Skip to content

Chore(deps): Fix multiple CVEs in dev and docs dependencies#1050

Open
Pierre-Sassoulas wants to merge 1 commit into
pytest-dev:masterfrom
Pierre-Sassoulas:fix-cve-dependency-bumps
Open

Chore(deps): Fix multiple CVEs in dev and docs dependencies#1050
Pierre-Sassoulas wants to merge 1 commit into
pytest-dev:masterfrom
Pierre-Sassoulas:fix-cve-dependency-bumps

Conversation

@Pierre-Sassoulas

Copy link
Copy Markdown
Member

Address open security alerts:

  • serialize-javascript RCE + DoS: force ^7.0.7 via overrides (mocha pins 6.0.2)
  • pygments GUID ReDoS: 2.19.1 -> 2.20.0
  • requests extract_zipped_paths temp file reuse: 2.32.4 -> 2.34.2
  • urllib3 decompression bomb + cross-origin header leak: 2.6.3 -> 2.7.0
  • glob CLI command injection, js-yaml merge-key DoS, @babel/core file read, and related transitive advisories resolved via npm audit fix

elliptic (GHSA-848j-6mx2-7j84) has no patched release and is a build-time-only bundler dependency (browserify), not shipped in the published wheel; left for alert dismissal.

Address open security alerts:
- serialize-javascript RCE + DoS: force ^7.0.7 via overrides (mocha pins 6.0.2)
- pygments GUID ReDoS: 2.19.1 -> 2.20.0
- requests extract_zipped_paths temp file reuse: 2.32.4 -> 2.34.2
- urllib3 decompression bomb + cross-origin header leak: 2.6.3 -> 2.7.0
- glob CLI command injection, js-yaml merge-key DoS, @babel/core file
  read, and related transitive advisories resolved via npm audit fix

elliptic (GHSA-848j-6mx2-7j84) has no patched release and is a
build-time-only bundler dependency (browserify), not shipped in the
published wheel; left for alert dismissal.
@Pierre-Sassoulas Pierre-Sassoulas force-pushed the fix-cve-dependency-bumps branch from 89e14da to 5bf0857 Compare July 14, 2026 08:56
@Pierre-Sassoulas Pierre-Sassoulas marked this pull request as ready for review July 14, 2026 09:06

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates JavaScript and documentation build dependencies to remediate multiple reported security advisories, including forcing a patched serialize-javascript version via npm overrides and bumping pinned Python doc dependencies.

Changes:

  • Add an npm overrides entry to force serialize-javascript to ^7.0.7 despite transitive pinning.
  • Refresh package-lock.json to reflect npm audit fix and updated transitive dependency graph.
  • Update pinned doc-build Python dependencies (pygments, requests, urllib3) in docs/requirements.txt.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File Description
package.json Adds an npm override to force a patched serialize-javascript version.
package-lock.json Updates the resolved dependency tree to incorporate security fixes and transitive upgrades.
docs/requirements.txt Bumps pinned Python dependencies used for building documentation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread package.json
Comment on lines +10 to 13
"overrides": {
"serialize-javascript": "^7.0.7"
},
"devDependencies": {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants