mirror of
https://github.com/gradle/actions.git
synced 2026-06-10 05:37:39 +00:00
9e2c1cc01d
## What

Adds `overrides` to `sources/package.json` to force patched versions of transitively-pulled packages flagged by Dependabot, plus one moderate issue surfaced by `npm audit`:

| Package | Severity | Patched to | Pulled in via |
|---|---|---|---|
| `shell-quote` | Critical | 1.8.4 | `npm-run-all` |
| `fast-xml-builder` | High | 1.2.0 | `@actions/artifact` → `@azure/storage-blob` → `@azure/core-xml` → `fast-xml-parser` |
| `fast-xml-parser` | Medium | 5.8.0 | `@actions/artifact` → `@azure/storage-blob` → `@azure/core-xml` |
| `brace-expansion` | Moderate | 5.0.6 | `eslint` |

## Notes

- All four are **transitive** dependencies, so they're pinned via the existing `overrides` block rather than direct version bumps.
- The patched versions satisfy the parents' declared ranges (e.g. `@azure/core-xml` requires `fast-xml-parser ^5.0.7`; `fast-xml-parser` 5.8.0 requires `fast-xml-builder ^1.2.0`), so nothing is force-downgraded or broken.
- `brace-expansion` is **scoped under `eslint`** rather than a blanket override — most copies in the tree were already on the patched 5.0.6, and only `eslint`'s was stuck at the vulnerable 5.0.5. A global override would have forced unrelated 1.x/2.x copies up a major version.

## Verification

- `npm audit` → **0 vulnerabilities**
- `npm ci` → clean install, 0 vulnerabilities
- `npm test` → **352 passed, 14 suites**

The root `dist/` directory is intentionally left for the CI workflow to update.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
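The override layout the notes describe, as an added illustration rather than the commit's actual diff: the package names and versions are the ones listed above, while the `name` field and everything outside `overrides` are placeholders.

```jsonc
{
  "name": "placeholder-package",
  "private": true,
  "overrides": {
    // Top-level entries apply to every copy of that package in the tree.
    "shell-quote": "1.8.4",
    "fast-xml-builder": "1.2.0",
    "fast-xml-parser": "5.8.0",
    // Nesting an override under a parent limits it to that parent's subtree.
    // A top-level "brace-expansion": "5.0.6" would also push the unrelated
    // 1.x/2.x copies elsewhere in the tree across a major version.
    "eslint": {
      "brace-expansion": "5.0.6"
    }
  }
}
```

After editing, `npm ls brace-expansion` shows which parents resolve which copy, and `npm audit` confirms whether the scoped pin closed the finding.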