[tests] Chore: Update yaml-language-server in lexical-esm-astro-react integration fixture#8163

Merged
etrepum merged 2 commits into main from fix/cookie-vulnerability, Feb 23, 2026

Conversation

@PikkaPikkachu (Contributor)

Test plan

  • Verified lodash is completely absent from the updated pnpm-lock.yaml
  • Verified astro check runs successfully with the overridden yaml-language-server@1.20.0
  • CI integration tests pass (pnpm run test-integration)

Override yaml-language-server to >=1.20.0, which dropped its lodash dependency entirely, removing the vulnerable lodash (<= 4.17.22) from the dependency tree.
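The two lockfile checks in the test plan above can be scripted. The following is an added example (not code from this PR or from the Lexical repository) that scans a constructed pnpm-lock.yaml excerpt for any lodash at or below the vulnerable range and confirms yaml-language-server resolved at or above the override floor; the sample lockfile, its integrity placeholders and the `audit_lockfile` policy shape are assumptions, while the package names and version bounds come from the PR description.

```python
import re

# Constructed sample in the shape of a pnpm-lock.yaml (lockfileVersion 9);
# it is not the Lexical repository's real lockfile.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
overrides:
  yaml-language-server: '>=1.20.0'
packages:
  '@astrojs/check@0.9.4':
    resolution: {integrity: sha512-constructed}
  yaml-language-server@1.20.0:
    resolution: {integrity: sha512-constructed}
"""

# Package keys pnpm writes under `packages:` ('name@1.2.3:' in lockfile v9,
# '/name@1.2.3:' in v6), optionally quoted; scoped names and peer suffixes included.
_PKG_KEY = re.compile(r"^  '?/?(?P<name>@?[^@'\s]+)@(?P<ver>[^'(:\s]+)")

def parse_packages(lock_text):
    """Return {package name: {resolved versions}} from the packages: section."""
    found, in_packages = {}, False
    for line in lock_text.splitlines():
        if line.strip() and not line.startswith(" "):  # top-level key ends section
            in_packages = line.startswith("packages:")
            continue
        m = _PKG_KEY.match(line) if in_packages else None
        if m:
            found.setdefault(m["name"], set()).add(m["ver"])
    return found

def version_key(version):
    """Numeric prefix of a version for ordering: '4.17.21' -> (4, 17, 21)."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def audit_lockfile(lock_text, banned_upto, required_min):
    """List violations: banned packages at <= cutoff, required ones missing/too old."""
    pkgs, problems = parse_packages(lock_text), []
    for name, cutoff in banned_upto.items():
        for ver in sorted(pkgs.get(name, ())):
            if version_key(ver) <= version_key(cutoff):
                problems.append(f"{name}@{ver} is vulnerable (<= {cutoff})")
    for name, floor in required_min.items():
        versions = pkgs.get(name, set())
        if not versions:
            problems.append(f"{name} missing from lockfile")
        for ver in sorted(versions):
            if version_key(ver) < version_key(floor):
                problems.append(f"{name}@{ver} is below required {floor}")
    return problems
```

Run it against the real lockfile by reading the file into `audit_lockfile` with `{"lodash": "4.17.22"}` and `{"yaml-language-server": "1.20.0"}`; an empty list is the passing result.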
@vercel

vercel bot commented Feb 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
lexical | Ready | Preview, Comment | Feb 23, 2026 3:27am
lexical-playground | Ready | Preview, Comment | Feb 23, 2026 3:27am

@meta-cla meta-cla bot added the CLA Signed label Feb 23, 2026
@etrepum (Collaborator) commented Feb 23, 2026

It’s not really a vulnerability in any practical sense, this code only runs in CI. Probably a more useful approach would be to update the dependencies to versions where an override isn’t necessary, in case this code ever makes it to the examples folder.

@etrepum etrepum changed the title from "[vul-fix] Fix lodash security vulnerability in astro-react integration fixture [1/n]" to "[tests] Chore: Update yaml-language-server in lexical-esm-astro-react integration fixture" Feb 23, 2026
@etrepum (Collaborator) commented Feb 23, 2026

Confirmed that @astrojs/check hasn't been updated yet so in the meantime this override is reasonable. Very low priority to worry about "vulnerabilities" in integration tests though.

@etrepum etrepum added this pull request to the merge queue Feb 23, 2026
Merged via the queue into main with commit cf707b6 Feb 23, 2026
42 checks passed
@PikkaPikkachu (Contributor, Author)

Thanks @etrepum for merging in! Makes sense to not update vulnerabilities in tests :)

Will be putting up some more PRs for more critical vulnerabilities this week!

@etrepum etrepum mentioned this pull request Feb 25, 2026

Labels: CLA Signed, extended-tests (Run extended e2e tests on a PR)
