Skip to content

chore(deps): consolidate dependency bumps + fix webpack SSRF in samples/weather-forecast#239

Open
Copilot wants to merge 2 commits intomainfrom
copilot/chore-bump-dependencies-in-weather-forecast
Open

chore(deps): consolidate dependency bumps + fix webpack SSRF in samples/weather-forecast#239
Copilot wants to merge 2 commits intomainfrom
copilot/chore-bump-dependencies-in-weather-forecast

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 16, 2026

Consolidates dependabot PRs #233#238 into a single update and closes two webpack SSRF security alerts (#96/#97) where a transitive webpack@^5 was resolving to the vulnerable 5.101.3.

Dependency bumps

  • Runtime: axios ^1.13.5→^1.15.0, @staffbase/widget-sdk ^3.15.5→^3.17.0, acorn ^8.15.0→^8.16.0, dayjs 1.11.18→1.11.20
  • Dev: typescript 5.9.2→6.0.2, @types/node 24.5.2→25.5.2, copy-webpack-plugin ^13.0.1→**^14.0.0**, @babel/core|preset-*, @testing-library/*, core-js, jest-environment-jsdom, prettier, ts-loader, webpack-dev-server
  • Transitive (yarn.lock only): follow-redirects 1.15.9→1.16.0

Security: webpack SSRF (CVE-2025-68157 / CVE-2025-68458)

Both CVEs (HTTP-redirect allowedUris bypass and URL userinfo bypass, fixed in webpack ≥5.104.1) were exploitable through a transitive dependency requiring just webpack@^5, which yarn resolved to the unfixed 5.101.3 independently of the project's own ^5.104.1 pin.

Fix: pin via yarn resolutions so all ranges collapse to 5.105.4:

"resolutions": {
  "webpack": "5.105.4"
}
# yarn.lock — before: two separate entries
webpack@^5:          version "5.101.3"  ← vulnerable
webpack@^5.104.1:    version "5.105.4"

# after: single entry
webpack@5.105.4, webpack@^5, webpack@^5.104.1:
  version "5.105.4"

TypeScript 6 compatibility fixes

  • tsconfig.json: add "ignoreDeprecations": "6.0" — TS6 now errors on the deprecated moduleResolution: "node" and baseUrl options (TS5101/TS5107)
  • webpack.common.ts: replace require("copy-webpack-plugin") with an ES import — TS6 no longer implicitly provides the require global (TS2591)
  • dev/widget-api-mock/index.ts: add flags: [] to the BranchInformation mock — new required field introduced in @staffbase/widget-sdk 3.17

Copilot AI and others added 2 commits April 16, 2026 00:43
@maximizeIT
chore(deps): bump all dependencies in /samples/weather-forecast
c1c3387 
Consolidates all dependency bumps from PRs #233-#238:

- follow-redirects: 1.15.9 → 1.16.0 (via yarn.lock, PR #238)
- typescript: 5.9.2 → 6.0.2 (PR #237)
- @types/node: 24.5.2 → 25.5.2 (PR #236)
- copy-webpack-plugin: ^13.0.1 → ^14.0.0 (PR #235)
- axios: ^1.13.5 → ^1.15.0 (PR #233)
- @staffbase/widget-sdk: ^3.15.5 → ^3.17.0 (PR #234)
- acorn: ^8.15.0 → ^8.16.0 (PR #234)
- dayjs: 1.11.18 → 1.11.20 (PR #234)
- @babel/core: ^7.28.4 → ^7.29.0 (PR #234)
- @babel/preset-env: ^7.28.3 → ^7.29.2 (PR #234)
- @babel/preset-react: ^7.27.1 → ^7.28.5 (PR #234)
- @babel/preset-typescript: ^7.27.1 → ^7.28.5 (PR #234)
- @testing-library/jest-dom: ^6.8.0 → ^6.9.1 (PR #234)
- @testing-library/react: ^16.3.0 → ^16.3.2 (PR #234)
- core-js: 3.45.1 → 3.49.0 (PR #234)
- jest-environment-jsdom: ^30.1.2 → ^30.3.0 (PR #234)
- prettier: 3.6.2 → 3.8.1 (PR #234)
- ts-loader: ^9.5.4 → ^9.5.7 (PR #234)
- webpack-dev-server: ^5.2.2 → ^5.2.3 (PR #234)

Fixes for TypeScript 6.0 breaking changes:
- Add ignoreDeprecations: "6.0" to tsconfig.json (moduleResolution/baseUrl deprecation)
- Convert require() to ES import in webpack.common.ts (TS2591 error)
- Add missing flags property to BranchInformation mock (new required field in @staffbase/widget-sdk 3.17)

Co-authored-by: GitHub Copilot <copilot@noreply.github.com>

Agent-Logs-Url: https://github.com/Staffbase/custom-widgets-examples/sessions/adca9c8d-9484-48fd-83f8-160d37a1a170

Co-authored-by: maximizeIT <8626039+maximizeIT@users.noreply.github.com>
@maximizeIT
fix(security): force webpack to 5.105.4 to fix CVE-2025-68157 and CVE…
61a1b77 
…-2025-68458

Adds "webpack": "5.105.4" to yarn resolutions, ensuring the transitive
webpack@^5 dependency (which was resolving to the vulnerable 5.101.3) is
forced to the patched version. Both SSRF alerts (#96 and #97) are resolved.

Co-authored-by: GitHub Copilot <copilot@noreply.github.com>

Agent-Logs-Url: https://github.com/Staffbase/custom-widgets-examples/sessions/adca9c8d-9484-48fd-83f8-160d37a1a170

Co-authored-by: maximizeIT <8626039+maximizeIT@users.noreply.github.com>
@maximizeIT maximizeIT marked this pull request as ready for review April 16, 2026 00:51
@maximizeIT maximizeIT requested review from a team and maximizeIT as code owners April 16, 2026 00:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ninerian Ninerian Awaiting requested review from Ninerian Ninerian is a code owner automatically assigned from Staffbase/need-for-speed-devs

@PujaSingh7655 PujaSingh7655 Awaiting requested review from PujaSingh7655 PujaSingh7655 is a code owner automatically assigned from Staffbase/need-for-speed-devs

@yuta-horiuchi-sb yuta-horiuchi-sb Awaiting requested review from yuta-horiuchi-sb yuta-horiuchi-sb is a code owner automatically assigned from Staffbase/cs-tech

1 more reviewer

@maximizeIT maximizeIT maximizeIT approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@maximizeIT maximizeIT

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maximizeIT