Pull request overview
Mitigates reported NPM transitive vulnerabilities by forcing patched dependency versions via overrides and updating the lockfile accordingly.
Changes:
- Add `overrides` in `package.json` for `serialize-javascript` and `diff`.
- Update `package-lock.json` to reflect the overridden resolved versions and remove no-longer-needed transitive entries.
- Document the preferred vulnerability remediation approach (use `overrides`, avoid `npm audit fix --force`) in Copilot instructions.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Adds overrides to pin/raise vulnerable transitive dependencies to patched versions. |
| package-lock.json | Refreshes resolved dependency tree to match the new overrides (notably diff and serialize-javascript). |
| .github/copilot-instructions.md | Updates guidance on handling vulnerabilities via npm audit and overrides. |
| "overrides": { | ||
| "serialize-javascript": "^7.0.5", | ||
| "diff": "^8.0.3" | ||
| }, |
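Review bot: the overrides carry no record of which advisories they remediate or of the condition under which they can be removed, and `package.json` cannot hold comments, so put that rationale in the `.github/copilot-instructions.md` section this PR updates (or in the PR description) and drop each override once the package that pulls in `diff` and `serialize-javascript` depends on patched releases itself. Both ranges (`^7.0.5`, `^8.0.3`) also sit one major above what `mocha@11.7.5` declares for these packages (`^6.0.2`, `^7.0.0`), so the test suite should be run against the overridden tree before merge.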
The new global overrides force diff to ^8.0.3 and serialize-javascript to ^7.0.5, but mocha@11.7.5 in the lockfile declares dependencies on diff ^7.0.0 and serialize-javascript ^6.0.2 (see package-lock.json:4687-4699). This bypasses upstream semver constraints and risks runtime/test failures if Mocha isn’t compatible with the new major versions. Prefer upgrading the dependency that brings in Mocha (or Mocha itself) to a version that officially depends on these secure versions; if that’s not possible, consider an override strategy that stays within Mocha’s supported major ranges and only bumps to a patched release.
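The check the comment above describes by hand (does an override force a version outside the range a dependent declares?) can be automated. The script below is an added example, not code from this PR or its repository: it reads the `overrides` map from `package.json` and the `packages` map of a lockfileVersion 2/3 `package-lock.json`, resolves which copy each dependent actually loads, and reports any dependent whose declared range excludes that copy, plus the case where the lockfile was never refreshed after the override. The sample input is constructed; the `mocha@11.7.5` ranges and the two override values are the ones quoted in the review, while `example-reporter` is a hypothetical package that already accepts the new major and therefore produces no finding.

```javascript
// Added example, not code from the PR under review: audit npm "overrides"
// against the semver ranges that dependents declare in package-lock.json.
// Assumes a lockfileVersion 2 or 3 lockfile, whose "packages" map is keyed
// by install path ("node_modules/<name>", nested paths for duplicate copies).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range matcher for what lockfiles normally contain: "^x.y.z",
// "~x.y.z", ">=x.y.z", exact "x.y.z" and "*". Anything else is rejected
// loudly rather than guessed (assumption: sufficient for a CI check).
function satisfies(version, range) {
  const r = String(range).trim();
  if (r === '*' || r === '' || r === 'latest') return true;
  const v = parseVersion(version);
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    // caret: the leftmost non-zero component must not change
    let hi;
    if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
    else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
    else hi = [0, 0, lo[2] + 1];
    return compare(v, lo) >= 0 && compare(v, hi) < 0;
  }
  if (r.startsWith('~')) {
    const lo = parseVersion(r.slice(1));
    return compare(v, lo) >= 0 && compare(v, [lo[0], lo[1] + 1, 0]) < 0;
  }
  if (r.startsWith('>=')) return compare(v, parseVersion(r.slice(2))) >= 0;
  if (/^\d/.test(r)) return compare(v, parseVersion(r)) === 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Node-style resolution inside the lockfile: the copy of `name` that a
// dependent installed at `dependentPath` loads is the nearest
// node_modules/<name> found while walking up from the dependent.
function resolveFor(lock, dependentPath, name) {
  let base = dependentPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${name}`;
    if (lock.packages[candidate]) return lock.packages[candidate];
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// One finding per dependent whose declared range excludes the copy it will
// actually receive ("out-of-range"), or whose copy is still outside the
// override itself because the lockfile was not refreshed ("stale-lockfile").
function findOverrideConflicts(pkgJson, lock) {
  const findings = [];
  for (const [name, overrideRange] of Object.entries(pkgJson.overrides || {})) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const declared = entry.dependencies && entry.dependencies[name];
      if (!declared) continue;
      const resolved = resolveFor(lock, path, name);
      if (!resolved) continue;
      const dependent = `${path === '' ? '(root)' : path.replace(/^.*node_modules\//, '')}@${entry.version}`;
      const base = { dependent, dependency: name, declared, resolved: resolved.version, override: overrideRange };
      if (!satisfies(resolved.version, overrideRange)) findings.push({ kind: 'stale-lockfile', ...base });
      else if (!satisfies(resolved.version, declared)) findings.push({ kind: 'out-of-range', ...base });
    }
  }
  return findings;
}

// Constructed sample input: mocha's declared ranges and the override values
// are those quoted in the review; "example-reporter" is hypothetical.
const SAMPLE_PACKAGE_JSON = { overrides: { 'serialize-javascript': '^7.0.5', diff: '^8.0.3' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { version: '0.0.0', dependencies: { mocha: '^11.7.5' } },
    'node_modules/mocha': { version: '11.7.5', dependencies: { diff: '^7.0.0', 'serialize-javascript': '^6.0.2' } },
    'node_modules/example-reporter': { version: '1.0.0', dependencies: { diff: '^8.0.0' } },
    'node_modules/diff': { version: '8.0.3' },
    'node_modules/serialize-javascript': { version: '7.0.5' },
  },
};

for (const f of findOverrideConflicts(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) {
  console.log(`${f.kind}: ${f.dependent} declares ${f.dependency}@${f.declared} but receives ${f.resolved} (override ${f.override})`);
}
```

Run against the real files by replacing the two constants with `JSON.parse(fs.readFileSync(...))`; a non-empty result is the signal to either narrow the override to a patched release inside the dependent's declared major, or to upgrade the dependent instead, as the review suggests.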
Last round.