
fix(deps): update vulnerable npm transitive deps in docusaurus #81370

Draft
devin-ai-integration[bot] wants to merge 1 commit into master from devin/1782943842-fix-docusaurus-vulnerable-deps

Conversation

@devin-ai-integration

Contributor

What

Resolves https://github.com/airbytehq/airbyte-internal-issues/issues/16679:

Fixes 24 high-severity npm transitive dependency vulnerabilities in the docusaurus lockfile by adding pnpm overrides to force patched versions.

How

Added pnpm.overrides to docusaurus/package.json to pin vulnerable transitive deps to their patched versions:

| Package | Vulnerable | Patched | Parent | CVE/GHSA |
|---|---|---|---|---|
| axios | 1.13.1 | 1.18.1 | @rsdoctor/core (via @docusaurus/plugin-rsdoctor) | GHSA-35jp-ww65-95wh (CVSS 9.4) |
| node-forge | 1.3.1 | 1.4.0 | selfsigned (via webpack-dev-server) | |
| undici | 7.16.0 | 7.28.0 | cheerio (via @cmfcmf/docusaurus-search-local) | |
| ws | 7.5.10 | 7.5.11 | webpack-bundle-analyzer (via @docusaurus/core) | |

All patched versions fall within the parent packages' declared semver ranges (axios: ^1.7.9, node-forge: ^1, undici: ^7.12.0, ws: ^7.3.1), so no compatibility issues are expected. All patched versions were published >= 7 days ago.

Regenerated pnpm-lock.yaml to reflect the overrides.

Review guide

  1. docusaurus/package.json — new pnpm.overrides section
  2. docusaurus/pnpm-lock.yaml — regenerated lockfile with patched versions

User Impact

No user-facing impact. This only affects the docs build toolchain — the published documentation site is unchanged.

Can this PR be safely reverted and rolled back?

  • YES 💚

Devin session

Add pnpm overrides to force patched versions of 4 vulnerable transitive
dependencies in the docusaurus lockfile:

- axios: 1.13.1 → 1.18.1 (GHSA-35jp-ww65-95wh, CVSS 9.4)
- node-forge: 1.3.1 → 1.4.0
- undici: 7.16.0 → 7.28.0
- ws: 7.5.10 → 7.5.11

All patched versions are within their parent packages' semver ranges.
Docs build verified locally.

Co-Authored-By: bot_apk <apk@cognition.ai>
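An added example (not code from the PR or the Airbyte repo) of the check a reviewer would want before approving overrides like these: it takes the pnpm.overrides values and the parent ranges from the table above and verifies that each override is at least the patched version and still satisfies the parent package's declared caret range. The exact-pin override values and the caret-only range handling are assumptions.

```javascript
// Added example (not from the PR): check that each pnpm override is at least the
// patched version and still inside the parent package's declared caret range.
// Only "^x.y.z"-style caret ranges are handled, which covers the four parents here.

// Constructed from the PR's table: parent package, its declared range, patched minimum.
const TRANSITIVE_DEPS = {
  axios:        { parent: '@rsdoctor/core',          range: '^1.7.9',  patched: '1.18.1' },
  'node-forge': { parent: 'selfsigned',              range: '^1',      patched: '1.4.0'  },
  undici:       { parent: 'cheerio',                 range: '^7.12.0', patched: '7.28.0' },
  ws:           { parent: 'webpack-bundle-analyzer', range: '^7.3.1',  patched: '7.5.11' },
};

// The pnpm.overrides map as it would appear in docusaurus/package.json (exact pins assumed).
const PNPM_OVERRIDES = { axios: '1.18.1', 'node-forge': '1.4.0', undici: '7.28.0', ws: '7.5.11' };

// "1.18.1" -> [1, 18, 1]; missing components default to 0 ("^1" -> [1, 0, 0]).
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret rule: the upper bound bumps the first non-zero component the range spells out
// (^1.7.9 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4, ^0.0 -> <0.1.0).
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges supported: ${range}`);
  const spelled = range.slice(1).split('.').length;
  const lower = parseVersion(range.slice(1));
  let i = lower.findIndex((n, idx) => idx < spelled && n !== 0);
  if (i === -1) i = spelled - 1;
  const upper = lower.map((n, idx) => (idx < i ? n : idx === i ? n + 1 : 0));
  return compareVersions(version, lower.join('.')) >= 0 && compareVersions(version, upper.join('.')) < 0;
}

// Returns a list of problems; an empty list means every override is safe to apply.
function checkOverrides(overrides, deps) {
  const problems = [];
  for (const [name, { parent, range, patched }] of Object.entries(deps)) {
    const v = overrides[name];
    if (!v) { problems.push(`${name}: no override present`); continue; }
    if (compareVersions(v, patched) < 0) problems.push(`${name}: ${v} is older than patched ${patched}`);
    if (!satisfiesCaret(v, range)) problems.push(`${name}: ${v} violates ${parent}'s range ${range}`);
  }
  return problems;
}

console.log(checkOverrides(PNPM_OVERRIDES, TRANSITIVE_DEPS)); // [] for this PR's values
```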
@devin-ai-integration

Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration devin-ai-integration Bot added the hyd-fix Hydra: ai-fix stage has run label Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.


PR Slash Commands

Airbyte Maintainers (that's you!) can execute the following slash commands on your PR:

  • 🛠️ Quick Fixes
    • /format-fix - Fixes most formatting issues.
    • /bump-version - Bumps connector versions, scraping changelog description from the PR title.
      • Bump types: patch (default), minor, major, major_rc, rc, promote.
      • The rc type is a smart default: applies minor_rc if stable, or bumps the RC number if already RC.
      • The promote type strips the RC suffix to finalize a release.
      • Example: /bump-version type=rc or /bump-version type=minor
    • /bump-progressive-rollout-version - Alias for /bump-version type=rc. Bumps with an RC suffix and enables progressive rollout.
  • ❇️ AI Testing and Review (internal link: AI-SDLC Docs):
    • /ai-prove-fix - Runs prerelease readiness checks, including testing against customer connections.
    • /ai-canary-prerelease - Rolls out prerelease to 5-10 connections for canary testing.
    • /ai-review - AI-powered PR review for connector safety and quality gates.
  • 📝 AI Documentation:
    • /ai-docs-review - AI-powered documentation review for PRs with connector changes.
    • /ai-create-docs-pr - Creates a documentation PR for connector changes, stacked on the current PR.
  • 🚀 Connector Releases:
    • /publish-connectors-prerelease - Publishes pre-release connector builds (tagged as {version}-preview.{git-sha}) for all modified connectors in the PR.
  • ☕️ JVM connectors:
    • /update-connector-cdk-version connector=<CONNECTOR_NAME> - Updates the specified connector to the latest CDK version.
      Example: /update-connector-cdk-version connector=destination-bigquery
  • 🐍 Python connectors:
    • /poe connector source-example lock - Run the Poe lock task on the source-example connector, committing the results back to the branch.
    • /poe source example lock - Alias for /poe connector source-example lock.
    • /poe source example use-cdk-branch my/branch - Pin the source-example CDK reference to the branch name specified.
    • /poe source example use-cdk-latest - Update the source-example CDK dependency to the latest available version.
  • ⚙️ Admin commands:
    • /force-merge reason="<REASON>" - Force merges the PR using admin privileges, bypassing CI checks. Requires a reason.
      Example: /force-merge reason="CI is flaky, tests pass locally"

@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

Deploy preview for airbyte-docs ready!

Project: airbyte-docs
Status: ✅ Deploy successful!
Preview URL: https://airbyte-docs-9raqh9pmh-airbyte-growth.vercel.app
Latest Commit: 9b96cf3

Deployed with vercel-action
