Skip to content

npm audit fix: address non-breaking security vulnerabilities#2337

Merged
connor4312 merged 1 commit into
mainfrom
copilot/run-npm-audit-fix
Apr 3, 2026
Merged

npm audit fix: address non-breaking security vulnerabilities#2337
connor4312 merged 1 commit into
mainfrom
copilot/run-npm-audit-fix

Conversation

Copilot AI commented Apr 3, 2026

Copy link
Copy Markdown
Contributor

Summary

Ran npm audit fix to address security vulnerabilities that can be fixed without breaking changes.

This reduced the number of vulnerabilities from 26 to 18. The remaining 18 vulnerabilities require --force (breaking changes) to fix, such as downgrading vsce, mocha, or gulp-cli, which are out of scope for a safe audit fix.

Changes

  • Updated package-lock.json with patched dependency versions for non-breaking fixes

Remaining vulnerabilities (require breaking changes to fix)

  • braces < 3.0.3 (via chokidar 2.x / gulp)
  • lodash.template (via gulp-util)
  • picomatch ≤ 2.3.1 (no fix available)
  • serialize-javascript (via mocha 8–12)
  • xml2js < 0.5.0 (via vsce)

@rzhao271 rzhao271 marked this pull request as ready for review April 3, 2026 16:08
@rzhao271 rzhao271 added this to the 1.115.0 milestone Apr 3, 2026
@connor4312 connor4312 enabled auto-merge (squash) April 3, 2026 16:09
@connor4312 connor4312 merged commit c3715e0 into main Apr 3, 2026
7 checks passed
@connor4312 connor4312 deleted the copilot/run-npm-audit-fix branch April 3, 2026 16:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants