Skip to content

chore(deps): update aws-sdk to ^3.1081.0#311

Merged
stophecom merged 1 commit into
devfrom
chore/update-aws-sdk
Jul 7, 2026
Merged

chore(deps): update aws-sdk to ^3.1081.0#311
stophecom merged 1 commit into
devfrom
chore/update-aws-sdk

Conversation

@stophecom

@stophecom stophecom commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

Bumps the @aws-sdk S3 packages to pick up upstream fixes and clear the critical Dependabot alert.

  • @aws-sdk/{client-s3,s3-presigned-post,s3-request-presigner}: ^3.772.0^3.1081.0
    • Side effect: drops the transitive fast-xml-parser dependency entirely, which resolves the sole critical Dependabot alert (entity-encoding bypass via regex injection in DOCTYPE entity names).
  • pnpm-workspace.yaml gains auto-generated minimumReleaseAgeExclude entries — pnpm's supply-chain release-age policy gates freshly-published versions, and these entries whitelist the new AWS SDK releases so the install passes.

Scoped to the AWS bump only. The remaining Dependabot alerts (svelte/kit runtime XSS — medium; tar/rollup/form-data — build-time highs) are deferred to a separate follow-up.

Note: this branch is stacked on the browser-extension work, so those commits also appear here until that branch lands in dev.

Verification

  • pnpm install --frozen-lockfile passes (Vercel parity)
  • ✅ Lockfile verified: fast-xml-parser fully removed

🤖 Generated with Claude Code

@vercel

vercel Bot commented Jul 7, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
scrt-link-v2 Ready Ready Preview, Comment Jul 7, 2026 8:34pm

Request Review

@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​aws-sdk/​client-s3@​3.1081.09910010098100
Added@​aws-sdk/​s3-presigned-post@​3.1081.09910010098100
Added@​aws-sdk/​s3-request-presigner@​3.1081.010010010098100

View full report

Bump @aws-sdk/{client-s3,s3-presigned-post,s3-request-presigner} from
^3.772.0 to ^3.1081.0. This drops the transitive fast-xml-parser
dependency, resolving the critical Dependabot alert (entity-encoding
bypass via regex injection in DOCTYPE entity names).

pnpm auto-added the new AWS SDK versions to minimumReleaseAgeExclude in
pnpm-workspace.yaml so they pass the supply-chain release-age policy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@stophecom stophecom force-pushed the chore/update-aws-sdk branch from 148eb09 to fb58cc0 Compare July 7, 2026 20:32
@stophecom stophecom changed the title chore(deps): update aws-sdk and patch Dependabot security alerts chore(deps): update aws-sdk to ^3.1081.0 Jul 7, 2026
@stophecom stophecom merged commit f5983b2 into dev Jul 7, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant