From e654be5d433251f45f24534818614f8fa4beea27 Mon Sep 17 00:00:00 2001 From: Danil Mirgaev Date: Fri, 22 May 2026 20:11:27 +0400 Subject: [PATCH 1/2] Security: fix vulnerable dependencies and update Node version --- .github/workflows/health-check.yml | 7 ++++ package.json | 7 ++-- pnpm-lock.yaml | 53 ++++++++++-------------------- 3 files changed, 29 insertions(+), 38 deletions(-) diff --git a/.github/workflows/health-check.yml b/.github/workflows/health-check.yml index 7f9c7c0c5..1371872eb 100644 --- a/.github/workflows/health-check.yml +++ b/.github/workflows/health-check.yml @@ -13,3 +13,10 @@ jobs: invoke: name: Invoke uses: DevExpress/github-actions/.github/workflows/repository-check.yml@repository-check + with: + config: | + { + ignoredAdvisories: [ + 'GHSA-848j-6mx2-7j84', // elliptic + ] + } diff --git a/package.json b/package.json index c3e6170eb..205dce7dc 100644 --- a/package.json +++ b/package.json @@ -11,7 +11,7 @@ "url": "https://github.com/DevExpress/devextreme-exceljs-fork.git" }, "engines": { - "node": ">=18" + "node": "24.15.0" }, "main": "./dx-excel-fork.js", "browser": "./dist/dx-exceljs-fork.min.js", @@ -105,7 +105,7 @@ "@playwright/test": "^1.58.2", "@types/chai": "^4.2.12", "@types/mocha": "^8.0.3", - "@types/node": "^18.19.0", + "@types/node": "^24.12.4", "babelify": "^10.0.0", "browserify": "^16.5.2", "chai": "^4.3.7", @@ -153,7 +153,8 @@ "picomatch": "^2.3.2", "lodash": "~4.18.1", "@babel/plugin-transform-modules-systemjs": "^7.29.4", - "diff": "^8.0.3" + "diff": "^8.0.3", + "brace-expansion": "~5.0.6" } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index f63eda09e..027c85791 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -19,6 +19,7 @@ overrides: lodash: ~4.18.1 '@babel/plugin-transform-modules-systemjs': ^7.29.4 diff: ^8.0.3 + brace-expansion: ~5.0.6 importers: @@ -68,8 +69,8 @@ importers: specifier: ^8.0.3 version: 8.2.3 '@types/node': - specifier: ^18.19.0 - version: 18.19.130 + specifier: ^24.12.4 + version: 24.12.4 babelify: specifier: ^10.0.0 version: 10.0.0(@babel/core@7.29.0) @@ -801,8 +802,8 @@ packages: '@types/mocha@8.2.3': resolution: {integrity: sha512-ekGvFhFgrc2zYQoX4JeZPmVzZxw6Dtllga7iGHzfbYIYkAMUx/sAFP2GdFpLff+vdHXu5fl7WX9AT+TtqYcsyw==} - '@types/node@18.19.130': - resolution: {integrity: sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg==} + '@types/node@24.12.4': + resolution: {integrity: sha512-GUUEShf+PBCGW2KaXwcIt3Yk+e3pkKwWKb9GSyM9WQVE+ep2jzmHdGsHzu4wgcZy5fN9FBdVzjpBQsYlpfpgLA==} '@types/parse-json@4.0.2': resolution: {integrity: sha512-dISoDXWWQwUquiKsyZ4Ng+HX2KsPL7LyHKHQwgGFEA3IaKac4Obd+h2a/a6waisAoepJlBcx9paWqjA8/HVjCw==} @@ -1051,9 +1052,6 @@ packages: peerDependencies: '@babel/core': ^7.0.0 - balanced-match@1.0.2: - resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} - balanced-match@4.0.4: resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==} engines: {node: 18 || 20 || >=22} @@ -1130,11 +1128,8 @@ packages: boolify@1.0.1: resolution: {integrity: sha512-ma2q0Tc760dW54CdOyJjhrg/a54317o1zYADQJFgperNGKIKgAUGIcKnuMiff8z57+yGlrGNEt4lPgZfCgTJgA==} - brace-expansion@1.1.14: - resolution: {integrity: sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==} - - brace-expansion@5.0.5: - resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} + brace-expansion@5.0.6: + resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==} engines: {node: 18 || 20 || >=22} braces@3.0.3: @@ -1366,9 +1361,6 @@ packages: resolution: {integrity: sha512-6FqVXeETqWPoGcfzrXb37E50NP0LXT8kAMu5ooZayhWWdgEY4lBEEcbQNXtkuKQsGduxiIcI4gOTsxTmuq/bSg==} engines: {node: '>= 14'} - concat-map@0.0.1: - resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} - concat-stream@1.4.11: resolution: {integrity: sha512-X3JMh8+4je3U1cQpG87+f9lXHDrqcb2MVLg9L7o8b1UZ0DzhRrUpdn65ttzu10PpJPPI3MQNkis+oha6TSA9Mw==} engines: {'0': node >= 0.8} @@ -3615,8 +3607,8 @@ packages: underscore.string@3.3.6: resolution: {integrity: sha512-VoC83HWXmCrF6rgkyxS9GHv8W9Q5nhMKho+OadDJGzL2oDYbYEppBaCMH6pFlwLeqj2QS+hhkw2kpXkSdD1JxQ==} - undici-types@5.26.5: - resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==} + undici-types@7.16.0: + resolution: {integrity: sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==} unicode-canonical-property-names-ecmascript@2.0.1: resolution: {integrity: