Bump npm dependencies for security alerts#18518
Conversation
|
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18518Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18518" |
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Pull request overview
This PR bumps several npm dependency graphs to patched releases in order to resolve open npm security alerts across three areas of the repo. The changes are concentrated in dependency manifests and their generated lockfiles; no product/runtime source code is modified.
Changes:
- Extension: bumps
wsto8.21.0and pins@nevware21/ts-utils,fast-uri,qs,wsviaresolutions, with matchingyarn.lockupdates. - Angular playground: adds
hono/wspins tooverrides(note: itspackage-lock.jsonis not included in the PR). - Codegen TypeScript tests: major bump of
vitest^3.2.1 → ^4.1.0, regeneratingpackage-lock.json(pulls in vite 8, rolldown replacing rollup, chai 6, etc.).
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
extension/package.json |
Bumps ws to 8.21.0 and adds @nevware21/ts-utils, fast-uri, qs, ws resolutions for security pins. |
extension/yarn.lock |
Consolidates/updates @nevware21/ts-utils, fast-uri, qs, ws lock entries to the pinned versions (dnceng feed). |
playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json |
Adds hono/ws to overrides; corresponding package-lock.json regeneration is missing from the PR. |
tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package.json |
Major bump of vitest to ^4.1.0. |
tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package-lock.json |
Regenerated lockfile for the vitest 4 / vite 8 / rolldown dependency tree. |
Files not reviewed (1)
- tests/Aspire.Hosting.CodeGeneration.TypeScript.JsTests/package-lock.json: Generated file
| "hono": "4.12.21", | ||
| "ws": "8.21.0" |
038dae5 to
e6c262f
Compare
This comment has been minimized.
This comment has been minimized.
| "@angular/animations": "^21.2.17", | ||
| "@angular/common": "^21.2.17", | ||
| "@angular/compiler": "^21.2.17", | ||
| "@angular/core": "^21.2.17", | ||
| "@angular/forms": "^21.2.17", | ||
| "@angular/platform-browser": "^21.2.17", | ||
| "@angular/platform-browser-dynamic": "^21.2.17", | ||
| "@angular/router": "^21.2.17", |
This comment has been minimized.
This comment has been minimized.
adamint
left a comment
There was a problem hiding this comment.
I found one supply-chain issue and am checking whether I can push the focused fix.
This comment has been minimized.
This comment has been minimized.
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
fbd5a79 to
41704b8
Compare
This comment has been minimized.
This comment has been minimized.
41704b8 to
4cd6149
Compare
This comment has been minimized.
This comment has been minimized.
|
Refreshed this PR branch with the latest broader security-remediation commit set from dapine/security/open-alerts-2026-06-27 and force-updated dapine/security/bump-npm-deps-multi so the existing PR stays current.\n\nBranch is up to date with main (behind_by=0) and mergeable. CI is actively running; I also re-queued failed VS Code extension unit-test checks from previous runs to keep signal current. |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
Address remaining vulnerabilities not resolved by automated pass: Angular (AspireJavaScript.Angular): - Bump hono override: 4.12.21 -> 4.12.27 (GHSA-wwfh-h76j-fc44, GHSA-j6c9-x7qj-28xf, etc.) - Bump vite override: 7.3.2 -> 7.3.6 (GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3) - Add undici override: 7.28.0 (GHSA-vmh5-mc38-953g and others) - Add http-proxy-middleware override: 3.0.7 (GHSA-gcq2-9pq2-cxqm, GHSA-64mm-vxmg-q3vj) - Add @babel/core override: 7.29.7 (GHSA-4x5r-pxfx-6jf8) NodeFrontend (AspireWithNode): - Bump protobufjs override: 8.2.0 -> ^8.6.0 (GHSA-f38q-mgvj-vph7, etc.) - Add @opentelemetry/core override: 2.8.0 (GHSA-8988-4f7v-96qf) - Apply to both npm and pnpm overrides BrowserTelemetry.Web: - Add @opentelemetry/core override: 2.8.0 (GHSA-8988-4f7v-96qf) PolyglotAppHosts TypeScript (5 dirs) + ts-starter + py-starter: - Add esbuild override: ^0.28.1 (GHSA-g7r4-m6w7-qqqr) TypeScript.PackageManagers.Yarn: - Add esbuild resolution: ^0.28.1 (GHSA-g7r4-m6w7-qqqr) - Update yarn.lock via 'yarn install' extension/yarn.lock: - Bump undici resolution: 7.27.0 -> 7.28.0 (GHSA-vmh5-mc38-953g) - Bump tmp resolution: 0.2.6 -> 0.2.7 - Add brace-expansion: 5.0.6 - Add diff: 8.0.3 - Add form-data: 4.0.6 - Add js-yaml: 4.2.0 - Add linkify-it: 5.0.1 - Add markdown-it: 14.2.0 .gitignore: - Add **/.yarn/install-state.gz pattern (Yarn Berry cache file) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
4cd6149 to
0a90590
Compare
Tests selector (audit mode)The full test matrix and all jobs still run in audit mode. The tests and jobs below are what selective CI would run under enforcement. 4 / 99 test projects · 7 jobs, from 142 changed files. Selected test projects (4 / 99)
Selected jobs (7)
How these were chosen — grouped by what changed📦 affected project 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 📄 🔧 🔧 Job reasons
Selection computed for commit |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
|
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt. |
|
Superseded by #18735, which consolidates these dependency security remediations in the canonical [auto-sec] PR. |
Addresses the open npm security alerts in the touched Aspire manifests by bumping the affected dependency graph to patched releases.
Changed areas:
Validation:
yarn test)pnpm test)@angular/common/httpresolution error unrelated to the dependency bump