Skip to content

chore: fix Dependabot security alerts #683

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Fletch153 merged 1 commit into from
Feb 9, 2026
Merged

chore: fix Dependabot security alerts #683

Fletch153 merged 1 commit into from
Feb 9, 2026
+540 −719

Conversation

@Fletch153
Copy link
Collaborator

@Fletch153 Fletch153 commented Feb 8, 2026

Dependabot Security Alerts Status

Repository: smartcontractkit/ea-framework-js
Branch: dependabot-update-2026-02-08
Date: 2026-02-08

Summary

Metric Count
Total Open Alerts 3
Fixed 3
Needs Approval 0
Blocked 0

Alert Details

# Dependency Severity CVSS CVE Vulnerable Range Patched Resolved To Fix Method Status
52 glob high 7.5 CVE-2025-64756 >= 10.2.0, < 10.5.0 10.5.0 10.5.0 Lockfile refresh Fixed
50 js-yaml medium 5.3 CVE-2025-64718 < 3.14.2 3.14.2 3.14.2 Lockfile refresh Fixed
49 js-yaml medium 5.3 CVE-2025-64718 >= 4.0.0, < 4.1.1 4.1.1 4.1.1 Lockfile refresh Fixed

Fix Log

Tier 1: Lockfile Refresh

  • Deleted yarn.lock and ran yarn install to regenerate
  • All 3 alerts resolved by the lockfile refresh alone

Dependency Chain Details

Alert Dependency Chain Before After
#52 c8 -> test-exclude -> glob, ava -> @vercel/nft -> glob 10.4.5 10.5.0
#50 ava -> supertap -> js-yaml 3.14.1 3.14.2
#49 eslint -> @eslint/eslintrc -> js-yaml 4.1.0 4.1.1

Verification

  • TypeScript compilation: Passed (exit code 0)
  • Test suite (AVA + c8): All tests passed (exit code 0)
  • Build (yarn build): Pre-existing failure in nested scripts/generator-adapter sub-project due to local Node version mismatch (local: v20.11.0 vs required: v24.13.0). This failure exists on main and will pass in CI which uses Node 24.13.

Notes

  • All 3 alerts are transitive, development-scope dependencies
  • No direct dependency changes were required
  • No code changes were required
  • CI runtime (Node 24.13) is correctly pinned in .github/actions/setup/action.yaml and .tool-versions

@Fletch153 Fletch153 requested a review from a team as a code owner February 8, 2026 13:32
@github-actions
Copy link
Contributor

github-actions bot commented Feb 8, 2026

👋 Fletch153, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@github-actions
Copy link
Contributor

github-actions bot commented Feb 8, 2026

NPM Publishing labels 🏷️

🛑 This PR needs labels to indicate how to increase the current package version in the automated workflows. Please add one of the following labels: none, patch, minor, or major.

@Fletch153 Fletch153 force-pushed the dependabot-update-2026-02-08 branch from 2e4e308 to e49f0a2 Compare February 9, 2026 10:38
@Fletch153 Fletch153 merged commit bab96ca into main Feb 9, 2026
14 checks passed
@github-actions
Copy link
Contributor

github-actions bot commented Feb 9, 2026

❌ failed to run preflight checks
Failure message: No labels present on the PR, expected version bump label (one of 'major', 'minor', 'patch', or 'none')
Failed job: preflight

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dskloetc dskloetc dskloetc approved these changes

@cawthorne cawthorne Awaiting requested review from cawthorne

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Fletch153 @dskloetc