
fix(deps): lock undici to fix 3 high and 4 medium vulnerabilities#1805

Open
guoda-puidokaite wants to merge 1 commit into main from guoda-lock-undici

Conversation

@guoda-puidokaite

@guoda-puidokaite guoda-puidokaite commented Jul 3, 2026

Contributor

Summary

  • Fixed 3 high and 4 medium vulnerabilities from 1 package (jsdom).
  • No upgrade for jsdom (devDependency last published 2 months ago).
  • Locked undici transitive dependency causing the issue.

Related Issues

Checklist

  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have made corresponding changes to the documentation (if applicable).
  • My changes generate no new warnings or errors.
  • I have created a changeset for my changes.

PR Manifesto

Review the PR Manifesto for best practices.

Signed-off-by: I531348 <guoda.puidokaite@sap.com>
@guoda-puidokaite guoda-puidokaite self-assigned this Jul 3, 2026
Copilot AI review requested due to automatic review settings July 3, 2026 07:03
@guoda-puidokaite guoda-puidokaite requested a review from a team as a code owner July 3, 2026 07:03
@changeset-bot

changeset-bot Bot commented Jul 3, 2026


⚠️ No Changeset found

Latest commit: f2e54c3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copilot AI left a comment

Contributor


Pull request overview

This PR aims to remediate reported jsdom-related vulnerabilities by forcing a safer undici version via pnpm overrides, and updating the lockfile to reflect the new resolution.

Changes:

  • Added a pnpm override for undici in the root package.json.
  • Updated pnpm-lock.yaml to resolve undici to 8.6.0 (and associated dependency graph adjustments).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.

File            Description
package.json    Adds a pnpm override intended to pin/raise undici to address transitive vulnerabilities.
pnpm-lock.yaml  Applies the override in the resolved dependency graph, updating undici and other affected resolutions.
Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

Comment thread package.json
"shell-quote": ">=1.8.4",
"esbuild": ">=0.28.1"
"esbuild": ">=0.28.1",
"undici": ">=8.6.0"
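Review bot: the new override `"undici": ">=8.6.0"` is a floor, not a lock, so despite the PR title ("lock undici") future resolutions can float to any newer undici release, including a new major; if the intent is to pin, use an exact version (`"undici": "8.6.0"`), otherwise adjust the title and summary to say the version is raised rather than locked. Since undici is a transitive dependency of jsdom (per the PR description), also confirm that the forced version still satisfies the range jsdom declares and that the jsdom-based tests pass with it.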
Comment thread pnpm-lock.yaml
fast-uri: '>=3.1.2'
shell-quote: '>=1.8.4'
esbuild: '>=0.28.1'
undici: '>=8.6.0'
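Review bot: the `undici: '>=8.6.0'` entry in the lockfile's overrides list mirrors the package.json override, which is what pnpm expects; make sure this section was produced by re-running `pnpm install` rather than by hand, since `pnpm install --frozen-lockfile` in CI fails when the lockfile's overrides block drifts from package.json.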
Comment thread pnpm-lock.yaml
Comment on lines +6883 to +6885
undici@8.6.0:
resolution: {integrity: sha512-l2FlC6I510GawyEd1qgcE/okihKrzy+BRTEBlu6T0fdbM9m5yxtIH5Oa3ysRsH0zC4EhmWUEaSDsy2QngBeRlw==}
engines: {node: '>=22.19.0'}
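Review bot: the forced `undici@8.6.0` declares `engines: {node: '>=22.19.0'}`, so the override raises the effective Node baseline of the project; confirm the repository's CI matrix, `.nvmrc`/`engines` field and developer setup all run Node 22.19.0 or newer, otherwise installs will emit engine warnings or fail outright where `engine-strict` is enabled.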
Comment thread pnpm-lock.yaml
Comment on lines 752 to +754
eslint-plugin-prettier:
specifier: 5.5.6
version: 5.5.6(eslint-config-prettier@10.1.8(eslint@10.3.0(jiti@2.7.0)))(eslint@10.3.0(jiti@2.7.0))(prettier@3.8.3)
version: 5.5.6(eslint-config-prettier@10.1.8(eslint@10.3.0(jiti@2.7.0)))(eslint@10.3.0(jiti@2.7.0))(prettier@3.8.4)
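Review bot: the resolved version of `eslint-plugin-prettier` now points at `prettier@3.8.4` instead of `prettier@3.8.3`, a change unrelated to undici that the PR summary does not mention; either note it in the summary as incidental re-resolution from regenerating the lockfile, or regenerate with the existing prettier resolution kept so the diff stays scoped to the undici fix.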