fix(deps): resolve HIGH severity npm vulnerabilities in website#3
Conversation
- path-to-regexp: 0.1.12 → 0.1.13 (CVE-2026-4867, GHSA-37ch-88jc-xwx2) - picomatch: 2.3.1 → 2.3.2 (CVE-2026-33671, GHSA-c2c7-rcm5-vvqj) - undici: 7.23.0 → 7.27.1 (CVE-2026-1526/CVE-2026-2229/CVE-2026-1528) - serialize-javascript: 6.0.2 → 7.0.3 (GHSA-5c6j-r48x-rmvq, via overrides) Fixes Dependabot alerts NousResearch#37, NousResearch#34, NousResearch#33, NousResearch#32, NousResearch#29, NousResearch#27
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 71877343ac
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| ] | ||
| }, | ||
| "overrides": { | ||
| "serialize-javascript": "7.0.3" |
There was a problem hiding this comment.
Upgrade serialize-javascript past vulnerable 7.0.3
When this security update is evaluated against current advisories, this override still pins every transitive serialize-javascript consumer to 7.0.3, but the active high-severity advisory covers versions <7.0.5. That means npm audit/Snyk-style checks will continue to flag the website lockfile and the dependency update does not actually resolve the reported vulnerability; pin the override and lockfile to 7.0.5 or newer instead.
Useful? React with 👍 / 👎.
| "prism-react-renderer": "^2.3.0", | ||
| "react": "^19.0.0", | ||
| "react-dom": "^19.0.0" | ||
| "@docusaurus/theme-mermaid": "^3.10.1", |
There was a problem hiding this comment.
Keep Docusaurus packages on one version
This bumps only @docusaurus/theme-mermaid to 3.10.1 while @docusaurus/core, @docusaurus/preset-classic, and the Docusaurus dev packages remain pinned to 3.9.2. Because website/docusaurus.config.ts enables this theme, the 3.9.2 CLI will load a 3.10.1 official theme and the lockfile now contains a second 3.10.1 Docusaurus stack under the theme; Docusaurus expects all @docusaurus/* packages in a site to use the same version, so Mermaid docs builds can fail on minor-version API mismatches. Either upgrade the whole Docusaurus set to 3.10.1 or keep the theme at 3.9.2.
Useful? React with 👍 / 👎.
Summary
Fixes HIGH severity Dependabot alerts in the Docusaurus website (
website/).Changes
serialize-javascriptrequired anoverridesentry since 6.x → 7.x is a major version bump not covered by semver ranges.