Skip to content

chore: resolve open dependabot security alerts#395

Open
jonathannorris wants to merge 2 commits into
mainfrom
chore/dependabot-alerts-2
Open

chore: resolve open dependabot security alerts#395
jonathannorris wants to merge 2 commits into
mainfrom
chore/dependabot-alerts-2

Conversation

@jonathannorris

@jonathannorris jonathannorris commented Jun 22, 2026

Copy link
Copy Markdown
Member

Summary

Resolves open Dependabot security alerts by bumping the affected dev dependencies to patched versions. No overrides/resolutions were used (this is a published repo); the fixes are a parent-package upgrade plus a lockfile-only bump.

Alerts

Alert Package Severity Fix
#26 markdown-it medium -> 14.2.0 via markdownlint-cli 0.49.0
#29 js-yaml medium -> 4.2.0 via markdownlint-cli 0.49.0
#30 js-yaml medium -> 4.2.0 via lockfile-only bump of xmlbuilder2's copy

@jonathannorris jonathannorris marked this pull request as draft June 22, 2026 14:13
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The markdownlint-cli devDependency in package.json is bumped from ^0.48.0 to ^0.49.0.

Changes

Dependency Version Bump

Layer / File(s) Summary
markdownlint-cli version update
package.json
markdownlint-cli devDependency version constraint updated from ^0.48.0 to ^0.49.0.

Estimated code review effort: 1 (Trivial) | ~1 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: resolving Dependabot security alerts by updating dependencies.
Description check ✅ Passed The description is clearly related to the dependency bumps and security alert fixes in this PR.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@jonathannorris jonathannorris marked this pull request as ready for review June 22, 2026 14:15
@jonathannorris jonathannorris enabled auto-merge (squash) June 22, 2026 14:15
- markdownlint-cli ^0.48.0 -> ^0.49.0 to pull js-yaml 4.2.0 and markdown-it 14.2.0 (medium, alerts #26, #27)
- js-yaml 4.1.1 -> 4.2.0 via lockfile update (medium, alert #27)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
js-yaml 3.14.2 (via markdown-toc -> gray-matter) is vulnerable to a
quadratic-complexity DoS in merge key handling. gray-matter's own
range (^3.8.1 at 2.1.1, the highest version resolvable under
markdown-toc's gray-matter ^2.1.0 constraint) already permits 3.15.0,
so this is a lockfile-only bump via 'npm update js-yaml' with no
package.json or overrides changes.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts-2 branch from 28e65e7 to c96efde Compare July 6, 2026 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants