Updated packages: wasm-pack 0.14.0
Security fixes via overrides:
- tar 7.4.3 (resolves 4 high severity path traversal vulns)
- axios 1.8.0 (resolves 3 high severity CSRF/SSRF vulns)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates the JS tooling dependencies for the crates/string-offsets/js package to remediate known vulnerabilities in transitive dependencies used by wasm-pack’s installer.
Changes:
- Bump `wasm-pack` dev dependency from `^0.13.1` to `^0.14.0`.
- Add npm `overrides` to force safe versions of `tar` and `axios` used transitively (via `binary-install`).
- Regenerate `package-lock.json` to reflect the updated dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| crates/string-offsets/js/package.json | Updates wasm-pack version and adds overrides for vulnerable transitive dependencies. |
| crates/string-offsets/js/package-lock.json | Lockfile refresh to capture the new resolved versions (including axios@1.x and tar@7.x). |
Files not reviewed (1)
- crates/string-offsets/js/package-lock.json: Language not supported
| "node_modules/tar": { | ||
| "version": "6.2.1", | ||
| "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz", | ||
| "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==", | ||
| "version": "7.5.11", | ||
| "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", | ||
| "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", | ||
| "dev": true, | ||
| "license": "ISC", | ||
| "license": "BlueOak-1.0.0", | ||
| "dependencies": { | ||
| "chownr": "^2.0.0", | ||
| "fs-minipass": "^2.0.0", | ||
| "minipass": "^5.0.0", | ||
| "minizlib": "^2.1.1", | ||
| "mkdirp": "^1.0.3", | ||
| "yallist": "^4.0.0" | ||
| "@isaacs/fs-minipass": "^4.0.0", | ||
| "chownr": "^3.0.0", | ||
| "minipass": "^7.1.2", | ||
| "minizlib": "^3.1.0", | ||
| "yallist": "^5.0.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=10" | ||
| "node": ">=18" | ||
| } |
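Review bot: the lockfile entry's license changes from ISC to BlueOak-1.0.0 alongside the tar 6.2.1 to 7.5.11 bump; if this repository runs a dependency license allowlist, confirm BlueOak-1.0.0 is accepted before merging, or note the change in the PR description next to the Node >=18 engines requirement. The entry keeps "dev": true, so the forced tar@7 affects only the dev toolchain, not the published package's runtime dependency set.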
tar@7.x now requires Node.js >=18 (see the engines field). If this package is expected to be buildable/testable on older Node versions, this update will effectively raise the minimum supported Node version; consider documenting/enforcing the Node requirement (e.g., via package.json engines or CI/tooling docs).
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Just to note, no version bump needed here for the npm package since this is just for dev tooling.
Summary
Updates npm dependencies in `crates/string-offsets/js` to address security vulnerabilities.
Updated packages
- `wasm-pack` (^0.13.1 to ^0.14.0)
Security fixes (via overrides)
Both `tar` and `axios` are transitive dependencies of `wasm-pack` via `binary-install`. Since `binary-install` is deprecated and hasn't been updated, npm `overrides` are used to force safe versions.
- `tar` (6.2.1 to ^7.4.3)
- `axios` (0.21.4 to ^1.8.0)
Validation
- `npm audit` passes with 0 vulnerabilities
- `make build-js` succeeds (WASM compilation)
Generated by the update-deps skill.
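A check a reviewer can run against the regenerated lockfile, added here as an example and not code from the PR or the project: it walks every `node_modules/...` entry in `package-lock.json` and reports any copy of an overridden package (nested copies included, since npm applies `overrides` to the whole tree) whose version falls outside the caret range. The lockfile object and the `findOverrideViolations` / `satisfiesCaret` names are constructed for this example.

```javascript
// Constructed stand-in for package-lock.json "packages" (not the PR's real lockfile).
// The nested tar 6.2.1 under binary-install models a lockfile that was not regenerated.
const lockfile = {
  packages: {
    "node_modules/tar": { version: "7.5.11", dev: true },
    "node_modules/axios": { version: "1.8.4", dev: true },
    "node_modules/binary-install/node_modules/tar": { version: "6.2.1", dev: true },
    "node_modules/@isaacs/fs-minipass": { version: "4.0.1", dev: true },
  },
};

// The overrides block from package.json, as the PR describes them.
const overrides = { tar: "^7.4.3", axios: "^1.8.0" };

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Caret semantics: same major as the floor (for 0.x also the same minor),
// and not below the floor in major.minor.patch order.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled here");
  const v = parseVersion(version);
  const floor = parseVersion(range.slice(1));
  if (v[0] !== floor[0]) return false;
  if (floor[0] === 0 && v[1] !== floor[1]) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] > floor[i]) return true;
    if (v[i] < floor[i]) return false;
  }
  return true;
}

// Every lockfile key ends in "node_modules/<name>"; taking the text after the
// last "node_modules/" yields the package name, scoped packages included.
function findOverrideViolations(lock, ov) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = path.split("node_modules/").pop();
    if (name in ov && !satisfiesCaret(entry.version, ov[name])) {
      violations.push({ path, version: entry.version, expected: ov[name] });
    }
  }
  return violations;
}

console.log(findOverrideViolations(lockfile, overrides));
```

To run it against the real file, replace the constructed object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every installed copy honours the overrides.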