Skip to content

[codex] resolve DevRev dependency advisories#297

Open
shriram-devrev wants to merge 1 commit into
mainfrom
codex/resolve-devrev-dependency-issues
Open

[codex] resolve DevRev dependency advisories#297
shriram-devrev wants to merge 1 commit into
mainfrom
codex/resolve-devrev-dependency-issues

Conversation

@shriram-devrev

@shriram-devrev shriram-devrev commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • upgrade vulnerable tar, js-yaml, and brace-expansion dependency chains
  • upgrade Electron and Puppeteer to remove the unpatched public extract-zip package
  • constrain the nested semantic-release npm dependency so its bundled tar is fixed
  • align the supported Node range with the upgraded npm runtime

Root cause

The reported Snyk advisories were introduced through direct and transitive npm dependencies. extract-zip has no patched public release, so its parent packages are upgraded to versions that no longer depend on it.

Validation

  • npx nx run-many --target=build --all --parallel
  • node@24.15.0 node_modules/nx/bin/nx.js run-many --target=test --all --exclude=benchmarking-app --parallel=3
  • targeted npm audit check confirms no findings for tar, js-yaml, extract-zip, or brace-expansion

work-item: ISS-331766

ISS-331766
ISS-331767
ISS-335950
ISS-336523

@shriram-devrev shriram-devrev marked this pull request as ready for review July 14, 2026 08:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant