
Add package.json with pinned exact versions and fix brace-expansion vulnerability#1132

Merged
pethers merged 2 commits intomasterfrom
copilot/fix-package-json-versions
Mar 27, 2026

Conversation

Contributor

Copilot AI commented Mar 27, 2026

This repo had no package.json — npm tools were installed globally in CI without pinned versions. Introduces a proper manifest with all dependencies locked to exact versions and a package-lock.json for reproducible installs.

Dependencies

All 12 devDependencies pinned exactly (no ^/~):

Tool Version
htmlhint 1.9.2
html-validate 10.11.2
linkinator 7.6.1
html-minifier-terser 7.2.0
clean-css-cli 5.6.3
terser 5.46.1
glob 13.0.6
npm-check-updates 19.6.6
@modelcontextprotocol/server-filesystem 2026.1.14
@modelcontextprotocol/server-memory 2026.1.26
@modelcontextprotocol/server-sequential-thinking 2025.12.18
@playwright/mcp 0.0.68

Vulnerability Fix

clean-css-cli and @modelcontextprotocol/server-filesystem both pull in brace-expansion < 5.0.5 (GHSA-f886-m6hf-6m8v — zero-step sequence causes process hang/OOM). Fixed via overrides:

"overrides": {
  "brace-expansion": "5.0.5",
  "minimatch": "10.2.4"
}

Result: npm audit reports 0 vulnerabilities. npx npm-check-updates confirms all deps are at latest.

.gitignore

Removed package.json and package-lock.json from .gitignore — they were pre-emptively excluded before this manifest existed.

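A way to confirm that the overrides described above actually took effect, as an added example that is not part of this PR or of the Hack23/homepage repository: a Node script that walks a package-lock.json (lockfileVersion 2 or 3, the "packages" map keyed by node_modules path) and flags any copy of brace-expansion or minimatch, nested ones included, resolved below the minimums the PR pins. The two lock fragments embedded in it are constructed for illustration; the versions nested under clean-css-cli and @modelcontextprotocol/server-filesystem are assumptions, not the repository's real dependency tree, and the script filename in the usage comment is likewise assumed.

```javascript
// Added example, not code from the Hack23/homepage repository or its PR.
// Checks a package-lock.json (lockfileVersion 2 or 3, "packages" map keyed by
// node_modules path) for any copy of a package resolved below a minimum
// version. This is the situation the PR's "overrides" block fixes: a vulnerable
// brace-expansion reached only transitively, which npm would otherwise keep
// as a nested copy under the depending package's own node_modules.

// Minimum versions taken from the PR's overrides block.
const MINIMUMS = { 'brace-expansion': '5.0.5', 'minimatch': '10.2.4' };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// The package name is everything after the last "node_modules/" in the lock
// key, which keeps the scope for entries such as ".../node_modules/@scope/name".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every lock entry whose name is in `minimums` and whose resolved
// version is below the required minimum, nested copies included.
function findBelowMinimum(lock, minimums) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // "" is the root project itself
    const name = packageNameFromKey(key);
    if (name === null || !(name in minimums) || !entry.version) continue;
    if (compareSemver(entry.version, minimums[name]) < 0) {
      hits.push({ path: key, name, version: entry.version, minimum: minimums[name] });
    }
  }
  return hits;
}

// Constructed lock fragments for illustration. The versions nested under
// clean-css-cli and server-filesystem are assumed, not the real repo's tree.
const LOCK_BEFORE_OVERRIDES = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'homepage', devDependencies: { 'clean-css-cli': '5.6.3' } },
    'node_modules/brace-expansion': { version: '5.0.5' },
    'node_modules/minimatch': { version: '10.2.4' },
    'node_modules/clean-css-cli/node_modules/brace-expansion': { version: '2.0.1' },
    'node_modules/clean-css-cli/node_modules/minimatch': { version: '9.0.5' },
    'node_modules/@modelcontextprotocol/server-filesystem/node_modules/brace-expansion': { version: '2.0.2' },
  },
};

// With "overrides" in effect npm resolves a single copy at the pinned version,
// so the nested entries are gone and the root entry records the override.
const LOCK_AFTER_OVERRIDES = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'homepage', overrides: MINIMUMS },
    'node_modules/brace-expansion': { version: '5.0.5' },
    'node_modules/minimatch': { version: '10.2.4' },
  },
};

// Against a real lock file (assumed filename): node check-lock.js package-lock.json
// Exits non-zero when any pinned package is still resolved below its minimum.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  if (file) {
    const lock = JSON.parse(require('node:fs').readFileSync(file, 'utf8'));
    const hits = findBelowMinimum(lock, MINIMUMS);
    for (const h of hits) console.log(`${h.path}: ${h.version} < ${h.minimum}`);
    process.exitCode = hits.length === 0 ? 0 : 1;
  }
}
```

Running this as a CI step before npm ci catches a lock regenerated without the override, rather than relying on npm audit after the fact. One caveat on the overrides approach itself: an npm override replaces the version for every dependent regardless of the range that dependent declared, so forcing minimatch to a single major also rewires packages written against an older minimatch API; the build and test run after the install is what confirms they still work.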


…ion vulnerability

Agent-Logs-Url: https://github.com/Hack23/homepage/sessions/d1e3add4-58e6-47d8-ae19-2098dfb4b5a6

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
@github-actions github-actions bot added the labels dependencies (Dependency updates), infrastructure (CI/CD and infrastructure), config (Configuration changes) and content-pages (Main website pages) on Mar 27, 2026
Copilot AI changed the title from "[WIP] Fix all versions in package.json dependencies" to "Add package.json with pinned exact versions and fix brace-expansion vulnerability" on Mar 27, 2026
@sonarqubecloud

@pethers pethers marked this pull request as ready for review March 27, 2026 12:01
@pethers pethers merged commit 389511d into master Mar 27, 2026
14 checks passed
@pethers pethers deleted the copilot/fix-package-json-versions branch March 27, 2026 12:01

Labels

config (Configuration changes), content-pages (Main website pages), dependencies (Dependency updates), infrastructure (CI/CD and infrastructure), size/M


2 participants