docs/site, tracetest: fix Dependabot npm alerts (uuid, ws)#21691
Conversation
Bumps two transitive npm deps flagged by Dependabot, via npm overrides (same approach as #21168):
- uuid 8.3.2 -> 11.1.1 in docs/site (sockjs) — CVE-2026-41907 / GHSA-w5hq-g745-h8pq, missing buffer bounds check in v3/v5/v6.
- ws -> 8.21.0 in docs/site (webpack-dev-server) and testgenerator (ethers) — CVE-2026-45736 / GHSA-58qx-3vcg-4xpx, uninitialized memory disclosure (vulnerable >= 8.0.0, < 8.20.1).

Overrides are scoped to the vulnerable consumers, leaving the non-vulnerable siblings untouched: ws@7.5.10 (webpack-bundle-analyzer) and uuid@14 (mermaid).
Pull request overview
This PR addresses three medium Dependabot alerts by updating vulnerable transitive npm dependencies (uuid, ws) via npm overrides, aligning with the existing approach used in the repo for transitive dependency remediation.
Changes:
- Add an npm `overrides` entry in `tracetest/testgenerator` to force `ws` to a non-vulnerable version.
- Add scoped npm `overrides` in `docs/site` to bump `uuid` (via `sockjs`) and `ws` (via `webpack-dev-server`) without affecting non-vulnerable sibling copies.
- Update both corresponding `package-lock.json` files to reflect the resolved secure versions (`uuid@11.1.1`, `ws@8.21.0`).
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| execution/tracing/tracers/internal/tracetest/testgenerator/package.json | Adds overrides to bump ws for the ethers dependency chain. |
| execution/tracing/tracers/internal/tracetest/testgenerator/package-lock.json | Updates resolved ws version to 8.21.0 in the lockfile. |
| docs/site/package.json | Adds scoped overrides to bump uuid (via sockjs) and ws (via webpack-dev-server). |
| docs/site/package-lock.json | Updates resolved uuid to 11.1.1 and webpack-dev-server’s ws to 8.21.0, leaving other copies intact. |
Files not reviewed (2)
- docs/site/package-lock.json: Language not supported
- execution/tracing/tracers/internal/tracetest/testgenerator/package-lock.json: Language not supported
Giulio2002
left a comment
LGTM — straightforward dependency override/lockfile bump to address Dependabot npm alerts for uuid and ws.
Giulio2002
left a comment
LGTM — small, obviously safe test-only/test-heavy change
bloxster
left a comment
Smoke-tested locally (clean npm ci + dev server). The fix is correct: scoping is complete (uuid@8 only via sockjs; ws@7.5.10 correctly left alone), and after install the dev server compiles/serves cleanly. Loaded sockjs's actual require('uuid').v4 call site — works under uuid@11, so the 3-major jump is runtime-safe.
One heads-up: npm ci no longer reports 0 vulns — there's now 1 critical (shell-quote ≤1.8.3 via launch-editor), a new advisory. Not a regression here, and already covered by #21705. Landing both together gets docs/site back to 0. 👍
Summary
Fixes all 3 open Dependabot alerts (3 medium) — two transitive npm deps across two lockfiles. Both are fixed with npm `overrides`, the same approach as #21168.

| Package | Via | Location |
|---|---|---|
| `uuid` | `sockjs` | `docs/site` |
| `ws` | `webpack-dev-server` | `docs/site` |
| `ws` | `ethers` | `execution/tracing/tracers/internal/tracetest/testgenerator` |

- `uuid` < 11.1.1 — CVE-2026-41907 / GHSA-w5hq-g745-h8pq (medium): missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided.
- `ws` >= 8.0.0, < 8.20.1 — CVE-2026-45736 / GHSA-58qx-3vcg-4xpx (medium): uninitialized memory disclosure.

The overrides are scoped to the vulnerable consumers, so the non-vulnerable sibling copies in `docs/site` are left untouched: `ws@7.5.10` (webpack-bundle-analyzer, which needs `^7`) and `uuid@14.0.0` (mermaid).

Test plan

`docs/site` (mirrors the Docs Site Build CI workflow; run on Node 24):
- `npm ci` — clean, lockfile in sync with `package.json`, 0 vulnerabilities
- `npm run typecheck` — passes
- `npm run build` — succeeds

`testgenerator`:
- `npm ci` — 0 vulnerabilities
- `npm run build` (tsc) — passes
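As an added example, not code from this PR or its repository, the scoping check bloxster did by hand (override fixes the copy under the vulnerable consumer, siblings stay put) can be reproduced offline against a lockfile. The Node script below reads the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), lists every installed copy of `uuid` and `ws` with the package it is nested under, flags the copies inside the advisory ranges quoted in the summary, and diffs a before/after pair of lockfiles so only the intended copies show as changed. The two lockfiles in the script are constructed, trimmed samples; the `ADVISORIES`, `findCopies`, `auditLock` and `diffCopies` names, the tree placement of the sibling copies, and the placeholder pre-bump `ws@8.18.0` under `webpack-dev-server` are assumptions of this example, not facts from the page.

```javascript
// Added example, not code from this PR or its repository: audit a package-lock.json
// (lockfileVersion 2 or 3, which keys every installed copy under lock.packages by its
// node_modules path) for each copy of a package and flag the copies whose version falls
// in an advisory's vulnerable range. That is the check the review does by hand: the
// override must fix the copy under the vulnerable consumer and leave siblings alone.

// Advisory ranges as stated in the PR summary. Semantics: introduced <= version < fixed.
const ADVISORIES = [
  { name: "uuid", id: "GHSA-w5hq-g745-h8pq", introduced: "0.0.0", fixed: "11.1.1" },
  { name: "ws", id: "GHSA-58qx-3vcg-4xpx", introduced: "8.0.0", fixed: "8.20.1" },
];

// Constructed, trimmed lockfiles for docs/site, not the real ones. Versions follow the
// PR (uuid 8.3.2 -> 11.1.1 under sockjs, ws -> 8.21.0 under webpack-dev-server,
// siblings ws@7.5.10 and uuid@14.0.0 untouched); where the siblings sit in the tree is
// invented for the sample. The PR does not name the pre-bump ws version under
// webpack-dev-server; 8.18.0 is a placeholder inside the vulnerable range.
const BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-site-sample" },
    "node_modules/uuid": { version: "14.0.0" },
    "node_modules/sockjs/node_modules/uuid": { version: "8.3.2" },
    "node_modules/ws": { version: "7.5.10" },
    "node_modules/webpack-dev-server/node_modules/ws": { version: "8.18.0" },
  },
};
const AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-site-sample" },
    "node_modules/uuid": { version: "14.0.0" },
    "node_modules/sockjs/node_modules/uuid": { version: "11.1.1" },
    "node_modules/ws": { version: "7.5.10" },
    "node_modules/webpack-dev-server/node_modules/ws": { version: "8.21.0" },
  },
};

// Numeric compare of the x.y.z core; prerelease/build suffixes are ignored, which is
// enough for the plain release versions in these advisories.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version, adv) {
  return compareVersions(version, adv.introduced) >= 0 && compareVersions(version, adv.fixed) < 0;
}

// Every installed copy of `name`, with the package it is nested under ("<root>" if hoisted).
function findCopies(lock, name) {
  const suffix = "node_modules/" + name;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    const parentPath = path.slice(0, path.length - suffix.length).replace(/\/$/, "");
    const parent = parentPath === "" ? "<root>" : parentPath.split("node_modules/").pop();
    copies.push({ name, path, parent, version: entry.version });
  }
  return copies;
}

// Flag each copy of each advised package; after a correctly scoped override only the
// copies outside the vulnerable range should remain.
function auditLock(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const copy of findCopies(lock, adv.name)) {
      findings.push({ ...copy, id: adv.id, vulnerable: isVulnerable(copy.version, adv) });
    }
  }
  return findings;
}

// Which copies changed version between two lockfiles and which stayed put, to confirm
// the override touched only the intended consumers.
function diffCopies(before, after, names) {
  const changed = [];
  const unchanged = [];
  for (const name of names) {
    const prior = new Map(findCopies(before, name).map((c) => [c.path, c.version]));
    for (const copy of findCopies(after, name)) {
      const from = prior.get(copy.path);
      (from === copy.version ? unchanged : changed).push({ ...copy, from });
    }
  }
  return { changed, unchanged };
}

function report(label, lock) {
  for (const f of auditLock(lock, ADVISORIES)) {
    const status = f.vulnerable ? `VULNERABLE (${f.id})` : "ok";
    console.log(`${label}: ${f.name}@${f.version} under ${f.parent}: ${status}`);
  }
}

report("before", BEFORE);
report("after", AFTER);
for (const c of diffCopies(BEFORE, AFTER, ["uuid", "ws"]).changed) {
  console.log(`changed: ${c.name} under ${c.parent}: ${c.from} -> ${c.version}`);
}
```

To run this against real lockfiles, replace `BEFORE` and `AFTER` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` from the commits before and after the bump. The range check deliberately ignores prerelease tags, so a `-beta` or `-rc` copy needs a manual look; and because the script only reads the lockfile, it complements rather than replaces `npm ci`/`npm audit`, which also see advisories published after the lockfile was written (the shell-quote alert bloxster mentions is exactly that case).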