Skip to content

Bump npm dependencies for security alerts#18518

Closed
IEvangelist wants to merge 5 commits into
mainfrom
dapine/security/bump-npm-deps-multi
Closed

Bump npm dependencies for security alerts#18518
IEvangelist wants to merge 5 commits into
mainfrom
dapine/security/bump-npm-deps-multi

Conversation

@IEvangelist

Copy link
Copy Markdown
Member

Addresses the open npm security alerts in the touched Aspire manifests by bumping the affected dependency graph to patched releases.

Changed areas:

  • extension package/resolution updates
  • playground/AspireWithJavaScript/AspireJavaScript.Angular package + lockfile updates
  • tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests package + lockfile updates

Validation:

  • extension tests passed (yarn test)
  • codegen TypeScript tests passed (pnpm test)
  • Angular sample build still fails on an existing @angular/common/http resolution error unrelated to the dependency bump

Copilot AI review requested due to automatic review settings June 26, 2026 11:14
@IEvangelist IEvangelist requested a review from adamint as a code owner June 26, 2026 11:14
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18518

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18518"

@github-actions

This comment has been minimized.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR bumps several npm dependency graphs to patched releases in order to resolve open npm security alerts across three areas of the repo. The changes are concentrated in dependency manifests and their generated lockfiles; no product/runtime source code is modified.

Changes:

  • Extension: bumps ws to 8.21.0 and pins @nevware21/ts-utils, fast-uri, qs, ws via resolutions, with matching yarn.lock updates.
  • Angular playground: adds hono/ws pins to overrides (note: its package-lock.json is not included in the PR).
  • Codegen TypeScript tests: major bump of vitest ^3.2.1 → ^4.1.0, regenerating package-lock.json (pulls in vite 8, rolldown replacing rollup, chai 6, etc.).

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
extension/package.json Bumps ws to 8.21.0 and adds @nevware21/ts-utils, fast-uri, qs, ws resolutions for security pins.
extension/yarn.lock Consolidates/updates @nevware21/ts-utils, fast-uri, qs, ws lock entries to the pinned versions (dnceng feed).
playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json Adds hono/ws to overrides; corresponding package-lock.json regeneration is missing from the PR.
tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package.json Major bump of vitest to ^4.1.0.
tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package-lock.json Regenerated lockfile for the vitest 4 / vite 8 / rolldown dependency tree.
Files not reviewed (1)
  • tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package-lock.json: Generated file

Comment on lines +50 to +51
"hono": "4.12.21",
"ws": "8.21.0"
@radical radical requested a review from sebastienros June 26, 2026 23:09
@radical radical added the dependencies Pull requests that update a dependency file label Jun 26, 2026
@IEvangelist IEvangelist force-pushed the dapine/security/bump-npm-deps-multi branch from 038dae5 to e6c262f Compare July 1, 2026 11:08
Copilot AI review requested due to automatic review settings July 1, 2026 11:08
@github-actions

This comment has been minimized.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

Comment on lines +18 to +25
"@angular/animations": "^21.2.17",
"@angular/common": "^21.2.17",
"@angular/compiler": "^21.2.17",
"@angular/core": "^21.2.17",
"@angular/forms": "^21.2.17",
"@angular/platform-browser": "^21.2.17",
"@angular/platform-browser-dynamic": "^21.2.17",
"@angular/router": "^21.2.17",
@github-actions

This comment has been minimized.

@adamint adamint left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found one supply-chain issue and am checking whether I can push the focused fix.

Comment thread playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json Outdated
Copilot AI review requested due to automatic review settings July 1, 2026 23:19
@github-actions

This comment has been minimized.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review details

  • Files reviewed: 2/3 changed files
  • Comments generated: 0 new
  • Review effort level: Medium

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@IEvangelist IEvangelist force-pushed the dapine/security/bump-npm-deps-multi branch from fbd5a79 to 41704b8 Compare July 3, 2026 11:15
@github-actions

This comment has been minimized.

Copilot AI review requested due to automatic review settings July 5, 2026 11:05
@IEvangelist IEvangelist force-pushed the dapine/security/bump-npm-deps-multi branch from 41704b8 to 4cd6149 Compare July 5, 2026 11:05
@github-actions

This comment has been minimized.

@IEvangelist

Copy link
Copy Markdown
Member Author

Refreshed this PR branch with the latest broader security-remediation commit set from dapine/security/open-alerts-2026-06-27 and force-updated dapine/security/bump-npm-deps-multi so the existing PR stays current.\n\nBranch is up to date with main (behind_by=0) and mergeable. CI is actively running; I also re-queued failed VS Code extension unit-test checks from previous runs to keep signal current.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@radical radical mentioned this pull request Jul 6, 2026
IEvangelist and others added 5 commits July 7, 2026 06:08
Address remaining vulnerabilities not resolved by automated pass:

Angular (AspireJavaScript.Angular):
- Bump hono override: 4.12.21 -> 4.12.27 (GHSA-wwfh-h76j-fc44, GHSA-j6c9-x7qj-28xf, etc.)
- Bump vite override: 7.3.2 -> 7.3.6 (GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3)
- Add undici override: 7.28.0 (GHSA-vmh5-mc38-953g and others)
- Add http-proxy-middleware override: 3.0.7 (GHSA-gcq2-9pq2-cxqm, GHSA-64mm-vxmg-q3vj)
- Add @babel/core override: 7.29.7 (GHSA-4x5r-pxfx-6jf8)

NodeFrontend (AspireWithNode):
- Bump protobufjs override: 8.2.0 -> ^8.6.0 (GHSA-f38q-mgvj-vph7, etc.)
- Add @opentelemetry/core override: 2.8.0 (GHSA-8988-4f7v-96qf)
- Apply to both npm and pnpm overrides

BrowserTelemetry.Web:
- Add @opentelemetry/core override: 2.8.0 (GHSA-8988-4f7v-96qf)

PolyglotAppHosts TypeScript (5 dirs) + ts-starter + py-starter:
- Add esbuild override: ^0.28.1 (GHSA-g7r4-m6w7-qqqr)

TypeScript.PackageManagers.Yarn:
- Add esbuild resolution: ^0.28.1 (GHSA-g7r4-m6w7-qqqr)
- Update yarn.lock via 'yarn install'

extension/yarn.lock:
- Bump undici resolution: 7.27.0 -> 7.28.0 (GHSA-vmh5-mc38-953g)
- Bump tmp resolution: 0.2.6 -> 0.2.7
- Add brace-expansion: 5.0.6
- Add diff: 8.0.3
- Add form-data: 4.0.6
- Add js-yaml: 4.2.0
- Add linkify-it: 5.0.1
- Add markdown-it: 14.2.0

.gitignore:
- Add **/.yarn/install-state.gz pattern (Yarn Berry cache file)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@IEvangelist IEvangelist force-pushed the dapine/security/bump-npm-deps-multi branch from 4cd6149 to 0a90590 Compare July 7, 2026 11:08
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Tests selector (audit mode)

The full test matrix and all jobs still run in audit mode. The tests and jobs below are what selective CI would run under enforcement.

4 / 99 test projects · 7 jobs, from 142 changed files.

Selected test projects (4 / 99)

Aspire.Cli.EndToEnd.Tests, Aspire.Cli.Tests, Aspire.Playground.Tests, Aspire.Templates.Tests

Selected jobs (7)

cli-starter, deployment-e2e, extension-e2e, extension-unit, polyglot, typescript-api-compat, typescript-sdk


How these were chosen — grouped by what changed

📦 affected project Aspire.Cli
1 test: Aspire.Cli.EndToEnd.Tests

📄 playground/AspireWithBun/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Vite/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithJavaScript/AspireJavaScript.Vue/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithNode/NodeFrontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithNode/NodeFrontend/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/AspireWithNode/NodeFrontend/pnpm-lock.yaml (changed)
1 directly: Aspire.Playground.Tests

📄 playground/BrowserTelemetry/BrowserTelemetry.Web/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/BrowserTelemetry/BrowserTelemetry.Web/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/FoundryAgentBasic/app/uv.lock (changed)
1 directly: Aspire.Playground.Tests

