Skip to content

Fix npm security vulnerabilities#100

Open
ditto-integrations wants to merge 1 commit into
masterfrom
security/35cd2abd-689f-488d-bd19-f223a8f23fb7-react-ditto-master-npm-c0-master
Open

Fix npm security vulnerabilities#100
ditto-integrations wants to merge 1 commit into
masterfrom
security/35cd2abd-689f-488d-bd19-f223a8f23fb7-react-ditto-master-npm-c0-master

Conversation

@ditto-integrations

Copy link
Copy Markdown

Summary

Refs: SPO-1105

Workflow run

Note: Target versions are sourced from Tines and may not always
reflect the latest or most appropriate release (e.g. a version may
be deprecated upstream). Please verify that the resolved versions
in lockfiles are suitable.

Test plan

  • CI passes
  • No new high/critical vulnerabilities in affected lockfiles
  • Affected SDK/component builds successfully

Generated by Tines + Claude Code

- **ws** → 8.21.0 (CVE-2026-48779)
- **vite** → 6.4.3 (CVE-2026-53571)
- **form-data** → 4.0.6 (CVE-2026-12143)
- **vite** → 6.4.3 (CVE-2026-53571)
- **ws** → 8.21.0 (CVE-2026-48779)

Refs: SPO-1105

Co-Authored-By: Claude <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates npm dependency resolutions to address reported security vulnerabilities, primarily by pinning vulnerable transitive packages and upgrading the Vite-based example app.

Changes:

  • Pin ws to 8.21.0 via npm overrides (root + example).
  • Upgrade the Vite TypeScript example from Vite ^5.4.11 to ^6.4.3.
  • Pin form-data to 4.0.6 via npm overrides in the example and refresh lockfiles accordingly.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated 1 comment.

File Description
package.json Adds an overrides pin for ws@8.21.0 to address the ws CVE via resolution.
package-lock.json Updates resolved ws version to 8.21.0 and adjusts dependency graph accordingly.
examples/vite-typescript-example/package.json Upgrades Vite to ^6.4.3 and adds overrides pins for ws/form-data plus a vite override.
examples/vite-typescript-example/package-lock.json Regenerates the example lockfile for Vite 6 and updated resolved dependency versions.
Files not reviewed (1)
  • examples/vite-typescript-example/package-lock.json: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +64 to +66
"ws": "8.21.0",
"form-data": "4.0.6",
"vite": "$vite"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants