Skip to content

fix(deps): resolve all 18 Dependabot alerts#59

Merged
khaosdoctor merged 1 commit into
mainfrom
fix/dependabot-vulns
Jul 11, 2026
Merged

fix(deps): resolve all 18 Dependabot alerts#59
khaosdoctor merged 1 commit into
mainfrom
fix/dependabot-vulns

Conversation

@khaosdoctor

Copy link
Copy Markdown
Member

Fixes all 18 Dependabot alerts GitHub flagged on main (1 critical, 3 high, 10 moderate, 4 low). All of them were transitive build tooling deps, nothing in the worker runtime.

What changed:

  1. Bumped wrangler to 4.110.0 and @cloudflare/workers-types to 5.x together, the old pair was blocking the rest of the fixes from resolving
  2. Bumped all @docusaurus/* packages to 3.10.2
  3. Added an overrides block for serialize-javascript, uuid, and esbuild, those three were still pinned to old versions deep inside Docusaurus own dependency tree and npm audit fix wanted to downgrade Docusaurus itself to get rid of them, which is backwards

npm audit now reports 0 vulnerabilities. Typecheck, full test suite, full build (all 3 locales plus the worker bundle), and lint all pass clean.

Copilot AI review requested due to automatic review settings July 11, 2026 18:12

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates build/tooling dependencies to eliminate Dependabot/audit vulnerabilities, primarily around Docusaurus and Cloudflare Workers tooling, and introduces npm overrides to force patched transitive versions.

Changes:

  • Bumped wrangler and @cloudflare/workers-types together.
  • Updated all @docusaurus/* packages to 3.10.2.
  • Added npm overrides for serialize-javascript, uuid, and esbuild.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json
@khaosdoctor
khaosdoctor merged commit a1b32c2 into main Jul 11, 2026
2 checks passed
@khaosdoctor
khaosdoctor deleted the fix/dependabot-vulns branch July 11, 2026 21:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants