes CVE vulnerabilities identified in npm audit

Documentation:

NONE

@kubermatic-bot kubermatic-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. docs/none Denotes a PR that doesn't need documentation (changes). do-not-merge/code-freeze Indicates that a PR should not merge because it has not been approved for code freeze yet. labels Feb 17, 2026
@kubermatic-bot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign waseem826 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubermatic-bot kubermatic-bot added dco-signoff: no Denotes that at least one commit in the pull request doesn't have a valid DCO signoff message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 17, 2026
@KhizerRehan KhizerRehan force-pushed the fix-cve-issue branch 2 times, most recently from a90e5fb to ac85dc0 Compare February 17, 2026 15:27
@kubermatic-bot kubermatic-bot added dco-signoff: yes Denotes that all commits in the pull request have the valid DCO signoff message. and removed dco-signoff: no Denotes that at least one commit in the pull request doesn't have a valid DCO signoff message. labels Feb 17, 2026
@ahmadhamzh
Contributor

/retest

@Waseem826 Waseem826 added the code-freeze-approved Indicates a PR has been approved by release managers during code freeze. label Feb 18, 2026
@kubermatic-bot kubermatic-bot removed the do-not-merge/code-freeze Indicates that a PR should not merge because it has not been approved for code freeze yet. label Feb 18, 2026
@KhizerRehan
Contributor Author

/hold

@kubermatic-bot kubermatic-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 18, 2026
@KhizerRehan KhizerRehan removed the request for review from ahmadhamzh February 19, 2026 07:58
@KhizerRehan KhizerRehan changed the title Chore(deps): Minor dependency version bumps to fix security issues WIP: Chore(deps): Minor dependency version bumps to fix security issues Feb 23, 2026
@kubermatic-bot kubermatic-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 23, 2026