fix(deps): resolve all Dependabot security alerts#253
Merged
Conversation
Upgrade transitive dependencies to patched versions via `npm audit fix` and add an override to force handlebars >= 4.7.9 (grpc_tools_node_protoc_ts pins handlebars 4.7.7 exactly).

Resolves the following Dependabot alerts:

- protobufjs <=7.5.7 (critical: GHSA-xq3m-2v4x-88gg, GHSA-66ff-xgx4-vchm, GHSA-2pr8-phx7-x9h3, GHSA-fx83-v9x8-x52w, GHSA-75px-5xx7-5xc7, GHSA-jvwf-75h9-cwgg, GHSA-685m-2w69-288q, GHSA-q6x5-8v7m-xcrf, GHSA-jggg-4jg4-v7c6) -> 7.6.0
- @protobufjs/utf8 <=1.1.0 -> 1.1.1
- fast-xml-parser <=5.6.0 (GHSA-8gc5-j5rx-235r, GHSA-jp2q-39xq-3w4g, GHSA-gh4j-gqv2-49f6) -> 5.8.0
- fast-xml-builder <=1.1.6 (GHSA-5wm8-gmm8-39j9) -> 1.2.0
- flatted <=3.4.1 (GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh) -> 3.4.2
- handlebars 4.0.0-4.7.8 (8 advisories incl. GHSA-3mfm-83xf-c92r, GHSA-2w6w-674q-4c4q critical) -> 4.7.9 (via overrides)
- picomatch <=2.3.1 and 4.0.0-4.0.3 (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj) -> 2.3.2 / 4.0.4
- brace-expansion <1.1.13 / 2.0.0-2.0.2 (GHSA-f886-m6hf-6m8v) -> 1.1.14 / 2.1.0
- yaml 2.0.0-2.8.2 (GHSA-48c2-rrv3-qjmp) -> 2.9.0

`npm audit` now reports 0 vulnerabilities. All 1033 unit tests pass; build succeeds across all workspaces.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
YunchuWang
approved these changes
May 20, 2026
Resolves all open Dependabot alerts at https://github.com/microsoft/durabletask-js/security/dependabot.
Changes

- `npm audit fix` to upgrade transitive dependencies to patched versions.
- `overrides` entry to force `handlebars >= 4.7.9` since `grpc_tools_node_protoc_ts@5.3.3` pins `handlebars` to an exact `4.7.7` (vulnerable). Upgrading `grpc_tools_node_protoc_ts` itself would be a major breaking change (5.x → 2.x per `npm audit fix --force`), so the override is the safer fix.

Resolved alerts

Validation

- `npm audit` → 0 vulnerabilities
- `npm run build` → all workspaces build successfully
- `npm run test:unit` → 1033/1033 tests pass across all three packages

No source code changes were required; this is purely a dependency update.
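As an added example (not code from the durabletask-js PR or project): a small Node script that adds the kind of `overrides` entry the PR describes to a package.json object and then checks a lockfileVersion 3 package-lock.json for any copy of a package that still resolves below a minimum version. `npm audit` reporting 0 is the headline check; this walk confirms that the nested copy under the pinning parent actually disappeared. The two lock objects are constructed inline to mimic a nested handlebars 4.7.7 under grpc_tools_node_protoc_ts before the override and a single hoisted 4.7.9 after it; `findBelow`, `addOverride` and `compareVersions` are names chosen for this example. `overrides` is honoured by npm 8.3 and later; the version comparison ignores pre-release tags, which is sufficient for the 4.7.x case.

```javascript
// Added example (not from the durabletask-js PR): verify that no copy of a
// package below a minimum version survives in a package-lock.json once an
// `overrides` entry has been applied. All input below is constructed inline.

// Compare dotted numeric versions. Pre-release tags are ignored (assumption of
// this example; enough for handlebars 4.7.7 vs 4.7.9).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk a lockfileVersion 3 "packages" map and return every install path whose
// package name is `name` and whose version is below `minVersion`. Nested copies
// (node_modules/<parent>/node_modules/<name>) are exactly the ones that survive
// `npm audit fix` when the parent pins an exact version.
function findBelow(lock, name, minVersion) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue;
    // The package name is everything after the last "node_modules/" segment,
    // which also handles scoped names such as @protobufjs/utf8.
    if (path.split('node_modules/').pop() !== name) continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Add (or tighten) an overrides entry in a package.json object without
// mutating the input.
function addOverride(pkg, name, range) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: range } };
}

// Constructed lock before the override: the parent carries its own nested
// handlebars 4.7.7, so the top-level tree never sees the patched version.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', version: '1.0.0' },
    'node_modules/grpc_tools_node_protoc_ts': {
      version: '5.3.3',
      dependencies: { handlebars: '4.7.7' },
    },
    'node_modules/grpc_tools_node_protoc_ts/node_modules/handlebars': { version: '4.7.7' },
  },
};

// Constructed lock after reinstalling with the override: one hoisted copy only.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', version: '1.0.0' },
    'node_modules/grpc_tools_node_protoc_ts': {
      version: '5.3.3',
      dependencies: { handlebars: '4.7.7' },
    },
    'node_modules/handlebars': { version: '4.7.9' },
  },
};

const pkg = addOverride({ name: 'example', version: '1.0.0' }, 'handlebars', '>=4.7.9');
console.log(JSON.stringify(pkg.overrides));                 // {"handlebars":">=4.7.9"}
console.log(findBelow(lockBefore, 'handlebars', '4.7.9'));  // one nested 4.7.7 hit
console.log(findBelow(lockAfter, 'handlebars', '4.7.9'));   // []
```

To run it against a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and call `findBelow` once per package in the alert list; any non-empty result means a pinned parent is still shadowing the override and needs its own entry or an upgrade.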