sha512-dA8WbNeb2a6oQzAQ55YlT5vQAWGV9WXOsi3SskE3bcCdM0P4SDd+24zS/OCacdRq5BkdsRj9q3Pg6YyQoxIGqg==} @@ -4606,7 +4598,7 @@ snapshots: dependencies: '@types/http-cache-semantics': 4.2.0 '@types/keyv': 3.1.4 - '@types/node': 18.19.130 + '@types/node': 24.12.4 '@types/responselike': 1.0.3 '@types/chai@4.3.20': {} @@ -4617,19 +4609,19 @@ snapshots: '@types/keyv@3.1.4': dependencies: - '@types/node': 18.19.130 + '@types/node': 24.12.4 '@types/mocha@8.2.3': {} - '@types/node@18.19.130': + '@types/node@24.12.4': dependencies: - undici-types: 5.26.5 + undici-types: 7.16.0 '@types/parse-json@4.0.2': {} '@types/responselike@1.0.3': dependencies: - '@types/node': 18.19.130 + '@types/node': 24.12.4 '@typescript-eslint/parser@6.21.0(eslint@8.57.1)(typescript@5.9.3)': dependencies: @@ -4903,8 +4895,6 @@ snapshots: dependencies: '@babel/core': 7.29.0 - balanced-match@1.0.2: {} - balanced-match@4.0.4: {} bare-events@2.8.2: {} @@ -4977,12 +4967,7 @@ snapshots: boolify@1.0.1: {} - brace-expansion@1.1.14: - dependencies: - balanced-match: 1.0.2 - concat-map: 0.0.1 - - brace-expansion@5.0.5: + brace-expansion@5.0.6: dependencies: balanced-match: 4.0.4 @@ -5367,8 +5352,6 @@ snapshots: normalize-path: 3.0.0 readable-stream: 4.7.0 - concat-map@0.0.1: {} - concat-stream@1.4.11: dependencies: inherits: 2.0.4 @@ -6873,11 +6856,11 @@ snapshots: minimatch@10.2.5: dependencies: - brace-expansion: 5.0.5 + brace-expansion: 5.0.6 minimatch@3.1.5: dependencies: - brace-expansion: 1.1.14 + brace-expansion: 5.0.6 minimist@1.2.8: {} @@ -7939,7 +7922,7 @@ snapshots: sprintf-js: 1.1.3 util-deprecate: 1.0.2 - undici-types@5.26.5: {} + undici-types@7.16.0: {} unicode-canonical-property-names-ecmascript@2.0.1: {} From 5f032ada404c0f4bf1476f39b82feb8bfebc4510 Mon Sep 17 00:00:00 2001 From: Alex Lavrov <36633600+alexslavr@users.noreply.github.com> Date: Mon, 25 May 2026 12:13:45 +0400 Subject: [PATCH 2/2] Update brace-expansion without overrides --- package.json | 3 +-- pnpm-lock.yaml | 21 +++++++++++++++++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index 205dce7dc..64b43266b 100644 --- a/package.json +++ b/package.json @@ -153,8 +153,7 @@ "picomatch": "^2.3.2", "lodash": "~4.18.1", "@babel/plugin-transform-modules-systemjs": "^7.29.4", - "diff": "^8.0.3", - "brace-expansion": "~5.0.6" + "diff": "^8.0.3" } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 027c85791..72b838a5b 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -19,7 +19,6 @@ overrides: lodash: ~4.18.1 '@babel/plugin-transform-modules-systemjs': ^7.29.4 diff: ^8.0.3 - brace-expansion: ~5.0.6 importers: @@ -1052,6 +1051,9 @@ packages: peerDependencies: '@babel/core': ^7.0.0 + balanced-match@1.0.2: + resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} + balanced-match@4.0.4: resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==} engines: {node: 18 || 20 || >=22} @@ -1128,6 +1130,9 @@ packages: boolify@1.0.1: resolution: {integrity: sha512-ma2q0Tc760dW54CdOyJjhrg/a54317o1zYADQJFgperNGKIKgAUGIcKnuMiff8z57+yGlrGNEt4lPgZfCgTJgA==} + brace-expansion@1.1.14: + resolution: {integrity: sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==} + brace-expansion@5.0.6: resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==} engines: {node: 18 || 20 || >=22} @@ -1361,6 +1366,9 @@ packages: resolution: {integrity: sha512-6FqVXeETqWPoGcfzrXb37E50NP0LXT8kAMu5ooZayhWWdgEY4lBEEcbQNXtkuKQsGduxiIcI4gOTsxTmuq/bSg==} engines: {node: '>= 14'} + concat-map@0.0.1: + resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} + concat-stream@1.4.11: resolution: {integrity: sha512-X3JMh8+4je3U1cQpG87+f9lXHDrqcb2MVLg9L7o8b1UZ0DzhRrUpdn65ttzu10PpJPPI3MQNkis+oha6TSA9Mw==} engines: {'0': node >= 0.8} @@ -4895,6 +4903,8 @@ snapshots: dependencies: '@babel/core': 7.29.0 + balanced-match@1.0.2: {} + balanced-match@4.0.4: {} bare-events@2.8.2: {} @@ -4967,6 +4977,11 @@ snapshots: boolify@1.0.1: {} + brace-expansion@1.1.14: + dependencies: + balanced-match: 1.0.2 + concat-map: 0.0.1 + brace-expansion@5.0.6: dependencies: balanced-match: 4.0.4 @@ -5352,6 +5367,8 @@ snapshots: normalize-path: 3.0.0 readable-stream: 4.7.0 + concat-map@0.0.1: {} + concat-stream@1.4.11: dependencies: inherits: 2.0.4 @@ -6860,7 +6877,7 @@ snapshots: minimatch@3.1.5: dependencies: - brace-expansion: 5.0.6 + brace-expansion: 1.1.14 minimist@1.2.8: {}