fix(security): bump vulnerable example deps (supersedes #155)#156
Merged
Conversation
examples/js (package.json overrides + lock): - axios 1.15.0 -> 1.18.1 (GHSA-j5f8-grm9-p9fc + 8 more open alerts, HIGH) - form-data 4.0.5 -> 4.0.6 (GHSA-hmw2-7cc7-3qxx, HIGH - CRLF injection) - ajv 6.12.6 -> 6.14.0 (GHSA-2g4f-4pwh-qvx6, dev) - brace-expansion 1.1.12 -> 1.1.13 (GHSA-f886-m6hf-6m8v, dev) - js-yaml 4.1.1 -> 4.2.0 (GHSA-h67p-54hq-rp68, dev) examples/python (pyproject floors + lock): - urllib3 2.6.3 -> 2.7.0 (PYSEC-2026-141/142, HIGH) - idna 3.11 -> 3.18 (PYSEC-2026-215, MEDIUM) - pygments 2.19.2 -> 2.20.0 (GHSA-5239-wwwm-4pmq, LOW) Remove now-stale osv-scanner.toml ignore for GHSA-5239 (fix published in pygments 2.20.0). Supersedes Dependabot PR #155, which bumped axios only and left form-data 4.0.5 vulnerable. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThe PR updates dependency constraints in the example JavaScript and Python projects. It expands the JavaScript package overrides, raises the 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
akuzminsky
approved these changes
Jun 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Supersedes Dependabot #155 (axios 1.15.0 → 1.18.1,
examples/jsonly). That PR bumped axios but left form-data 4.0.5 still vulnerable (GHSA-hmw2-7cc7-3qxx, HIGH) and did not touch the newly-published dev-tree advisories or the Python example. This PR clears every open finding across both example ecosystems and removes a now-stale suppression.All changes are limited to manifest/lock file version bumps — no functional source code changes.
examples/js—package.jsonoverrides +package-lock.jsonexamples/python—pyproject.tomlfloor pins +poetry.lockosv-scanner.tomlRemoved the
GHSA-5239-wwwm-4pmqignore — it was both expired (ignoreUntil = 2026-06-23) and stale: a fix is now published in pygments 2.20.0, so the lock is upgraded instead of suppressed.Verification
osv-scanner scan --config osv-scanner.toml --recursive ./→ No issues found (both lock files, no unused ignores).npm auditinexamples/js→ 0 vulnerabilities.🤖 Generated with Claude Code