
chore: bump deps and add overrides to address security alerts#165

Open
vredchenko wants to merge 1 commit into main from chore/security-deps-bump-2026-04

Conversation

@vredchenko
Contributor

Summary

Resolves all 47 open GitHub code scanning alerts on pnpm-lock.yaml for sci-react-ui. After these changes pnpm audit reports no known vulnerabilities, and build, type check, lint, all 205 tests, and storybook build still succeed.

Branched fresh off main (separate from existing PR #141).

What changed

Direct devDep bumps

  • @babel/core 7.26.0 → 7.29.0
  • @babel/preset-env 7.26.0 → 7.29.2
  • @babel/preset-react 7.25.9 → 7.28.5
  • @babel/preset-typescript 7.26.0 → 7.28.5
  • @storybook/* 8.4.4 → 8.6.18 (fixes CVE-2026-27148, CVE-2025-68429 in storybook itself)
  • eslint 9.17.0 → 9.39.0 (pulls patched @eslint/plugin-kit)
  • rollup 4.27.3 → 4.60.2

pnpm.overrides added

For transitive deps that cannot be reached via direct bumps:

| Package | Range | Pinned to | Fixes |
| --- | --- | --- | --- |
| postcss | ^8.0.0 | 8.5.12 | CVE-2026-41305 |
| vite | ^7.0.0 | 7.3.2 | CVE-2026-39363 / 39364 / 39365, CVE-2025-62522 |
| brace-expansion | ^1.1.0, ^2.0.0 | 1.1.14, 2.1.0 | CVE-2026-33750, CVE-2025-5889 |
| picomatch | ^2.0.0, ^4.0.0 | 2.3.2, 4.0.4 | CVE-2026-33671 / 33672 |
| yaml | ^1.0.0, ^2.0.0 | 1.10.3, 2.8.3 | CVE-2026-33532 |
| flatted | ^3.0.0 | 3.4.2 | CVE-2026-32141, CVE-2026-33228 |
| minimatch | ^3.0.0, ^9.0.0 | 3.1.5, 9.0.9 | CVE-2026-26996 / 27903 / 27904 |
| rollup | ^4.0.0 | 4.60.2 | CVE-2026-27606 |
| ajv | ^6.0.0, ^8.0.0 | 6.15.0, 8.20.0 | CVE-2025-69873 |
| markdown-it | ^14.0.0 | 14.1.1 | CVE-2026-2327 |
| qs | >=6.13.0 <6.14.0, ^6.14.0 | 6.14.2, 6.15.1 | CVE-2025-15284, CVE-2026-2391 |
| js-yaml | ^4.1.0 | 4.1.1 | CVE-2025-64718 |
| @babel/runtime, @babel/helpers | ^7.0.0 | 7.29.2 | CVE-2025-27789 |
| webpack | ^5.0.0 | 5.106.2 | CVE-2025-68157, CVE-2025-68458 |
| esbuild | >=0.24.0 <0.25.0 | 0.25.12 | GHSA-67mh-4wv8-2f99 |
| serialize-javascript | ^6.0.0 | 7.0.5 | GHSA-5c6j-r48x-rmvq, CVE-2026-34043 |
| @tootallnate/once | ^2.0.0 | 3.0.1 | CVE-2026-3449 |
| uuid | ^9.0.0 | 14.0.0 | GHSA-w5hq-g745-h8pq |
| svgo | ^2.0.0 | 3.3.3 | CVE-2026-29074 |

The pre-existing lodash override is kept.

Test plan

  • pnpm install resolves cleanly (only pre-existing @mui/x-date-pickers / @jsonforms/material-renderers peer warnings remain — unrelated to this PR)
  • pnpm lint:tsc passes
  • pnpm lint passes
  • pnpm build succeeds
  • pnpm test — 205 passing, 1 skipped (unchanged)
  • pnpm storybook:build succeeds
  • pnpm audit reports no known vulnerabilities
  • CI green
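A check worth running on an override table like the one above, added here as an example and not code from this PR or from sci-react-ui: pnpm applies a `pnpm.overrides` entry regardless of what the dependent declared, so a pin that falls outside the selector's own range (for instance `"uuid@^9.0.0": "14.0.0"`) hands every dependent a version it was never written against, and `pnpm audit` coming back clean says nothing about that. The script below reads a `pnpm.overrides`-shaped map, evaluates the pinned version against the selector range with a minimal matcher for the range forms used in the table (`^x.y.z`, `>=x.y.z <a.b.c`, exact), and flags each override as in range, outside the range, or a major-version jump. The `SAMPLE_OVERRIDES` map is constructed from a few rows of the table; the function names are this example's own.

```javascript
// Added example, not part of the PR: flag pnpm.overrides pins that leave the
// range they replace. Uses only language built-ins so it runs offline.

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are dropped.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret upper bound: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpper([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Minimal matcher for the range forms seen in the override table:
// "^x.y.z", ">=x.y.z <a.b.c", and exact "x.y.z". Clauses are ANDed.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((clause) => {
    if (clause.startsWith('^')) {
      const base = parseVersion(clause.slice(1));
      return compareVersions(v, base) >= 0 && compareVersions(v, caretUpper(base)) < 0;
    }
    if (clause.startsWith('>=')) return compareVersions(v, parseVersion(clause.slice(2))) >= 0;
    if (clause.startsWith('<')) return compareVersions(v, parseVersion(clause.slice(1))) < 0;
    return compareVersions(v, parseVersion(clause)) === 0;
  });
}

// pnpm override keys are "name" or "name@range"; scoped names start with "@",
// so split on the last "@" that is not at position 0.
function splitSelector(key) {
  const at = key.lastIndexOf('@');
  if (at <= 0) return { name: key, range: null };
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// One finding per override: whether the pin satisfies the selector range and
// whether it changes the major relative to the range's lower bound.
function auditOverrides(overrides) {
  return Object.entries(overrides).map(([key, pinned]) => {
    const { name, range } = splitSelector(key);
    if (range === null) return { name, range: '*', pinned, inRange: true, majorJump: false };
    const inRange = satisfies(pinned, range);
    const lower = parseVersion(range.replace(/^[\^>=]+/, '').split(/\s+/)[0]);
    const majorJump = parseVersion(pinned)[0] !== lower[0];
    return { name, range, pinned, inRange, majorJump };
  });
}

// Constructed sample in the shape of package.json "pnpm.overrides",
// taken from a few rows of the table in this PR.
const SAMPLE_OVERRIDES = {
  'postcss@^8.0.0': '8.5.12',
  'qs@>=6.13.0 <6.14.0': '6.14.2',
  'serialize-javascript@^6.0.0': '7.0.5',
  'uuid@^9.0.0': '14.0.0',
  'esbuild@>=0.24.0 <0.25.0': '0.25.12',
};

for (const f of auditOverrides(SAMPLE_OVERRIDES)) {
  const tag = f.inRange ? 'ok' : f.majorJump ? 'MAJOR JUMP' : 'outside range';
  console.log(`${tag.padEnd(14)} ${f.name}@${f.range} -> ${f.pinned}`);
}
```

To run this against a real project, load `package.json`, take its `pnpm.overrides` object and pass it to `auditOverrides`. A "MAJOR JUMP" line (serialize-javascript 6 to 7, uuid 9 to 14 in the sample) is the entry to look at first: it is the case where a passing test suite is the only evidence that the dependents still work, so the override should be revisited once the dependents ship their own fixed ranges and it can be dropped.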

Resolves all 47 GitHub code scanning alerts on pnpm-lock.yaml.

Direct devDep bumps:
- @babel/core, preset-env/react/typescript -> 7.29.x
- @storybook/* and storybook -> 8.6.18
- eslint -> 9.39.x
- rollup -> 4.60.2

pnpm overrides for transitive dependencies that direct bumps cannot
resolve:
- postcss, vite, brace-expansion (1.x and 2.x), picomatch (2.x and
  4.x), yaml (1.x and 2.x), flatted, minimatch (3.x and 9.x), rollup,
  ajv (6.x and 8.x), markdown-it, qs, js-yaml, @babel/runtime,
  @babel/helpers, webpack, esbuild, serialize-javascript,
  @tootallnate/once, uuid, svgo

pnpm audit now reports no vulnerabilities. Build, type check, lint,
tests (205 passing), and storybook build all succeed.