[compliance] Update dependencies with vulnerabilities by loreto · Pull Request #2749 · jetify-com/devbox
Pull request overview
This PR updates dependencies across multiple projects to address security vulnerabilities, as indicated by the "[compliance]" prefix in the title. The changes include updates to JavaScript/Node.js dependencies in the VS Code extension and test scripts, as well as PHP/Composer dependencies in the Drupal example stack.
Key changes:
- Added `js-yaml@^4.1.1` to the VS Code extension dependencies
- Updated Node.js packages in test scripts, including major updates to `less` (4.1.3→4.4.2), `shelljs` (0.8.5→0.10.0), and numerous transitive dependencies
- Updated Symfony components and other PHP packages in the Drupal stack to their latest patch versions
- Added a new `devbox.lock` file for the Node.js test environment
Reviewed changes
Copilot reviewed 1 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| vscode-extension/package.json | Added js-yaml@^4.1.1 as a new direct dependency for vulnerability mitigation |
| vscode-extension/yarn.lock | Added corresponding lock entry for js-yaml@4.1.1 |
| testscripts/shellenv/node/package-lock.json | Updated multiple dependencies including less, shelljs, and their transitive dependencies; replaced older glob-based packages with modern alternatives |
| testscripts/shellenv/node/devbox.lock | New lock file for Node.js 18 environment with package resolution metadata |
| examples/stacks/drupal/composer.lock | Updated Drupal core (10.5.1→10.5.6), Symfony components, and various PHP packages to latest patch versions for security and bug fixes |
Files not reviewed (1)
- testscripts/shellenv/node/package-lock.json: Language not supported