
Fix critical npm dependency alerts #328

Closed
lancewillett wants to merge 1 commit into trunk from fix/critical-dependabot-alerts

Conversation

@lancewillett

Summary

  • Add targeted npm overrides for patched basic-ftp and handlebars releases.
  • Refresh package-lock.json so the current Dependabot critical alerts resolve to patched versions.
  • Leave the existing high, medium, and low alert backlog for a separate pass.

Validation

  • npm ci
  • npm ls handlebars basic-ftp --all
  • npm audit --audit-level=critical
  • npm run lint
  • npm run build
  • npm test
  • git diff --check

Notes

  • Dependabot alerts are now enabled for this repository.
  • Dependabot security updates remain disabled; this PR only addresses the critical alerts found after enabling alerts.
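
The "npm ls handlebars basic-ftp --all" step above checks that every copy of a package, including nested duplicates under another dependency's node_modules, resolved to a patched release after the overrides were applied. The following script is an added example, not code from this PR or from the Newspack project: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json and reports each installed path whose version is below a minimum you supply. The minimum versions and the lock excerpt are constructed placeholders, not the real newspack-network data.

```javascript
// Added example (not part of PR #328): report every installed copy of a package
// in a package-lock.json "packages" map that resolves below an expected minimum.
// The minimum versions and the lock excerpt are constructed placeholders.

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release suffix is ignored.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// Comparator: negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk every installed path in the lock. The package name is whatever follows
// the last "node_modules/", so nested duplicates (and scoped names) are covered.
function findUnpatched(lock, minimums) {
  const bad = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const min = minimums[name];
    if (min && entry.version && compareVersions(entry.version, min) < 0) {
      bad.push({ path, version: entry.version, minimum: min });
    }
  }
  return bad;
}

// Constructed lock excerpt: the hoisted handlebars is patched, but a copy nested
// under another package still resolves to an older release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project' },
    'node_modules/handlebars': { version: '4.9.9' },
    'node_modules/basic-ftp': { version: '5.9.9' },
    'node_modules/some-tool/node_modules/handlebars': { version: '4.0.0' },
  },
};
const minimums = { handlebars: '4.9.9', 'basic-ftp': '5.9.9' }; // placeholder minimums

console.log(findUnpatched(sampleLock, minimums)); // one nested handlebars entry
```

On a real checkout, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json')) and the placeholder minimums with the versions the Dependabot alerts name as fixed.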

@lancewillett lancewillett requested a review from a team as a code owner May 31, 2026 20:47
@github-actions

👋 Thanks for your interest in contributing to Newspack!

Newspack development has moved to a single monorepo: Automattic/newspack-workspace. This repository is now a read-only mirror, so we're automatically closing new pull requests here.

Please reopen your change against the monorepo – newspack-network now lives at plugins/newspack-network/ there. Thank you! 💙

@lancewillett lancewillett self-assigned this May 31, 2026
@github-actions github-actions Bot closed this May 31, 2026