
docs/site: fix Dependabot npm alerts via overrides#21168

Merged
yperbasis merged 1 commit into main from yperbasis/deps1 on May 13, 2026
Conversation

@yperbasis (Member)
Summary

Fixes all 5 open Dependabot alerts (4 high, 1 medium) in docs/site/package-lock.json. Each is a transitive npm dep, so the fix uses npm overrides in docs/site/package.json:

serialize-javascript jumps a major version (6 → 7), but v7 only drops Node 14 support — the engines field in docs/site/package.json already requires Node ≥ 20.

Test plan

  • npm audit reports 0 vulnerabilities
  • npm run build succeeds (Node 24)
  • CI builds the Docusaurus site successfully

🤖 Generated with Claude Code

Add npm `overrides` for vulnerable transitive deps in the Docusaurus
site and regenerate `package-lock.json`:

- `@babel/plugin-transform-modules-systemjs` 7.29.0 → 7.29.4
  (GHSA-fv7c-fp4j-7gwp, high)
- `fast-uri` 3.1.0 → 3.1.2 (GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6,
  both high)
- `serialize-javascript` 6.0.2 → 7.0.5 (GHSA-5c6j-r48x-rmvq high,
  GHSA-qj8w-gfj5-8c6v medium)

`npm audit` now reports 0 vulnerabilities. The site still builds via
`npm run build` (Node 24).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
yperbasis added the dependencies and docs labels on May 13, 2026
yperbasis enabled auto-merge on May 13, 2026 10:35
yperbasis requested a review from Copilot on May 13, 2026 10:35

Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses Dependabot security alerts in the Docusaurus docs site by forcing patched versions of vulnerable transitive npm dependencies via overrides, and updating the lockfile accordingly.

Changes:

  • Add npm overrides for @babel/plugin-transform-modules-systemjs, fast-uri, and serialize-javascript to require non-vulnerable versions.
  • Update package-lock.json to reflect the resolved patched versions (and remove randombytes as it’s no longer needed via serialize-javascript@7).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| docs/site/package.json | Adds security-motivated overrides entries for vulnerable transitive dependencies. |
| docs/site/package-lock.json | Updates resolved transitive dependency versions to patched releases and removes no-longer-required entries. |

Files not reviewed (1)
  • docs/site/package-lock.json: Language not supported

Comment thread docs/site/package.json
yperbasis added this pull request to the merge queue on May 13, 2026
Merged via the queue into main with commit 71acfea on May 13, 2026
66 checks passed
yperbasis deleted the yperbasis/deps1 branch on May 13, 2026 12:48
pull Bot pushed a commit to Dustin4444/erigon that referenced this pull request Jun 9, 2026
…h#21691)

## Summary

Fixes all 3 open [Dependabot
alerts](https://github.com/erigontech/erigon/security/dependabot) (3
medium) — two transitive npm deps across two lockfiles. Both are fixed
with npm `overrides`, the same approach as erigontech#21168.

| Alert | Package | Lockfile | Bump |
|---|---|---|---|
| [84](https://github.com/erigontech/erigon/security/dependabot/84) | `uuid` (via `sockjs`) | `docs/site` | 8.3.2 → 11.1.1 |
| [82](https://github.com/erigontech/erigon/security/dependabot/82) | `ws` (via `webpack-dev-server`) | `docs/site` | 8.20.0 → 8.21.0 |
| [83](https://github.com/erigontech/erigon/security/dependabot/83) | `ws` (via `ethers`) | `execution/tracing/tracers/internal/tracetest/testgenerator` | 8.17.1 → 8.21.0 |

- `uuid` < 11.1.1 — [CVE-2026-41907](GHSA-w5hq-g745-h8pq) / GHSA-w5hq-g745-h8pq (medium): missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided.
- `ws` >= 8.0.0, < 8.20.1 — [CVE-2026-45736](GHSA-58qx-3vcg-4xpx) / GHSA-58qx-3vcg-4xpx (medium): uninitialized memory disclosure.

The overrides are **scoped to the vulnerable consumers**, so the
non-vulnerable sibling copies in `docs/site` are left untouched:
`ws@7.5.10` (`webpack-bundle-analyzer`, which needs `^7`) and
`uuid@14.0.0` (`mermaid`).

## Test plan

`docs/site` (mirrors the `Docs Site Build` CI workflow; run on Node 24):
- [x] `npm ci` — clean, lockfile in sync with `package.json`, **0
vulnerabilities**
- [x] `npm run typecheck` — passes
- [x] `npm run build` — succeeds

`testgenerator`:
- [x] `npm ci` — **0 vulnerabilities**
- [x] `npm run build` (`tsc`) — passes
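Neither test plan shows that an override reached the consumer it was meant for, rather than only making `npm audit` quiet, so here is an added example (not erigon's or npm's code) that checks a lockfile against a `package.json` `overrides` block. It walks the v2/v3 `packages` map, resolves each dependent's copy the way Node does, flags copies inside the vulnerable range, and reports overrides the lockfile does not honour. It covers both shapes used in this thread: the flat overrides of #21168 and the consumer-scoped ones of #21691. The lockfile fragment, the consumer versions and the function names (`auditPackage`, `checkOverrides`, `resolveFrom`, `makeLock`) are constructed for the example; the `ws` vulnerable range is the one stated in the #21691 description.

```javascript
// Added example (not erigon's own code): sanity-check npm `overrides` against
// package-lock.json. All names, versions and the lockfile below are constructed.

// Plain x.y.z compare (no prerelease tags); the real `semver` package handles
// full ranges, this just keeps the example dependency-free.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Vulnerable range as [min inclusive, max exclusive], e.g. ws ">= 8.0.0, < 8.20.1".
function inRange(version, { min, maxExclusive }) {
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// Package name from a lockfile path: everything after the last "node_modules/",
// so scoped names such as @babel/plugin-transform-modules-systemjs stay intact.
function nameOf(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? "" : lockPath.slice(i + "node_modules/".length);
}
// Resolve `name` from the package at `fromPath` the way Node does: its own
// node_modules first, then one node_modules level up at a time, then the root.
function resolveFrom(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("node_modules/"); // drop trailing "/node_modules/<pkg>"
    base = i <= 0 ? "" : base.slice(0, i - 1);
  }
}

// Every copy of `name` in the lockfile, its resolved dependents, and whether it is vulnerable.
function auditPackage(lock, name, vulnerableRange) {
  const packages = lock.packages;
  const copies = {};
  for (const [p, entry] of Object.entries(packages)) {
    if (p && nameOf(p) === name) {
      copies[p] = { version: entry.version, vulnerable: inRange(entry.version, vulnerableRange), dependents: [] };
    }
  }
  for (const [p, entry] of Object.entries(packages)) {
    if (!(entry.dependencies || {})[name]) continue;
    const resolved = resolveFrom(packages, p, name);
    if (resolved) copies[resolved].dependents.push(nameOf(p) || "<root>");
  }
  return copies;
}

// Check that each `overrides` entry is honoured. A string value ("ws": "8.21.0") must
// apply to every dependent of that package; a nested object ("webpack-dev-server":
// { "ws": "8.21.0" }) only to that consumer. Assumes plain names and exact pins, as in the PR.
function checkOverrides(overrides, lock) {
  const packages = lock.packages;
  const violations = [];
  const expect = (depPath, name, want) => {
    const resolved = resolveFrom(packages, depPath, name);
    const got = resolved ? packages[resolved].version : null;
    if (got !== want) violations.push({ consumer: nameOf(depPath) || "<root>", name, want, got });
  };
  for (const [key, value] of Object.entries(overrides)) {
    for (const [p, entry] of Object.entries(packages)) {
      const deps = entry.dependencies || {};
      if (typeof value === "string") {
        if (key in deps) expect(p, key, value);
      } else if (nameOf(p) === key) {
        for (const [name, want] of Object.entries(value)) if (name in deps) expect(p, name, want);
      }
    }
  }
  return violations;
}

// Constructed lockfile modelled on the docs/site layout described in the PR: webpack-dev-server
// wants ws ^8, webpack-bundle-analyzer wants ws ^7 and keeps a nested copy. Versions are hypothetical.
function makeLock(hoistedWs) {
  return {
    packages: {
      "": { dependencies: { "webpack-dev-server": "^5.0.0", "webpack-bundle-analyzer": "^4.0.0" } },
      "node_modules/webpack-dev-server": { version: "5.0.0", dependencies: { ws: "^8.0.0" } },
      "node_modules/ws": { version: hoistedWs },
      "node_modules/webpack-bundle-analyzer": { version: "4.0.0", dependencies: { ws: "^7.3.1" } },
      "node_modules/webpack-bundle-analyzer/node_modules/ws": { version: "7.5.10" },
    },
  };
}
const WS_VULNERABLE = { min: "8.0.0", maxExclusive: "8.20.1" }; // range given in the PR for GHSA-58qx-3vcg-4xpx
const SCOPED = { "webpack-dev-server": { ws: "8.21.0" } }; // scoped override, as in #21691
const FLAT = { ws: "8.21.0" }; // flat override, as in #21168
console.log("before override:", auditPackage(makeLock("8.20.0"), "ws", WS_VULNERABLE));
console.log("scoped violations:", checkOverrides(SCOPED, makeLock("8.21.0")));
console.log("flat pin would also demand:", checkOverrides(FLAT, makeLock("8.21.0")));
```

Run it with `node` and no dependencies. Against a real checkout, replace `makeLock` with `JSON.parse(fs.readFileSync("docs/site/package-lock.json"))`; `npm ls ws` gives the same tree view by hand. The last line reports the 7.5.10 copy under `webpack-bundle-analyzer` as not matching a flat `ws` pin, which is exactly why #21691 scopes the `ws` override to `webpack-dev-server` instead of pinning every copy.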