Skip to content

fix(security): bump vulnerable example deps (supersedes #155)#156

Merged
andriy-sudo merged 1 commit into
mainfrom
andriy/fix-examples-deps-vulns
Jun 24, 2026
Merged

fix(security): bump vulnerable example deps (supersedes #155)#156
andriy-sudo merged 1 commit into
mainfrom
andriy/fix-examples-deps-vulns

Conversation

@andriy-sudo

Copy link
Copy Markdown
Contributor

Summary

Supersedes Dependabot #155 (axios 1.15.0 → 1.18.1, examples/js only). That PR bumped axios but left form-data 4.0.5 still vulnerable (GHSA-hmw2-7cc7-3qxx, HIGH) and did not touch the newly-published dev-tree advisories or the Python example. This PR clears every open finding across both example ecosystems and removes a now-stale suppression.

All changes are limited to manifest/lock file version bumps — no functional source code changes.

examples/jspackage.json overrides + package-lock.json

Package Old New Advisory Severity Status
axios 1.15.0 1.18.1 GHSA-j5f8-grm9-p9fc (+8 more) HIGH ✅ Fixed
form-data 4.0.5 4.0.6 GHSA-hmw2-7cc7-3qxx (CRLF injection) HIGH ✅ Fixed
ajv (dev) 6.12.6 6.14.0 GHSA-2g4f-4pwh-qvx6 (ReDoS) MEDIUM ✅ Fixed
brace-expansion (dev) 1.1.12 1.1.13 GHSA-f886-m6hf-6m8v (DoS) MEDIUM ✅ Fixed
js-yaml (dev) 4.1.1 4.2.0 GHSA-h67p-54hq-rp68 (quadratic DoS) MEDIUM ✅ Fixed

examples/pythonpyproject.toml floor pins + poetry.lock

Package Old New Advisory Severity Status
urllib3 2.6.3 2.7.0 PYSEC-2026-141, PYSEC-2026-142 HIGH ✅ Fixed
idna 3.11 3.18 PYSEC-2026-215 (GHSA-65pc-fj4g-8rjx) MEDIUM ✅ Fixed
pygments 2.19.2 2.20.0 GHSA-5239-wwwm-4pmq (ReDoS) LOW ✅ Fixed

osv-scanner.toml

Removed the GHSA-5239-wwwm-4pmq ignore — it was both expired (ignoreUntil = 2026-06-23) and stale: a fix is now published in pygments 2.20.0, so the lock is upgraded instead of suppressed.

Verification

osv-scanner scan --config osv-scanner.toml --recursive ./No issues found (both lock files, no unused ignores). npm audit in examples/js → 0 vulnerabilities.

Reviewer: please close Dependabot #155 as superseded by this PR after merge.

🤖 Generated with Claude Code

examples/js (package.json overrides + lock):
- axios 1.15.0 -> 1.18.1 (GHSA-j5f8-grm9-p9fc + 8 more open alerts, HIGH)
- form-data 4.0.5 -> 4.0.6 (GHSA-hmw2-7cc7-3qxx, HIGH - CRLF injection)
- ajv 6.12.6 -> 6.14.0 (GHSA-2g4f-4pwh-qvx6, dev)
- brace-expansion 1.1.12 -> 1.1.13 (GHSA-f886-m6hf-6m8v, dev)
- js-yaml 4.1.1 -> 4.2.0 (GHSA-h67p-54hq-rp68, dev)

examples/python (pyproject floors + lock):
- urllib3 2.6.3 -> 2.7.0 (PYSEC-2026-141/142, HIGH)
- idna 3.11 -> 3.18 (PYSEC-2026-215, MEDIUM)
- pygments 2.19.2 -> 2.20.0 (GHSA-5239-wwwm-4pmq, LOW)

Remove now-stale osv-scanner.toml ignore for GHSA-5239 (fix published in pygments 2.20.0).

Supersedes Dependabot PR #155, which bumped axios only and left form-data 4.0.5 vulnerable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@andriy-sudo andriy-sudo requested a review from a team as a code owner June 24, 2026 21:55
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 501e557b-64de-4863-a169-088592b520b5

📥 Commits

Reviewing files that changed from the base of the PR and between 7f5527b and be89dd3.

⛔ Files ignored due to path filters (2)
  • examples/js/package-lock.json is excluded by !**/package-lock.json
  • examples/python/poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • examples/js/package.json
  • examples/python/pyproject.toml
  • osv-scanner.toml

📝 Walkthrough

Walkthrough

The PR updates dependency constraints in the example JavaScript and Python projects. It expands the JavaScript package overrides, raises the axios override version, adds minimum version pins for urllib3, idna, and pygments in the Python example, and removes the active pygments vulnerability ignore from osv-scanner.toml.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the security-focused dependency bump across the example projects.
Description check ✅ Passed The description accurately matches the manifest and lockfile security fixes described in the changeset.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch andriy/fix-examples-deps-vulns

Comment @coderabbitai help to get the list of available commands.

@andriy-sudo andriy-sudo merged commit 8cec2a2 into main Jun 24, 2026
4 checks passed
@andriy-sudo andriy-sudo deleted the andriy/fix-examples-deps-vulns branch June 24, 2026 21:57
@andriy-sudo andriy-sudo requested a review from KateZhang98 June 24, 2026 21:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants