[release/9.0] Update NPM dependencies#66051

Open
wtgodbe wants to merge 3 commits into release/9.0 from wtgodbe/AuditNFix9

Conversation

@wtgodbe
Member

@wtgodbe wtgodbe commented Mar 28, 2026

Fixes CG alerts

@wtgodbe wtgodbe requested a review from a team as a code owner March 28, 2026 00:01
Copilot AI review requested due to automatic review settings March 28, 2026 00:01
@wtgodbe wtgodbe added the tell-mode Indicates a PR which is being merged during tell-mode label Mar 28, 2026
@dotnet-policy-service dotnet-policy-service bot added this to the 9.0.x milestone Mar 28, 2026
@dotnet-policy-service
Contributor

Hi @wtgodbe. If this is not a tell-mode PR, please make sure to follow the instructions laid out in the servicing process document.
Otherwise, please add the tell-mode label.

@github-actions github-actions bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Mar 28, 2026
Contributor

Copilot AI left a comment


Pull request overview

Updates NPM dependency graph to address CG (component governance) alerts across the repo’s Node workspaces (notably the JSInterop workspace), primarily by bumping lint tooling and adding root-level overrides for transitive vulnerabilities.

Changes:

  • Bump @typescript-eslint/* devDependencies in the JSInterop workspace to v8.
  • Add root package.json overrides entries to force patched versions of vulnerable transitive packages (e.g., tar, serialize-javascript, @tootallnate/once).
  • Regenerate package-lock.json to reflect updated/overridden dependency versions.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

Files reviewed:

  • src/JSInterop/Microsoft.JSInterop.JS/src/package.json: Updates TypeScript ESLint tooling versions used for JSInterop linting.
  • package.json: Adds root overrides to force secure transitive dependency versions repo-wide.
  • package-lock.json: Lockfile refresh capturing updated dependency graph and override effects.

@wtgodbe wtgodbe requested review from a team, BrennanConroy, JamesNK and halter73 as code owners March 28, 2026 01:17
@github-actions github-actions bot added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically labels Mar 28, 2026