[PR #425] [MERGED] fix(deps): patch all open Dependabot security vulnerabilities #449

Closed
opened 2026-06-05 17:23:07 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/langchain-ai/deepagentsjs/pull/425
Author: @jkennedyvz
Created: 4/4/2026
Status: Merged
Merged: 4/4/2026
Merged by: @christian-bromann

Base: mainHead: fix/dependabot-security-overrides


📝 Commits (1)

  • 6dd0ade fix(deps): patch all open Dependabot security vulnerabilities via pnpm overrides

📊 Changes

2 files changed (+56 additions, -39 deletions)

View changed files

📝 package.json (+6 -2)
📝 pnpm-lock.yaml (+50 -37)

📄 Description

Summary

  • Adds pnpm overrides to resolve all 11 open Dependabot security alerts
  • Patches lodash (→4.18.1), picomatch (→2.3.2/4.0.4), fast-xml-parser (→5.5.10), flatted (→3.4.2)
  • Updates existing fast-xml-parser override to cover all reported CVE ranges

Test plan

  • Verify pnpm install succeeds without errors
  • Verify no vulnerable versions remain in pnpm-lock.yaml
  • Confirm Dependabot alerts auto-close after merge
  • Run pnpm test to ensure no regressions

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/langchain-ai/deepagentsjs/pull/425 **Author:** [@jkennedyvz](https://github.com/jkennedyvz) **Created:** 4/4/2026 **Status:** ✅ Merged **Merged:** 4/4/2026 **Merged by:** [@christian-bromann](https://github.com/christian-bromann) **Base:** `main` ← **Head:** `fix/dependabot-security-overrides` --- ### 📝 Commits (1) - [`6dd0ade`](https://github.com/langchain-ai/deepagentsjs/commit/6dd0ade733d2511eb3bc2e8fc7649c8cfebc44d8) fix(deps): patch all open Dependabot security vulnerabilities via pnpm overrides ### 📊 Changes **2 files changed** (+56 additions, -39 deletions) <details> <summary>View changed files</summary> 📝 `package.json` (+6 -2) 📝 `pnpm-lock.yaml` (+50 -37) </details> ### 📄 Description ## Summary - Adds pnpm overrides to resolve all 11 open Dependabot security alerts - Patches `lodash` (→4.18.1), `picomatch` (→2.3.2/4.0.4), `fast-xml-parser` (→5.5.10), `flatted` (→3.4.2) - Updates existing `fast-xml-parser` override to cover all reported CVE ranges ## Test plan - [ ] Verify `pnpm install` succeeds without errors - [ ] Verify no vulnerable versions remain in `pnpm-lock.yaml` - [ ] Confirm Dependabot alerts auto-close after merge - [ ] Run `pnpm test` to ensure no regressions --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-06-05 17:23:07 -04:00
yindo closed this issue 2026-06-05 17:23:07 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/deepagentsjs#449