Fix Dependabot security alerts for trix, playwright, and brace-expansion #2142
Open
Conversation
- Upgrade trix 2.1.17 → 2.1.18 (XSS via drag-and-drop deserialization)
- Upgrade playwright 1.45.0 → 1.55.1 (SSL certificate verification)
- Add resolution for brace-expansion ^2.0.3 (ReDoS process hang)
- Dismiss mjml directory traversal alert as tolerable risk (no patch available, mj-include not used in this project)
Member
In the past when bumping playwright we also needed to update capybara-playwright-driver to mitigate system test failures.
The playwright npm package bump to 1.55.1 broke system tests with "timeout: expected float, got undefined" errors. Updating the capybara-playwright-driver gem (0.5.6 → 0.5.9) and its dependency playwright-ruby-client (1.51.0 → 1.58.1) fixes the compatibility. Hat tip to Jim for flagging this.
Contributor
Author
Good call! Bumped capybara-playwright-driver (0.5.6 → 0.5.9) and playwright-ruby-client (1.51.0 → 1.58.1) in 647c549. The system tests were hitting
The minimum_start_distance test used bare 4.days.from_now which includes the current time-of-day, causing the day count to wobble across the policy boundary depending on when CI runs. Pinning to beginning_of_day makes the comparison deterministic, matching the pattern already used in the maximum_duration test above.
What it does
Sweeps through the open Dependabot security alerts and closes out the ones we can fix right now. Three packages get version bumps: trix (XSS fix), playwright (SSL certificate verification), and brace-expansion (ReDoS hang). The fourth alert — an mjml directory traversal — has been dismissed as tolerable risk since there's no patch available and we don't use the affected mj-include feature.
Why it is important
These are security advisories flagged by Dependabot. The trix and playwright fixes address a low-severity XSS and a high-severity SSL verification bypass respectively. The brace-expansion fix prevents a moderate-severity denial of service via crafted input. Getting these merged clears the security dashboard down to zero actionable alerts.
UI Change Screenshot
No UI changes.
Implementation notes
The brace-expansion vulnerability lives deep in the transitive dependency chain (mjml → mjml-cli → minimatch → brace-expansion), so we used a yarn resolutions entry to force it to ^2.0.3 rather than waiting on upstream to update. The playwright bump is a bigger jump (1.45.0 → 1.55.1) since it's a pinned dev dependency — system tests use it via capybara-playwright-driver which should be compatible with the newer version. The mjml alert (CVE-2025-67898) was dismissed on GitHub with a note explaining the rationale — no fix exists in the 4.x line, and 5.x is still in beta.
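A yarn resolutions entry only helps if yarn.lock was actually regenerated so that every copy of the transitive package now resolves to the forced range. The script below is an added example, not code from this PR or the project: it parses a yarn.lock (v1 format) and checks each resolved copy of brace-expansion against the ^2.0.3 range from the resolutions field. The two lockfile snippets and the PACKAGE_JSON object are constructed for the demo; only the package name and range come from the PR. The caret-range check is a minimal hand-written one (no semver dependency), and reading a real lockfile from disk is left to the caller.

```javascript
// Added example (not from the PR or project): audit a yarn.lock v1 file to
// confirm a `resolutions` entry actually took effect for every resolved copy.

// Constructed package.json fragment; the range matches the PR's resolution.
const PACKAGE_JSON = { resolutions: { 'brace-expansion': '^2.0.3' } };

// Constructed lockfile excerpt BEFORE the resolution was applied:
// two separate copies of brace-expansion, neither in the ^2.0.3 range.
const LOCK_BEFORE = `
# yarn lockfile v1

"@babel/code-frame@^7.0.0":
  version "7.24.2"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.24.2.tgz"

brace-expansion@^1.1.7:
  version "1.1.11"
  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz"
  dependencies:
    balanced-match "^1.0.0"
    concat-map "0.0.1"

brace-expansion@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-2.0.1.tgz"
  dependencies:
    balanced-match "^1.0.0"
`;

// Constructed lockfile excerpt AFTER `yarn install` with the resolution:
// yarn collapses every requested spec onto the single forced version.
const LOCK_AFTER = `
# yarn lockfile v1

brace-expansion@^1.1.7, brace-expansion@^2.0.1, brace-expansion@^2.0.3:
  version "2.0.3"
  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-2.0.3.tgz"
  dependencies:
    balanced-match "^1.0.0"
`;

// Parse yarn.lock v1 text into [{ name, specs, version }], one per entry block.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Header line, e.g. "@scope/pkg@^1.0.0", pkg@^2.0.1:
      const specs = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      // Package name is everything before the last '@' (scoped names start with '@').
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { name, specs, version: null };
      entries.push(current);
    } else if (current && /^\s+version\s/.test(line)) {
      current.version = line.trim().split(/\s+/)[1].replace(/^"|"$/g, '');
    }
  }
  return entries;
}

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Minimal caret semantics: same major (and same minor when major is 0),
// and version >= the range's base version.
function satisfiesCaret(version, range) {
  const base = parseSemver(range.replace(/^\^/, ''));
  const v = parseSemver(version);
  if (v[0] !== base[0]) return false;
  if (base[0] === 0 && v[1] !== base[1]) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] > base[i]) return true;
    if (v[i] < base[i]) return false;
  }
  return true;
}

// Every resolved copy of `name` in the lockfile, with whether it meets `range`.
function auditResolution(lockText, name, range) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === name)
    .map((e) => ({ specs: e.specs, version: e.version, ok: satisfiesCaret(e.version, range) }));
}

// All lockfile entries that violate any resolutions entry in package.json.
function findViolations(lockText, packageJson) {
  const violations = [];
  for (const [name, range] of Object.entries(packageJson.resolutions || {})) {
    for (const r of auditResolution(lockText, name, range)) {
      if (!r.ok) violations.push({ name, range, ...r });
    }
  }
  return violations;
}

console.log('before:', JSON.stringify(findViolations(LOCK_BEFORE, PACKAGE_JSON)));
console.log('after: ', JSON.stringify(findViolations(LOCK_AFTER, PACKAGE_JSON)));
```

Run against the real lockfile by passing its contents to findViolations; a non-empty result means a transitive copy still resolves outside the forced range, which is the case worth failing CI on.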