
Refresh frontend lockfile for security advisories#1308

Open: IEvangelist wants to merge 1 commit into main from dapine/security/aspire-dev-dompurify-esbuild

@IEvangelist (Member)

Summary

Refresh the frontend dependency graph in src/frontend to clear the currently open Dependabot alerts for dompurify and esbuild.

What changed

  • Added pnpm overrides that force patched dompurify and esbuild releases.
  • Regenerated src/frontend/pnpm-lock.yaml so the patched transitive versions are resolved everywhere in the site build.

Alerts addressed

  • dompurify advisories in src/frontend/pnpm-lock.yaml
  • esbuild advisory in src/frontend/pnpm-lock.yaml

Validation

  • pnpm install --frozen-lockfile
  • pnpm lint
  • pnpm test:unit
  • pnpm build

@aspire-repo-bot (Contributor)

Frontend HTML artifact ready

The latest frontend build uploaded the frontend-dist artifact for PR #1308. Use the VS Code button below to open this PR with GitHub Artifacts Explorer and browse the built HTML locally.

VS Code: Open PR #1308 artifacts

This comment updates automatically when a new frontend build artifact is uploaded.

@IEvangelist IEvangelist marked this pull request as ready for review June 30, 2026 08:38
Copilot AI review requested due to automatic review settings June 30, 2026 08:38

Copilot AI (Contributor) left a comment

Pull request overview

This PR refreshes the src/frontend dependency graph to resolve Dependabot security alerts by forcing patched versions of dompurify and esbuild via pnpm overrides and regenerating the lockfile accordingly.

Changes:

  • Updated pnpm overrides to require dompurify >= 3.4.11 (for < 3.4.11).
  • Added a pnpm override to require esbuild >= 0.28.1 (for < 0.28.1).
  • Regenerated src/frontend/pnpm-lock.yaml so the resolved graph consistently uses the patched versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File: Description

  • src/frontend/package.json: Updates pnpm overrides to enforce patched dompurify and esbuild versions.
  • src/frontend/pnpm-lock.yaml: Regenerates the lockfile so patched dompurify/esbuild versions are resolved across the graph.

Files not reviewed (1)

  • src/frontend/pnpm-lock.yaml: Generated file


Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@IEvangelist IEvangelist force-pushed the dapine/security/aspire-dev-dompurify-esbuild branch from a1006ed to 1f3a285 Compare July 1, 2026 11:06
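
An added example, not code from this PR or the repository: a Node.js check that scans pnpm lockfile text and reports any dompurify or esbuild resolution below the floors quoted in the review summary above, which is the property the regenerated lockfile is meant to have. The `name@version` key shapes it matches and the sample lockfile text are constructed assumptions.

```javascript
// Added example: report lockfile entries that still resolve below a security floor.
// Floors are the versions quoted in the review summary on this page.
const FLOORS = { dompurify: '3.4.11', esbuild: '0.28.1' };

// Numeric comparison of major.minor.patch; a plain string compare would rank
// 3.4.9 above 3.4.11. Pre-release/build suffixes are ignored (assumption).
function compareVersions(a, b) {
  const parts = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const [pa, pb] = [parts(a), parts(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every `name@x.y.z` for a watched package: package keys, old-style
// `/name@x.y.z` keys, and peer suffixes such as `pkg@1.0.0(esbuild@0.21.5)`.
// The lookbehind skips other packages (`@scope/esbuild`, `foo-esbuild`), and
// requiring a digit after `@` skips the recorded override `dompurify@<3.4.11`.
function findStaleVersions(lockfileText, floors = FLOORS) {
  const stale = new Set();
  for (const [name, floor] of Object.entries(floors)) {
    const re = new RegExp(`(?<![\\w@/.-])/?${name}@(\\d+\\.\\d+\\.\\d+[\\w.+-]*)`, 'g');
    for (const m of lockfileText.matchAll(re)) {
      if (compareVersions(m[1], floor) < 0) stale.add(`${name}@${m[1]}`);
    }
  }
  return [...stale].sort();
}

// Constructed sample, not the repository's real pnpm-lock.yaml.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'
overrides:
  dompurify@<3.4.11: '>=3.4.11'
  esbuild@<0.28.1: '>=0.28.1'
packages:
  dompurify@3.4.11: {}
  dompurify@3.2.4: {}
  esbuild@0.28.1: {}
  esbuild-register@3.6.0: {}
snapshots:
  example-plugin@1.0.0(esbuild@0.21.5): {}
`;

console.log(findStaleVersions(SAMPLE_LOCKFILE)); // [ 'dompurify@3.2.4', 'esbuild@0.21.5' ]
```

To check a real tree, pass in the text of src/frontend/pnpm-lock.yaml and fail the job when the returned list is not empty.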