Security: upgrade dependencies to resolve high-severity vulnerabilities#21
❌ Deploy Preview for melodious-squirrel-f66679 failed. Why did it fail? →
Co-authored-by: 512Andrew <203588790+512Andrew@users.noreply.github.com>
Thank you for handling that for me. I have had to back-burner this project for a while and it needed a polish.
Pull request overview
This PR upgrades core frontend dependencies (notably Next.js) to address reported high-severity security vulnerabilities and updates the lockfile to reflect the new resolved dependency graph.
Changes:
- Bump runtime dependencies: `next`, `react`, `react-dom`, `three`, `@react-three/fiber`.
- Update `package-lock.json` with new resolved versions, including transitive dependency updates from `npm audit fix`.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates direct dependency version ranges/pins for security + maintenance upgrades. |
| package-lock.json | Updates resolved dependency tree, including Next.js/SWC artifacts and audited transitive packages. |
| "react-dom": "19.2.0", | ||
| "three": "^0.181.2" | ||
| "@react-three/fiber": "^9.4.2", | ||
| "next": "^16.1.5", |
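Review bot: the pinning style is inconsistent across these lines: `"react-dom": "19.2.0"` is an exact pin, while `"three": "^0.181.2"`, `"@react-three/fiber": "^9.4.2"` and `"next": "^16.1.5"` are caret ranges, so an install that does not honour package-lock.json can resolve a different `next` than the one audited in this PR. Pin all four the same way (exact versions, or `~` ranges if patch drift is acceptable) and install with `npm ci` in CI so the lockfile, not the range, decides what ships.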
Using caret ranges here allows npm install to resolve newer minor versions than the ones listed in the PR (e.g., ^16.1.5 can pull 16.2.x, which in this lockfile also changes the Node engine requirement). If you want this PR to be a controlled security bump, consider pinning to the exact versions (or ~ ranges) so installs remain reproducible across environments.
| "next": "^16.1.5", | |
| "next": "16.1.5", |
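To make the reviewer's point checkable, here is an added example (not code from this PR or the project) of a small Node script that flags floating version ranges in a package.json and rewrites `^`/`~` specs to the exact version they start at. The embedded package.json is constructed for the example, modelled on the dependency list in this PR; the function names `findUnpinned`, `pinSpec` and `pinPackageJson` are this example's own.

```javascript
// Added example: detect and pin floating dependency ranges in package.json.
// The package.json text below is constructed for the example and mirrors the
// mix of exact pins and caret ranges seen in this PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "next": "^16.1.5",
    "react": "19.2.0",
    "react-dom": "19.2.0",
    "three": "^0.181.2",
    "@react-three/fiber": "^9.4.2"
  },
  devDependencies: {
    "eslint": "~9.0.0"
  }
});

// An exact pin is a plain semver version, optionally with prerelease/build tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns [{ field, name, spec }] for every dependency whose spec is not an
// exact version (caret/tilde ranges, comparators, wildcards, tags, URLs...).
function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const unpinned = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!EXACT_VERSION.test(String(spec).trim())) {
        unpinned.push({ field, name, spec });
      }
    }
  }
  return unpinned;
}

// Converts "^1.2.3" or "~1.2.3" to "1.2.3" (the lowest version the range
// admits, which is the one the PR author actually tested). Any other form
// (>=, *, x, git/url specs) returns null so a human decides what to pin.
function pinSpec(spec) {
  const m = /^[\^~]\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(String(spec).trim());
  return m ? m[1] : null;
}

// Returns new package.json text with every ^/~ spec replaced by its exact version.
function pinPackageJson(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const pinned = pinSpec(spec);
      if (pinned) pkg[field][name] = pinned;
    }
  }
  return JSON.stringify(pkg, null, 2) + "\n";
}

// Report what would float, then show the pinned result.
for (const hit of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.log(`floating range in ${hit.field}: ${hit.name} ${hit.spec}`);
}
console.log(pinPackageJson(SAMPLE_PACKAGE_JSON));
```

Run it over a real file by replacing `SAMPLE_PACKAGE_JSON` with the contents of `package.json`; a non-empty `findUnpinned` result is the condition to fail a CI step on. Pinning in package.json complements, but does not replace, installing with `npm ci` so that package-lock.json is honoured exactly.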
@copilot apply changes based on the comments in this thread
Implements all security and maintenance dependency upgrades recommended by open Snyk/Dependabot PRs (#14–#20). The most critical are two high-severity DoS vulnerabilities in next (SNYK-JS-NEXT-15104645, SNYK-JS-NEXT-15105315).

Dependency upgrades
- next
- react
- react-dom
- three
- @react-three/fiber

Transitive vulnerabilities
npm audit fix resolved 3 additional transitive vulnerabilities in ajv (ReDoS), flatted (DoS + prototype pollution), and minimatch (ReDoS). Final audit: 0 vulnerabilities.