mirror of
https://github.com/makeplane/plane.git
synced 2026-06-14 03:30:00 +00:00
fix: bump npm deps to resolve Dependabot advisories (#9191)

* fix: bump npm deps to resolve Dependabot advisories

Resolve 8 open Dependabot alerts (all npm, in pnpm-lock.yaml) by bumping
the affected packages in pnpm-workspace.yaml and regenerating the lockfile:

- axios 1.15.2 -> 1.16.0 (catalog): CVE-2026-44494/44492/44490/44489
- tmp -> 0.2.6 (override): CVE-2026-44705 path traversal
- ws 8.x -> 8.20.1 (catalog + scoped override): CVE-2026-45736
- qs 6.14.2 -> 6.15.2 (override): CVE-2026-8723 DoS
- brace-expansion 5.0.5 -> 5.0.6 (override): CVE-2026-45149 DoS

brace-expansion and qs were pinned to their vulnerable versions in the
overrides block, so the pins had to be bumped directly. ws is scoped to
the 8.x major (ws@7.5.10 is below the vulnerable >=8.0.0 floor). All bumps
are semver-compatible patch/minor upgrades; no source changes required.

* fix: use named axios `create` import after 1.16.0 bump

axios 1.16.0 newly exposes `create` as a named export, so oxlint's
import/no-named-as-default-member rule now flags `axios.create(...)`.
That added one warning to @plane/services (7 > its --max-warnings=6
baseline) and to apps/web and apps/live, failing check:lint — surfaced
on this PR because the lockfile change busts Turbo's lint cache.

Switch the three `axios.create(...)` call sites to a named `{ create }`
import. `create` is a real value+type export in axios 1.16.0 (verified
via tsc). isCancel/CancelToken are left as `axios.*`: CancelToken is
only a type export (cannot be a value import under verbatimModuleSyntax)
and both were already counted within the existing baselines.

Verified locally: full `pnpm check:lint` (16/16) and `check:types`
(15/15) pass.
committed by
GitHub
parent
e388cb9125
commit
7ec8d4990f
+6
-4
@@ -95,7 +95,7 @@ catalog:
|
||||
"@vitest/coverage-v8": "^4.0.8"
|
||||
"ast-types": "0.14.2"
|
||||
"autoprefixer": "^10.4.19"
|
||||
"axios": "1.15.2"
|
||||
"axios": "1.16.0"
|
||||
"buffer": "^6.0.3"
|
||||
"chroma-js": "^3.2.0"
|
||||
"class-variance-authority": "0.7.1"
|
||||
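Review bot: The new `"axios": "1.16.0"` catalog entry carries no record of why this floor exists. The CVE ids live only in the commit message, so a YAML comment on this line naming the advisories would keep a later cleanup from lowering or loosening the pin unnoticed. The exact pin (no caret) matches the previous value, so that part is consistent.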
@@ -187,7 +187,7 @@ catalog:
|
||||
"vite-tsconfig-paths": "^5.1.4"
|
||||
"vitest": "^4.0.8"
|
||||
"winston": "^3.17.0"
|
||||
"ws": "^8.18.3"
|
||||
"ws": "8.20.1"
|
||||
"y-indexeddb": "^9.0.12"
|
||||
"y-prosemirror": "^1.3.7"
|
||||
"y-protocols": "^1.0.6"
|
||||
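Review bot: `"ws": "8.20.1"` replaces a caret range (`^8.18.3`) with an exact pin, which is a change in versioning policy on top of the bump; the neighbouring entries in this hunk (vitest, winston, y-indexeddb) all keep their carets. If the intent is only to raise the floor, `"^8.20.1"` does that and still lets future patch releases in; if the exact pin is deliberate, say so in a comment next to the entry.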
@@ -199,7 +199,7 @@ overrides:
|
||||
mdast-util-to-hast: 13.2.1
|
||||
valibot: 1.2.0
|
||||
glob: 11.1.0
|
||||
brace-expansion: 5.0.5
|
||||
brace-expansion: 5.0.6
|
||||
nanoid: 3.3.8
|
||||
esbuild: 0.25.0
|
||||
"@babel/helpers": 7.26.10
|
||||
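Review bot: `brace-expansion: 5.0.6` stays an unscoped exact override, the same shape that, per the commit message, held the package at a vulnerable version until it was bumped by hand. A range form like the `"fast-uri@<3.1.2": ">=3.1.2"` entry further down this file would let the lockfile take later fixed releases without another manual edit; the same applies to the `qs` override in the next hunk.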
@@ -209,7 +209,7 @@ overrides:
|
||||
"@types/express": 4.17.23
|
||||
typescript: "catalog:"
|
||||
vite: "catalog:"
|
||||
qs: 6.14.2
|
||||
qs: 6.15.2
|
||||
diff: 5.2.2
|
||||
webpack: 5.104.1
|
||||
lodash-es: "catalog:"
|
||||
@@ -233,6 +233,8 @@ overrides:
|
||||
follow-redirects: 1.16.0
|
||||
uuid: "catalog:"
|
||||
"fast-uri@<3.1.2": ">=3.1.2"
|
||||
tmp: 0.2.6
|
||||
"ws@8": 8.20.1
|
||||
|
||||
allowBuilds:
|
||||
"@parcel/watcher": true
|
||||
|
||||
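Review bot: `tmp: 0.2.6` is added without a version selector, so it applies to every dependent whatever range that dependent asked for, while the `"ws@8": 8.20.1` line directly below it is scoped to one major. Scope tmp as well, for example with the range form of the `fast-uri` entry above (`"tmp@<0.2.6": ">=0.2.6"`), and add a short comment with the advisory id so the reason for both new overrides is visible in the file and not only in the commit message.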