Conversation
Pull request overview
Updates the project’s Node/NPM dependency resolution to address security alerts and bumps the plugin version metadata accordingly.
Changes:
- Add/extend `package.json` npm `overrides` to enforce patched transitive dependency versions.
- Regenerate `package-lock.json` to reflect the updated transitive dependency graph (e.g., minimatch/ajv/serialize-javascript updates).
- Bump plugin version references to 1.1.2 across WordPress metadata files and changelog.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| readme.txt | Bumps WordPress plugin “Stable tag” to 1.1.2. |
| package.json | Adds new npm overrides entries to mitigate vulnerable transitive deps. |
| package-lock.json | Locks updated transitive dependency versions corresponding to overrides. |
| oneaccess.php | Bumps plugin header version and ONEACCESS_VERSION constant to 1.1.2. |
| CHANGELOG.md | Adds 1.1.2 changelog entry for the dependency updates. |
| "webpack-dev-server@<=5.2.0": ">=5.2.1", | ||
| "minimatch": ">=10.2.1", | ||
| "serialize-javascript": ">=7.0.3", | ||
| "@wp-playground/blueprints": { | ||
| "ajv": ">=8.18.0" | ||
| }, | ||
| "@wp-playground/tools": { | ||
| "ajv": ">=8.18.0" | ||
| }, | ||
| "@wp-playground/cli": { | ||
| "ajv": ">=8.18.0" |
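Review bot: the top-level `"minimatch": ">=10.2.1"` and `"serialize-javascript": ">=7.0.3"` entries are tree-wide, so every transitive consumer of those packages, including ones that declared an older major, is forced onto the new major on the next install; a major jump is exactly where API differences surface, and nothing in the hunk limits the rewrite to the dependents that actually pull the vulnerable versions. The `ajv` entries in this same hunk already show the safer shape (scoped under `@wp-playground/blueprints`, `@wp-playground/tools` and `@wp-playground/cli`), and the `"webpack-dev-server@<=5.2.0"` key shows the selector form that only matches a bounded range; apply one of those two patterns to `minimatch` and `serialize-javascript`, then confirm with `npm ls minimatch serialize-javascript` that the resulting tree contains only the versions you intended.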
The new npm overrides entries use open-ended minimum ranges (e.g., minimatch: ">=10.2.1", serialize-javascript: ">=7.0.3", ajv: ">=8.18.0"). This can allow a future major release (or a release that bumps its required Node engine) to be pulled in on a fresh install, potentially breaking installs/builds despite the project’s own engine constraints. Prefer pinning overrides to a specific major (e.g., ^10.2.4 / ^7.0.4 / ^8.18.0) or an exact version so updates remain intentional and controlled.
| "webpack-dev-server@<=5.2.0": ">=5.2.1", | |
| "minimatch": ">=10.2.1", | |
| "serialize-javascript": ">=7.0.3", | |
| "@wp-playground/blueprints": { | |
| "ajv": ">=8.18.0" | |
| }, | |
| "@wp-playground/tools": { | |
| "ajv": ">=8.18.0" | |
| }, | |
| "@wp-playground/cli": { | |
| "ajv": ">=8.18.0" | |
| "webpack-dev-server@<=5.2.0": "^5.2.1", | |
| "minimatch": "^10.2.1", | |
| "serialize-javascript": "^7.0.3", | |
| "@wp-playground/blueprints": { | |
| "ajv": "^8.18.0" | |
| }, | |
| "@wp-playground/tools": { | |
| "ajv": "^8.18.0" | |
| }, | |
| "@wp-playground/cli": { | |
| "ajv": "^8.18.0" |
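Review bot: the suggested caret ranges (`"^10.2.1"`, `"^7.0.3"`, `"^8.18.0"`) fix the open-ended upper bound but leave `minimatch` and `serialize-javascript` as unscoped, tree-wide overrides, so the major-version forcing on unrelated dependents is unchanged by this suggestion. If it is applied, `package-lock.json` in this PR was generated from the `>=` ranges and must be regenerated from the caret ranges, and `npm audit` rerun afterwards, otherwise the lockfile and the overrides block disagree and a fresh `npm ci` may resolve differently from what was reviewed.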
What
This PR adds overrides in `package.json` to address security vulnerabilities reported by Dependabot and `npm audit`.
Why
Fixes dependabot alerts
How
Testing Instructions
Screenshots
Additional Info
Checklist
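As an added illustration of the point raised in the inline review above (this is example code, not code from the OneAccess project or from this PR), the following Node script lints an npm `overrides` object for the two patterns discussed in the thread: open-ended `>=` ranges that admit a future major, and overrides that are not scoped to a parent package and therefore rewrite the dependency for the whole tree. The file name `lint-overrides.js`, the `SAMPLE_OVERRIDES` object (constructed to mirror the block under review) and all function names are assumptions of this example; it uses only Node built-ins so it runs offline.

```javascript
// lint-overrides.js: added example for this review thread, not project code.
// Lints an npm "overrides" object (the shape used in package.json) for:
//   - open-ended minimum ranges (">=x.y.z") that admit any future major, and
//   - unscoped overrides that rewrite a package for every dependent in the
//     tree instead of only the parent that pulls the vulnerable version.
// Usage: node lint-overrides.js [path/to/package.json]  (argument optional)

// Split an override key such as "webpack-dev-server@<=5.2.0" or
// "@wp-playground/cli" into { name, selector }. Scoped names start with "@",
// so only an "@" after index 0 separates the name from a version selector.
function parseKey(key) {
  const at = key.indexOf("@", 1);
  return at === -1
    ? { name: key, selector: null }
    : { name: key.slice(0, at), selector: key.slice(at + 1) };
}

// A range is open-ended when some "||" alternative is a bare lower bound
// (">=x" or ">x") with no upper bound: no "<", and no caret, tilde, hyphen
// or x-range, all of which imply one. "*" and "" are open-ended as well.
function isOpenEnded(range) {
  return range.split("||").some((alt) => {
    const r = alt.trim();
    if (r === "" || r === "*") return true;
    if (/[<^~]/.test(r) || /\s-\s/.test(r) || /\bx\b|\*/.test(r)) return false;
    return /^>=?\s*\d/.test(r);
  });
}

// Flatten nested overrides into [{ parent, name, selector, range }].
// A nested object means "only when this package is a dependency of parent";
// npm also allows a "." key inside a nested object to pin the parent itself.
function flattenOverrides(overrides, parent = null, out = []) {
  for (const [key, value] of Object.entries(overrides)) {
    const { name, selector } = parseKey(key);
    if (typeof value === "string") {
      out.push({ parent, name: name === "." ? parent : name, selector, range: value });
    } else if (value && typeof value === "object") {
      flattenOverrides(value, name, out);
    }
  }
  return out;
}

// One finding per override a reviewer should look at: { path, range, issues }.
function lintOverrides(overrides) {
  const findings = [];
  for (const o of flattenOverrides(overrides)) {
    const issues = [];
    if (isOpenEnded(o.range)) issues.push("open-ended-range");
    if (o.parent === null && o.selector === null) issues.push("unscoped");
    if (issues.length) {
      const path = (o.parent ? o.parent + " > " : "") + o.name + (o.selector ? "@" + o.selector : "");
      findings.push({ path, range: o.range, issues });
    }
  }
  return findings;
}

// The reviewer's suggested fix: turn a bare ">=x.y.z" lower bound into the
// caret range "^x.y.z", which keeps the minimum but stops at the next major.
function tightenRange(range) {
  return range.replace(/^\s*>=\s*(\d+\.\d+\.\d+)\s*$/, "^$1");
}

// Constructed sample mirroring the overrides block under review (assumption).
const SAMPLE_OVERRIDES = {
  "webpack-dev-server@<=5.2.0": ">=5.2.1",
  "minimatch": ">=10.2.1",
  "serialize-javascript": ">=7.0.3",
  "@wp-playground/blueprints": { "ajv": ">=8.18.0" },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const overrides = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")).overrides || {}
    : SAMPLE_OVERRIDES;
  for (const f of lintOverrides(overrides)) {
    console.log(`${f.path}: "${f.range}" -> ${f.issues.join(", ")} (suggest "${tightenRange(f.range)}")`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { parseKey, isOpenEnded, flattenOverrides, lintOverrides, tightenRange, SAMPLE_OVERRIDES };
}
```

Run against the sample, the script flags all four entries as open-ended and additionally flags `minimatch` and `serialize-javascript` as unscoped, while the `webpack-dev-server@<=5.2.0` key (bounded by its selector) and the `ajv` entry (scoped under `@wp-playground/blueprints`) only get the range finding; switching a range to `^x.y.z` clears the first finding but not the second, which is why scoping and bounding are separate decisions in this review.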