[WTF-2591]: Fix vulnerabilities in transitive dependencies of PWT #174
Open
weirdwater wants to merge 43 commits into
Conversation
Removed fast-xml-parser from command-tests package as it was not used anywhere in the code. This fixes a critical vulnerability (CVE-2026-25896) related to entity encoding bypass. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated Babel core and related packages to resolve potential vulnerabilities in transitive dependencies:
- @babel/core: 7.26.0 → 7.29.0
- @babel/preset-env: 7.26.0 → 7.29.2
- @babel/preset-react: 7.25.9 → 7.28.5
- @babel/plugin-transform-*: 7.25.9 → 7.28.6
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Upgraded generator-widget from ESLint 7 to 8
- Upgraded all packages from ESLint 8 to 9
- Updated ESLint plugins (@typescript-eslint, eslint-plugin-react, eslint-plugin-react-hooks) to v9-compatible versions
- Added ESLINT_USE_FLAT_CONFIG=false environment variable in mx-scripts.js to maintain compatibility with legacy .eslintrc configs
- Tested with test widget: lint and build commands work correctly
ESLint 10 is not yet released, and flat config migration has been deferred until it's available.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Upgraded ESLint to v10.2.1 across all packages
- Updated @babel/eslint-parser to 8.0.0-rc.3 for ESLint 10 compatibility
- Updated eslint-plugin-react-hooks to v7.1.1
- Tested with test widget: lint and build commands work correctly
- Legacy .eslintrc config still works with ESLINT_USE_FLAT_CONFIG=false
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Upgraded rollup to v4.60.2
- Tested with test widget: build works correctly
- No breaking changes affecting our usage
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update @rollup/plugin-commonjs from 28.0.6 to 29.0.2
- Update @rollup/plugin-terser from 0.4.4 to 1.0.0
- Update sass from 1.89.2 to 1.99.0
- Fixes immutable vulnerability (5.1.3 → 5.1.5)
This reduces total vulnerabilities from 42 to 41. Remaining vulnerabilities in rollup-plugin-postcss are transitive dependencies (svgo, yaml) that only affect build-time and do not ship with widget packages.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Update jest-environment-jsdom from ^29.4.1 to ^30.3.0
- Update jest-junit from ^13.0.0 to ^16.0.0
This update:
- Fixes @tootallnate/once vulnerability (via jsdom 20.0.3 → 26.1.0)
- Reduces test widget vulnerabilities by 4
- jsdom now uses http-proxy-agent 7.x (no @tootallnate/once dependency)
- Improves DOM spec compliance and performance
Remaining uuid vulnerability in jest-junit appears to have incorrect advisory version requirements and is test-time only (JUnit reporting).
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Major version updates:
- yeoman-environment: ^3.19.3 → ^6.0.1 (MAJOR)
- yeoman-generator: ^5.4.2 → ^8.1.2 (MAJOR)
- yeoman-test: ^6.3.0 → ^11.3.1 (MAJOR)
- @types/node: ^18.0.0 → ^20.14.8 (command-tests)
Updated engine requirements:
- generator-widget: node >=16 → >=20
Vulnerability reduction:
- Total: 41 → 24 vulnerabilities (-17)
- High: 25 → 15 (-10)
- Moderate: 11 → 8 (-3)
- Low: 5 → 1 (-4)
Fixed vulnerabilities in transitive dependencies:
- tar (multiple path traversal issues)
- minimatch (ReDoS vulnerabilities)
- node-forge (cryptographic vulnerabilities)
- lodash (prototype pollution)
- @tootallnate/once (control flow scoping)
- @octokit/* packages (ReDoS vulnerabilities)
- tmp (symbolic link vulnerability)
Added VULNERABLE_TRANSITIVE_DEPS.md with comprehensive list of all transitive dependencies with vulnerabilities and required versions.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
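Several of the commits above argue that a remaining finding (svgo, yaml, uuid) is build- or test-time only and does not ship with the widget packages. The script below is an added example, not code from this PR or its repository: it reads a package-lock.json (lockfileVersion 2 or 3, where entries reachable only through devDependencies carry `"dev": true` or `"devOptional": true`) and splits a list of audited package names into those that can ship at runtime and those that are dev-only. The lockfile and versions are constructed for illustration.

```javascript
// Constructed lockfile fragment (not the project's real lock): minimatch is
// installed once as a production dependency and once nested under a dev tool.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "widget", version: "0.0.0" }, // root project entry
    "node_modules/fast-xml-parser": { version: "0.0.0-placeholder" },
    "node_modules/minimatch": { version: "0.0.0-placeholder" },
    "node_modules/rollup-plugin-postcss": { version: "0.0.0-placeholder", dev: true },
    "node_modules/svgo": { version: "0.0.0-placeholder", dev: true },
    "node_modules/yaml": { version: "0.0.0-placeholder", dev: true },
    "node_modules/jest-junit": { version: "0.0.0-placeholder", dev: true },
    "node_modules/jest-junit/node_modules/uuid": { version: "0.0.0-placeholder", dev: true },
    "node_modules/jest-junit/node_modules/minimatch": { version: "0.0.0-placeholder", dev: true },
  },
};

// Package name is the last "node_modules/" segment; scoped names (@org/pkg)
// contain a slash but no further "node_modules/", so this handles them too.
function packageName(lockKey) {
  const marker = "node_modules/";
  return lockKey.slice(lockKey.lastIndexOf(marker) + marker.length);
}

// Returns sorted arrays: shipped (reachable from production deps),
// buildOnly (every installed copy is dev-only) and notInstalled.
function classifyFindings(lock, vulnerableNames) {
  const wanted = new Set(vulnerableNames);
  const shipped = new Set();
  const devOnly = new Set();
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue; // skip the root project itself
    const name = packageName(key);
    if (!wanted.has(name)) continue;
    // No dev/devOptional flag means npm reached it from production deps.
    if (entry.dev || entry.devOptional) devOnly.add(name);
    else shipped.add(name);
  }
  // A package installed both ways still ships: one runtime copy is enough.
  for (const name of shipped) devOnly.delete(name);
  const notInstalled = [...wanted].filter((n) => !shipped.has(n) && !devOnly.has(n));
  return {
    shipped: [...shipped].sort(),
    buildOnly: [...devOnly].sort(),
    notInstalled: notInstalled.sort(),
  };
}
```

Run it against the lockfile of the package that is actually published; a dev-only result says nothing about bundler inlining or about other consumers of the same lockfile.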
No description provided.