
Run npm audit fix (non-breaking) #25832

Merged

rzhao271 merged 2 commits into main from copilot/run-npm-audit-fix on Mar 3, 2026

Conversation


Copilot AI commented Mar 3, 2026

Applies npm audit fix (no --force) to resolve 5 of 26 reported vulnerabilities. Only package-lock.json is modified — semver ranges in package.json are unchanged.

Packages updated

| Package | Before | After | CVE/Advisory |
| --- | --- | --- | --- |
| cipher-base | 1.0.4 | 1.0.7 | GHSA-cpq7-6gpm-g9rc — critical, missing type checks |
| ajv | 6.12.6 / 8.17.1 | 6.14.0 / 8.18.0 | GHSA-2g4f-4pwh-qvx6 — ReDoS via $data |
| bn.js | 4.11.8 / 5.2.1 | 4.12.3 / 5.2.3 | GHSA-378v-28hj-76wf — infinite loop |
| glob | 10.4.5 | 10.5.0 | GHSA-5j98-mcp5-4vw2 — CLI command injection |
| minimatch (3.x / 9.x) | 3.1.2 / 9.0.x | 3.1.5 / 9.0.9 | GHSA-3ppc-4f35-3m26 — ReDoS |

Remaining vulnerabilities (21)

All require --force and involve breaking changes (e.g. mocha downgrade, copy-webpack-plugin major bump, node-polyfill-webpack-plugin major bump). Not addressed here per the constraint of no forced updates.

Original prompt

Run npm audit fix. Do not use force flag.

Created from VS Code.
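The split the comment above describes (fixes npm applies in place versus fixes that need `--force` because they are semver-major bumps of a top-level dependency) is easy to audit mechanically before merging a lockfile-only PR. The following script is an added example and is not code from this PR or its repository. It reads a report in the shape of `npm audit --json` (npm v7+: `vulnerabilities` keyed by package, each with `severity`, `via` and `fixAvailable`, where `fixAvailable` is `true`, `false`, or an object with `isSemVerMajor`), sorts the findings into the three buckets, and checks that `package.json` ranges did not move. The report below is constructed for the example; the advisory ids are the ones listed in the PR, the `mocha`/`copy-webpack-plugin` fix versions and the `left-behind-pkg` entry are placeholders.

```javascript
// Added example, not code from this PR or its repository.
// Classifies `npm audit --json` findings into: fixable by plain `npm audit fix`,
// fixable only with --force (semver-major bump of a top-level dep), or no fix.
// Report shape follows npm v7+ output as understood here; the data is constructed.

const sampleReport = {
  vulnerabilities: {
    "cipher-base": {
      severity: "critical",
      via: [{ url: "https://github.com/advisories/GHSA-cpq7-6gpm-g9rc", severity: "critical" }],
      fixAvailable: true, // npm can bump the lockfile entry within the existing range
    },
    minimatch: {
      severity: "high",
      via: [{ url: "https://github.com/advisories/GHSA-3ppc-4f35-3m26", severity: "high" }],
      fixAvailable: true,
    },
    glob: {
      severity: "high",
      via: [{ url: "https://github.com/advisories/GHSA-5j98-mcp5-4vw2", severity: "high" }],
      // Object form: fix changes a top-level dep, but not across a major version,
      // so `npm audit fix` still applies it without --force.
      fixAvailable: { name: "glob", version: "10.5.0", isSemVerMajor: false },
    },
    mocha: {
      severity: "high",
      via: ["glob"], // string entries mean "vulnerable only through this other package"
      // isSemVerMajor: true is what pushes a fix behind --force; version is a placeholder
      fixAvailable: { name: "mocha", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "copy-webpack-plugin": {
      severity: "moderate",
      via: ["glob"],
      fixAvailable: { name: "copy-webpack-plugin", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "left-behind-pkg": { // placeholder name: advisory published, no fixed release yet
      severity: "low",
      via: [{ url: "https://github.com/advisories/GHSA-xxxx-placeholder", severity: "low" }],
      fixAvailable: false,
    },
  },
};

function classifyAudit(report) {
  const buckets = { nonBreaking: [], requiresForce: [], noFix: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const via = Array.isArray(vuln.via) ? vuln.via : [];
    const entry = {
      name,
      severity: vuln.severity,
      // Direct advisories are objects with a URL; strings name upstream vulnerable deps.
      advisories: via.filter((v) => v && typeof v === "object").map((v) => v.url),
      through: via.filter((v) => typeof v === "string"),
    };
    const fix = vuln.fixAvailable;
    if (fix === true) {
      buckets.nonBreaking.push(entry);
    } else if (fix && typeof fix === "object") {
      const target = { ...entry, fixName: fix.name, fixVersion: fix.version };
      (fix.isSemVerMajor ? buckets.requiresForce : buckets.nonBreaking).push(target);
    } else {
      buckets.noFix.push(entry);
    }
  }
  return buckets;
}

// Counts in the form the PR comment uses ("resolves 5 of 26 reported vulnerabilities").
function summarize(report) {
  const b = classifyAudit(report);
  const total = b.nonBreaking.length + b.requiresForce.length + b.noFix.length;
  return {
    total,
    fixedByAuditFix: b.nonBreaking.length,
    needForce: b.requiresForce.length,
    noFix: b.noFix.length,
    line: `npm audit fix resolves ${b.nonBreaking.length} of ${total}; ${b.requiresForce.length} need --force`,
  };
}

// Guard for the comment's second claim: a non-forced run leaves package.json ranges alone.
// Returns every dependency whose declared range differs between the two manifests.
function changedRanges(pkgBefore, pkgAfter) {
  const changes = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const a = pkgBefore[field] || {};
    const b = pkgAfter[field] || {};
    for (const dep of new Set([...Object.keys(a), ...Object.keys(b)])) {
      if (a[dep] !== b[dep]) changes.push({ field, dep, before: a[dep], after: b[dep] });
    }
  }
  return changes;
}

const summary = summarize(sampleReport);
console.log(summary.line);
for (const v of classifyAudit(sampleReport).requiresForce) {
  console.log(`  needs --force: ${v.name} -> ${v.fixName}@${v.fixVersion} (via ${v.through.join(", ") || "direct"})`);
}
```

In a pre-merge check you would feed `npm audit --json` output into `classifyAudit` and fail the job if `requiresForce` is non-empty and the PR claims to be non-breaking, and run `changedRanges` over `package.json` from the base and head commits to confirm only the lockfile moved.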



….json

Co-authored-by: rzhao271 <7199958+rzhao271@users.noreply.github.com>
Copilot AI changed the title [WIP] Run npm audit fix without using force flag Run npm audit fix (non-breaking) Mar 3, 2026
@rzhao271 rzhao271 marked this pull request as ready for review March 3, 2026 17:40
@rzhao271 rzhao271 enabled auto-merge (squash) March 3, 2026 17:40
@rzhao271 rzhao271 added this to the March 2026 milestone Mar 3, 2026
@rzhao271 rzhao271 added labels: no-changelog (No news entry required), skip package*.json (package.json and package-lock.json don't both need updating), dependencies (Pull requests that update a dependency file), skip-issue-check, Mar 3, 2026
@rzhao271 rzhao271 merged commit bec2bbd into main Mar 3, 2026
95 of 98 checks passed
@rzhao271 rzhao271 deleted the copilot/run-npm-audit-fix branch March 3, 2026 18:20