Fix dompurify 3.3.1 in yarn.lock to close reopened GHSA-v2wj-7wpq-c8vv #1636

Merged
TalZaccai merged 3 commits into main from copilot/fix-dependabot-alert-reopen, Mar 19, 2026

Conversation

Copilot AI commented Mar 17, 2026


PR #1634 updated the npm overrides to dompurify 3.3.3 but regenerated yarn.lock from scratch (new file mode), reverting the dompurify entry back to 3.3.1 — undoing dependabot PR #1617's fix. Yarn v1 ignores npm overrides and resolves from yarn.lock, so dependabot still sees the vulnerable version.

  • Manually updated the dompurify entry in yarn.lock from 3.3.1 → 3.3.3
  • All other overridden packages (lodash-es, minimatch, serialize-javascript, on-headers, webpack-dev-server) already have correct versions — no previous alerts will reopen

Note: `yarn upgrade dompurify@3.3.3` is unsafe here — it reverts minimatch to 3.1.2, serialize-javascript to 6.0.2, and lodash-es to 4.17.21 (all vulnerable). The manual yarn.lock edit is intentional.
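The description above explains why a regenerated yarn.lock can silently undo a security fix: Yarn v1 resolves from the lockfile and never consults npm `overrides`. As an added example (not code from this PR or the repository), here is a small Node.js check that parses a yarn.lock v1 fragment and flags any entry whose resolved version is older than the matching package.json override. The lockfile text, the package `@example/sample-dep`, the registry URL and the override values are constructed for the example; overrides are assumed to be exact minimum versions rather than ranges.

```javascript
// Added example, not part of the PR: check that every package named in
// package.json "overrides" resolves in yarn.lock (v1 format) to a version no
// older than the override. Yarn v1 ignores npm overrides, so a regenerated
// lockfile can drift back to a vulnerable version without any error.

// Parse a yarn.lock v1 body into [{ selectors, version }] entries.
// A header line is unindented and ends with ':' (e.g. `dompurify@^3.0.0, dompurify@3.3.1:`);
// the indented `version "x.y.z"` line that follows gives the resolved version.
function parseYarnLockV1(lockText) {
  const entries = [];
  let current = null;
  for (const line of lockText.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      current = {
        selectors: line.replace(/:\s*$/, '').split(',')
          .map((s) => s.trim().replace(/^"|"$/g, '')),
        version: null,
      };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s{2}version\s+"([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// "name@range" -> "name"; lastIndexOf keeps scoped packages such as "@scope/pkg@^1.0.0" intact.
function packageName(selector) {
  const at = selector.lastIndexOf('@');
  return at > 0 ? selector.slice(0, at) : selector;
}

// Numeric dotted-version comparator: negative if a < b, 0 if equal, positive if a > b.
// Pre-release tags are ignored, which is enough for the exact versions used in overrides.
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10) || 0);
  const pb = b.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report every lockfile entry whose resolved version is older than its override.
// `overrides` is assumed to map package name -> exact minimum version (constructed shape).
function checkLockAgainstOverrides(lockText, overrides) {
  const findings = [];
  for (const entry of parseYarnLockV1(lockText)) {
    const name = packageName(entry.selectors[0]);
    const wanted = overrides[name];
    if (wanted === undefined || entry.version === null) continue;
    if (compareVersions(entry.version, wanted) < 0) {
      findings.push({ package: name, selectors: entry.selectors, locked: entry.version, override: wanted });
    }
  }
  return findings;
}

// Constructed yarn.lock fragment (not the repository's real lockfile): dompurify has
// drifted back to 3.3.1 while the made-up scoped package satisfies its override.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


dompurify@^3.0.0, dompurify@3.3.1:
  version "3.3.1"
  resolved "https://registry.example.invalid/dompurify/-/dompurify-3.3.1.tgz"
  integrity sha512-CONSTRUCTED

"@example/sample-dep@^2.0.0":
  version "2.0.0"
  resolved "https://registry.example.invalid/@example/sample-dep/-/sample-dep-2.0.0.tgz"
  integrity sha512-CONSTRUCTED
`;

// Constructed overrides in the shape of package.json "overrides".
const SAMPLE_OVERRIDES = { dompurify: '3.3.3', '@example/sample-dep': '2.0.0' };

const findings = checkLockAgainstOverrides(SAMPLE_LOCK, SAMPLE_OVERRIDES);
console.log(findings.length === 0 ? 'yarn.lock satisfies all overrides' : findings);
```

Run against the real files by reading `yarn.lock` and the `overrides` object from `package.json`; a non-empty result is exactly the condition this PR fixes by hand, and wiring the check into CI catches the next lockfile regeneration before Dependabot reopens the alert.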

@TalZaccai TalZaccai marked this pull request as ready for review March 17, 2026 22:11
Copilot AI review requested due to automatic review settings March 17, 2026 22:11

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.



@TalZaccai TalZaccai merged commit ac82984 into main Mar 19, 2026
12 checks passed
@TalZaccai TalZaccai deleted the copilot/fix-dependabot-alert-reopen branch March 19, 2026 18:31
@github-actions github-actions Bot locked and limited conversation to collaborators May 19, 2026