Pull request overview
Updates JavaScript tooling dependencies to address multiple Dependabot security alerts in the Carousel Kit project’s build/lint/test toolchain.
Changes:
- Bumped @wordpress/scripts from ^31.2.0 to ^31.6.0.
- Added an npm overrides entry for serialize-javascript (^7.0.3).
| "react-dom": "^18.3.1", | ||
| "webpack-dev-server": ">=5.2.1" | ||
| "webpack-dev-server": ">=5.2.1", | ||
| "serialize-javascript": "^7.0.3" |
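Review bot: the added "serialize-javascript": "^7.0.3" line is an unscoped override, so it replaces the requested version for every dependent in the tree, not only the path the alerts flag. Consider nesting the override under the dependent that pulls in the vulnerable version, and record in the PR description which alert it resolves so the entry can be dropped once upstream ships a fixed release.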
The new npm override forces serialize-javascript to v7 (^7.0.3), but copy-webpack-plugin@10.2.4 in the dependency tree declares serialize-javascript: ^6.0.0. Forcing a different major than a package declares support for can break the build at runtime. Consider overriding to a patched 6.x version that satisfies ^6.0.0 (e.g., ^6.0.2), or bumping the upstream dependency (e.g., via @wordpress/scripts/webpack plugin versions) to one that officially supports serialize-javascript@7 before enforcing v7.
| "serialize-javascript": "^7.0.3" | |
| "serialize-javascript": "^6.0.2" |
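Review bot: the replacement line's ^6.0.2 is offered as a patched 6.x, but nothing in this thread shows the affected or patched ranges from the Dependabot alerts. Confirm that the alerts list a 6.x release as patched before switching; if the fix exists only in 7.x, this range would leave the alerts open.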
@mi5t4n closing this PR as all dependabot issues are fixed.
Resolves:
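The range conflict raised in the review above (an override of ^7.0.3 against a dependent that declares ^6.0.0) can be checked mechanically; the following is an added example, not code from the pull request or the project. The lockfile fragment is constructed, `hypothetical-plugin` and the function names are assumptions, and only `^x.y.z` and `>=x.y.z` ranges are parsed.

```javascript
// Added example: report npm overrides whose range cannot overlap a dependent's declared range.
// Understands only ^x.y.z and >=x.y.z; other range syntax is reported as "unchecked".
// Constructed sample in the package-lock "packages" layout; hypothetical-plugin is made up.
const lock = {
  packages: {
    'node_modules/copy-webpack-plugin': {
      version: '10.2.4',
      dependencies: { 'serialize-javascript': '^6.0.0' },
    },
    'node_modules/hypothetical-plugin': {
      version: '1.0.0',
      dependencies: { 'serialize-javascript': '^7.0.0' },
    },
  },
};

// Convert a range to a half-open interval [min, max) of [major, minor, patch] tuples.
function toInterval(range) {
  const m = /^(\^|>=)(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return null;
  const min = [Number(m[2]), Number(m[3]), Number(m[4])];
  if (m[1] === '>=') return { min, max: [Infinity, 0, 0] };
  // Caret: everything right of the leftmost non-zero component may change.
  const i = min.findIndex((n) => n !== 0);
  const max = i === -1 ? [0, 0, 1] : min.map((n, k) => (k < i ? n : k === i ? n + 1 : 0));
  return { min, max };
}

const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// "overlap" means some version can satisfy both ranges, not that npm will pick one:
// an open-ended override such as ">=5.2.1" can still resolve past a dependent's major.
function findOverrideConflicts(lockfile, overrides) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lockfile.packages)) {
    for (const [dep, declared] of Object.entries(pkg.dependencies || {})) {
      if (!Object.hasOwn(overrides, dep)) continue;
      const a = toInterval(declared);
      const b = toInterval(overrides[dep]);
      const status = !a || !b ? 'unchecked'
        : cmp(a.min, b.max) < 0 && cmp(b.min, a.max) < 0 ? 'overlap' : 'disjoint';
      const dependent = `${path.replace(/^.*node_modules\//, '')}@${pkg.version}`;
      findings.push({ dependent, dep, declared, forced: overrides[dep], status });
    }
  }
  return findings;
}

console.log(findOverrideConflicts(lock, { 'serialize-javascript': '^7.0.3' }));
```

A `disjoint` finding is the case the review describes; running the same check in CI against the real package-lock.json would surface it before the build breaks.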