chore: resolve open dependabot security alerts#1967
Conversation
✅ Deploy Preview for polite-licorice-3db33c canceled.
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies, including an upgrade of js-cookie to version 3.0.7 in the playground app and minor version bumps for containerd and compress in the integration tests. A review comment suggests refining the js-cookie version override from a loose >=3.0.7 range to a safer ^3.0.7 caret range to avoid potential breaking changes from future major releases.
| "react-use": "^17.6.0" | ||
| }, | ||
| "overrides": { | ||
| "js-cookie": ">=3.0.7" |
There was a problem hiding this comment.
Using a loose version range like >=3.0.7 in overrides can lead to unexpected breaking changes if a new major version of js-cookie is released in the future. It is safer to use a caret range (^3.0.7) to allow only non-breaking updates while still receiving security patches and bug fixes within the v3.x series.
| "js-cookie": ">=3.0.7" | |
| "js-cookie": "^3.0.7" |
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
jonathannorris
force-pushed
the
chore/dependabot-alerts-2
branch
from
d43ece7 to
75051b3
Compare
dosubot
Bot
added
the
size:XS
| "overrides": { | ||
| "js-cookie": "^3.0.7" | ||
| }, |
There was a problem hiding this comment.
Can this override be avoided? Is there a transitive dep we can update?
There was a problem hiding this comment.
react-use is the only dep pulling in js-cookie, and it's a production dependency. The latest version (17.6.0) still requires js-cookie: ^2.2.1, so there's nothing to bump. That said, I don't think we're actually affected: the vulnerability only triggers when a JSON-derived object is passed as the attributes argument to Cookies.set or similar, and the playground only imports useMedia and useObservable from react-use. No cookie APIs are used. I'd lean toward dismissing the alert.
|
2 participants
Summary
Resolved 2 of 7 open Dependabot security alerts. The remaining 5 alerts are for
github.com/docker/dockerand currently have no patched version available upstream.Dependabot Alerts Resolved
js-cookie>=3.0.7inplayground-app/package.json(transitive viareact-use)github.com/containerd/containerd/v2v2.2.4viago get+go mod tidyintest/integration/go.modUnresolvable Alerts
These Docker-related alerts in
test/integration/go.mod(transitive viatestcontainers-go) have no upstream patched version yet:PUT /containers/{id}/archiveexecutes container binary on the hostdocker cpallows creation of arbitrary empty filesdocker cpallows bind mount redirection29.3.1but no such release exists yet