📄 playground/FoundryAgentEnterprise/frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/JavaAppHost/frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/PythonAppHost/frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptAppHost/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptAppHost/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptAppHost/vite-frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/AzureFunctionsSample/AppHost/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/RpsArena/arena-frontend/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/RpsArena/node-player/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/RpsArena/node-player/package.json (changed)
1 directly: Aspire.Playground.Tests

📄 playground/TypeScriptApps/RpsArena/package-lock.json (changed)
1 directly: Aspire.Playground.Tests

🔧 src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json (changed source)
1 via the project graph: Aspire.Cli.Tests

🔧 src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json (changed source)
1 directly: Aspire.Templates.Tests

Job reasons

Job Triggered by
cli-starter • affected project Aspire.Cli
• selected test Aspire.Cli.Tests
deployment-e2e src/Aspire.ProjectTemplates/templates/aspire-ts-cs-starter/frontend/package-lock.json
• affected project Aspire.Cli
extension-e2e extension/package.json, extension/yarn.lock, src/Aspire.Cli/Templating/Templates/java-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/py-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/py-starter/package-lock.json, src/Aspire.Cli/Templating/Templates/py-starter/package.json, src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/package.json
• affected project Aspire.Cli
extension-unit extension/package.json, extension/yarn.lock
polyglot tests/PolyglotAppHosts/Aspire.Hosting.Azure.AppConfiguration/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.AppConfiguration/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.AppContainers/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.AppContainers/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.AppService/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.AppService/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.ApplicationInsights/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.ApplicationInsights/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.CognitiveServices/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.CognitiveServices/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.ContainerRegistry/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.ContainerRegistry/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.CosmosDB/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.EventHubs/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.EventHubs/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Functions/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Functions/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.KeyVault/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.KeyVault/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Kusto/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Kusto/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Network/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.OperationalInsights/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.OperationalInsights/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.PostgreSQL/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.PostgreSQL/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Redis/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Redis/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Search/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Search/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.ServiceBus/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.ServiceBus/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.SignalR/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.SignalR/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Sql/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Sql/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Storage/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.Storage/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure.WebPubSub/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Azure/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.DevTunnels/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.DevTunnels/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Docker/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Docker/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.EntityFrameworkCore/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Foundry/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Foundry/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Garnet/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Garnet/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.GitHub.Models/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.GitHub.Models/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Go/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.JavaScript/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.JavaScript/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Kafka/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Kafka/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Keycloak/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Keycloak/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Kubernetes/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Kubernetes/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Maui/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Maui/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Milvus/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Milvus/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.MongoDB/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.MongoDB/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.MySql/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.MySql/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Nats/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Nats/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.OpenAI/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.OpenAI/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Oracle/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Oracle/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Orleans/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Orleans/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.PostgreSQL/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.PostgreSQL/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Python/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Python/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Qdrant/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Qdrant/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.RabbitMQ/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.RabbitMQ/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Redis/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Redis/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Seq/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Seq/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.SqlServer/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.SqlServer/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Valkey/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Valkey/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting.Yarp/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting.Yarp/TypeScript/package.json, tests/PolyglotAppHosts/Aspire.Hosting/TypeScript/package-lock.json, tests/PolyglotAppHosts/Aspire.Hosting/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package-lock.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Npm/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Pnpm/TypeScript/pnpm-lock.yaml, tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn/TypeScript/package.json, tests/PolyglotAppHosts/TypeScript.PackageManagers.Yarn/TypeScript/yarn.lock
• affected project Aspire.Cli
typescript-api-compat affected project Aspire.Cli
typescript-sdk src/Aspire.Cli/Templating/Templates/ts-starter/frontend/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/package-lock.json, src/Aspire.Cli/Templating/Templates/ts-starter/package.json

Selection computed for commit 0a90590.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.

@IEvangelist

Copy link
Copy Markdown
Member Author

Superseded by #18735, which consolidates these dependency security remediations in the canonical [auto-sec] PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants