Chore: resolve vulnerabilities in transitive NPM dependencies#95
Pull request overview
This PR addresses reported security vulnerabilities in transitive NPM dependencies by adding npm overrides and bumping the plugin version to 1.1.2 across WordPress metadata files and changelog.
Changes:
- Added additional `overrides` entries in `package.json` for vulnerable transitive dependencies.
- Bumped plugin version from `1.1.1` to `1.1.2` in `readme.txt` and `onedesign.php`.
- Added a `1.1.2` entry to `CHANGELOG.md` noting the security-related dependency work.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| readme.txt | Updates WordPress “Stable tag” to 1.1.2. |
| package.json | Adds new overrides to force patched transitive dependency versions. |
| onedesign.php | Updates plugin header version and ONEDESIGN_VERSION constant to 1.1.2. |
| CHANGELOG.md | Documents the 1.1.2 security-related dependency change. |
| "overrides": { | ||
| "@babel/runtime": "^7.27.6", | ||
| "react": "^18.3.1", | ||
| "react-dom": "^18.3.1", | ||
| "webpack-dev-server@<=5.2.0": ">=5.2.1" | ||
| "webpack-dev-server@<=5.2.0": ">=5.2.1", | ||
| "minimatch": ">=10.2.1", | ||
| "serialize-javascript": ">=7.0.3", |
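Review bot: the new `minimatch` and `serialize-javascript` overrides are unscoped top-level keys, so npm will force every copy of those packages anywhere in the tree onto the 10.x / 7.x line, including copies requested by packages that were only ever tested against an older major; the `webpack-dev-server@<=5.2.0` key, by contrast, only rewrites installs that fall in the vulnerable range. Run `npm ls minimatch serialize-javascript` to see which dependents are affected, and either add a `@<range>` selector to these two keys as well or scope them under the affected parent package, as the `@wp-playground/*` → `ajv` entries further down already do.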
package.json adds/changes overrides, but package-lock.json is not updated in this PR. With npm projects, the lockfile should be regenerated and committed so installs (and CI) are reproducible and actually reflect the overridden versions.
| "webpack-dev-server@<=5.2.0": ">=5.2.1", | ||
| "minimatch": ">=10.2.1", | ||
| "serialize-javascript": ">=7.0.3", | ||
| "@wp-playground/blueprints": { | ||
| "ajv": ">=8.18.0" | ||
| }, | ||
| "@wp-playground/tools": { | ||
| "ajv": ">=8.18.0" | ||
| }, | ||
| "@wp-playground/cli": { | ||
| "ajv": ">=8.18.0" |
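Review bot: nothing in the PR demonstrates that these overrides take effect, and the Testing Instructions section is empty, so a reviewer cannot tell whether `ajv`, `minimatch`, `serialize-javascript` and `webpack-dev-server` actually resolve to the overridden versions or whether the reported alerts clear. Please regenerate `package-lock.json` with `npm install`, then paste the output of `npm audit` and `npm ls ajv minimatch serialize-javascript webpack-dev-server` into Testing Instructions so the fix is verifiable from the PR itself.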
Several new override constraints are open-ended (e.g., >=5.2.1, >=10.2.1, >=7.0.3, >=8.18.0). Because these ranges have no upper bound, a future install could pull in a new major version and break the toolchain. Prefer pinning to a specific patched version (or at least constraining to the intended major, e.g. ^5.2.1 / ^10.2.1 / ^7.0.3 / ^8.18.0).
| "webpack-dev-server@<=5.2.0": ">=5.2.1", | |
| "minimatch": ">=10.2.1", | |
| "serialize-javascript": ">=7.0.3", | |
| "@wp-playground/blueprints": { | |
| "ajv": ">=8.18.0" | |
| }, | |
| "@wp-playground/tools": { | |
| "ajv": ">=8.18.0" | |
| }, | |
| "@wp-playground/cli": { | |
| "ajv": ">=8.18.0" | |
| "webpack-dev-server@<=5.2.0": "^5.2.1", | |
| "minimatch": "^10.2.1", | |
| "serialize-javascript": "^7.0.3", | |
| "@wp-playground/blueprints": { | |
| "ajv": "^8.18.0" | |
| }, | |
| "@wp-playground/tools": { | |
| "ajv": "^8.18.0" | |
| }, | |
| "@wp-playground/cli": { | |
| "ajv": "^8.18.0" |
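A small checker for the point raised in this comment, added here as an example and not part of the PR or of Copilot's suggestion: it walks a `package.json` `overrides` object, including the nested package-scoped entries used for `ajv`, flags any range with no upper bound, and proposes the caret form. The `pkgFromPr` object is constructed from the overrides shown in this PR.

```javascript
// Added example (not part of this PR): lint npm "overrides" for ranges with no upper bound.
// Node standard library only; pkgFromPr below is constructed from the overrides in this PR.
// ">=5.2.1" or ">7.0.0" is a lower bound only; "*", "x", "latest" or "" accept anything.
const LOWER_ONLY = /^\s*>=?\s*\d/;
const WILDCARD = /^\s*(\*|x|latest)?\s*$/i;
const UPPER = /<=?\s*\d/;                     // "<6", "<=5.9.9"

// Walk overrides recursively; a nested object scopes the override to that parent package
// (e.g. "@wp-playground/cli": { "ajv": ... } only affects ajv underneath @wp-playground/cli).
function flattenOverrides(overrides, scope = []) {
  const out = [];
  for (const [key, value] of Object.entries(overrides)) {
    if (value !== null && typeof value === 'object') {
      out.push(...flattenOverrides(value, [...scope, key]));
    } else if (key !== '.') {                 // "." pins the scoped parent itself, not a child
      out.push({ path: [...scope, key].join(' > '), range: String(value) });
    }
  }
  return out;
}

// Open-ended: any "||" alternative with a lower bound but no upper bound, or a wildcard.
// "^", "~" and exact versions are implicitly bounded and pass.
function isOpenEnded(range) {
  return range.split('||').some(alt => WILDCARD.test(alt) || (LOWER_ONLY.test(alt) && !UPPER.test(alt)));
}

function findOpenEndedOverrides(pkg) {
  return flattenOverrides(pkg.overrides || {}).filter(o => isOpenEnded(o.range));
}

// Rewrite the simple ">=X.Y.Z" shape to "^X.Y.Z" (same minimum, stays in the same major).
function suggestBounded(range) {
  const m = range.match(/^\s*>=\s*(\d+\.\d+\.\d+)\s*$/);
  return m ? `^${m[1]}` : null;               // other shapes need a human decision
}

const pkgFromPr = {
  overrides: {
    '@babel/runtime': '^7.27.6',
    react: '^18.3.1',
    'react-dom': '^18.3.1',
    'webpack-dev-server@<=5.2.0': '>=5.2.1',
    minimatch: '>=10.2.1',
    'serialize-javascript': '>=7.0.3',
    '@wp-playground/blueprints': { ajv: '>=8.18.0' },
    '@wp-playground/tools': { ajv: '>=8.18.0' },
    '@wp-playground/cli': { ajv: '>=8.18.0' },
  },
};

for (const o of findOpenEndedOverrides(pkgFromPr)) {
  console.log(`${o.path}: "${o.range}" has no upper bound; consider "${suggestBounded(o.range) ?? 'a bounded range'}"`);
}
```

Running it against the PR's overrides reports the six `>=` entries and leaves the three caret-ranged ones alone.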
What
This PR adds overrides in package.json to address security vulnerabilities reported by Dependabot and npm audit.
Why
Fixes Dependabot alerts
How
Testing Instructions
Screenshots
Additional Info
Checklist