chore(deps): patch Dependabot security alerts (pytest, serialize-javascript, uuid)#27

Merged: taran-dbx merged 1 commit into main from chore/security-deps on Jun 1, 2026

Conversation

@taran-dbx (Collaborator)

Summary

Clears the 4 open Dependabot alerts on the default branch.

| Severity | Package | Manifest | Fix |
| --- | --- | --- | --- |
| High | serialize-javascript | website/package-lock.json | override ^7.0.5 (RCE via RegExp.flags / Date.prototype.toISOString) |
| Moderate | serialize-javascript | website/package-lock.json | same override (also covers the >=5.0.0 <7.0.5 CPU-DoS) |
| Moderate | uuid | website/package-lock.json | override ^11.1.1 (missing buffer bounds check in v3/v5/v6) |
| Moderate | pytest | requirements-dev.txt | bump to >=9.0.3 (vulnerable tmpdir handling) |

serialize-javascript and uuid are transitive (via terser / mermaid / sockjs), so they're pinned through npm overrides in website/package.json. requirements.lock was regenerated with make lock (uv pip compile --generate-hashes). The lockfile's resolved URLs are normalized to registry.npmjs.org (matching repo convention).

Test plan

  • pytest 9.0.3 runs tests/test_python_patterns.py — 11 passed
  • cd website && npm run build succeeds (strict broken-link check)
  • package-lock.json resolved hosts: all registry.npmjs.org, zero dev-proxy leakage
  • Pinned to caret ranges near the patched versions to minimize transitive breakage

…script, uuid)

- pytest >=9.0.3 (was <9.0) — fixes vulnerable tmpdir handling; requirements.lock
  regenerated via 'make lock' (uv pip compile --generate-hashes).
- website: add npm overrides serialize-javascript ^7.0.5 (high: RCE via
  RegExp.flags / Date.prototype.toISOString; also the >=5.0.0 <7.0.5 CPU-DoS) and
  uuid ^11.1.1 (missing buffer bounds check). Both are transitive (terser /
  mermaid / sockjs). Lockfile resolved URLs normalized to registry.npmjs.org.

Verified: pytest 9.0.3 runs tests/test_python_patterns.py (11 passed); docs
'npm run build' succeeds.
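The test plan above checks two lockfile properties by hand: every resolved URL points at registry.npmjs.org (no dev-proxy leakage), and the npm overrides actually replaced the transitive serialize-javascript and uuid copies. The script below is an added example of automating that check; it is not code from PR #27 or the repository. The package.json and package-lock.json fragments are constructed sample input (including a deliberately stale nested uuid copy resolved from a made-up internal host, to show what a failed override looks like), and the caret-range matcher only handles the ^x.y.z form used in this PR's overrides.

```javascript
// Added example (not from PR #27 or the repository): audit a package-lock.json
// for (1) resolved hosts other than registry.npmjs.org and (2) overridden
// packages whose locked version does not satisfy the override range.

// Constructed sample input. Real files live in website/package.json and
// website/package-lock.json; these fragments only mimic their shape.
const packageJson = {
  overrides: {
    "serialize-javascript": "^7.0.5",
    "uuid": "^11.1.1",
  },
};

const packageLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "website" },
    "node_modules/terser": {
      version: "5.31.0",
      resolved: "https://registry.npmjs.org/terser/-/terser-5.31.0.tgz",
    },
    "node_modules/serialize-javascript": {
      version: "7.0.5",
      resolved: "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz",
    },
    "node_modules/uuid": {
      version: "11.1.1",
      resolved: "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
    },
    // Hypothetical stale nested copy that escaped the override and was
    // fetched through a dev proxy; the audit must flag it twice.
    "node_modules/mermaid/node_modules/uuid": {
      version: "9.0.1",
      resolved: "https://npm.internal.example.test/uuid/-/uuid-9.0.1.tgz",
    },
  },
};

// Parse "x.y.z" (any prerelease/build suffix is ignored) into [x, y, z].
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret check for "^x.y.z" with x > 0: same major, and not older than the
// base. Other range syntaxes are rejected rather than guessed.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const base = parseSemver(range.slice(1));
  if (base[0] === 0) throw new Error(`^0.y.z ranges not handled: ${range}`);
  const v = parseSemver(version);
  return v[0] === base[0] && compareSemver(v, base) >= 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameOf(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Returns a list of human-readable findings; empty means the lockfile is clean.
function auditLockfile(lock, pkg, allowedHost = "registry.npmjs.org") {
  const findings = [];
  const overrides = (pkg && pkg.overrides) || {};
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project has no tarball
    if (entry.resolved) {
      const host = new URL(entry.resolved).host;
      if (host !== allowedHost) findings.push(`${lockPath}: resolved from ${host}`);
    }
    const range = overrides[packageNameOf(lockPath)];
    if (range && !satisfiesCaret(entry.version, range)) {
      findings.push(`${lockPath}: ${entry.version} does not satisfy override ${range}`);
    }
  }
  return findings;
}

const findings = auditLockfile(packageLock, packageJson);
console.log(findings.length ? findings.join("\n") : "lockfile clean");
```

Against a real checkout the same two questions are answered by reading website/package-lock.json with this script and by `npm ls serialize-javascript uuid`, which lists every installed copy along with the dependency path (terser, mermaid, sockjs) it was pulled in through.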
github-actions bot added the label "documentation" (Improvements or additions to documentation) on Jun 1, 2026
taran-dbx merged commit 9ff7b1d into main on Jun 1, 2026
10 checks passed
taran-dbx deleted the chore/security-deps branch on June 1, 2026 at 13:51