
Fix Snyk vulnerabilities in direct dependencies #512

Merged
sushmi21 merged 1 commit into master from snyk-fix-131658 on Apr 22, 2026

Conversation

@peyman-mashhadi

Collaborator

Summary

  • Upgrade axios 1.13.5 → 1.15.0 (fixes 1 Critical + 1 High: Confused Deputy, HTTP Response Splitting)
  • Upgrade dompurify 3.2.4 → 3.3.2 (fixes 5 Medium: XSS, Prototype Pollution, Permissive Inputs)
  • Upgrade immutable 4.2.2 → 4.3.8 (fixes 1 Critical: Prototype Pollution)
  • Upgrade lodash 4.17.23 → 4.18.1 (fixes 1 High + 1 Medium: Code Injection, Prototype Pollution)

All upgrades are backward compatible (patch/minor semver bumps, no breaking changes).

Resolves 10 of 14 Snyk vulnerabilities. The remaining 4 are transitive (follow-redirects, qs, socket.io-parser, yaml) and require upstream package updates.

Ref: 131658

Test plan

  • npm install succeeds
  • npm run build — all 18 bundles compile without errors
  • snyk test confirms 10 vulnerabilities resolved (14 → 4 remaining)
  • Smoke test webchat widget in browser

🤖 Generated with Claude Code

Upgrade axios (1.13.5→1.15.0), dompurify (3.2.4→3.3.2),
immutable (4.2.2→4.3.8), and lodash (4.17.23→4.18.1) to
resolve 10 security vulnerabilities including 2 critical,
3 high, and 5 medium severity issues.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Copilot AI review requested due to automatic review settings April 14, 2026 11:22
@graymalkin77

graymalkin77 commented Apr 14, 2026


Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues


Copilot AI left a comment

Contributor


Pull request overview

This PR updates a set of direct npm dependencies to address Snyk-reported vulnerabilities, keeping the lockfile aligned so CI (npm ci) installs deterministically.

Changes:

  • Bump axios to ^1.15.0 and update its resolved lockfile entries (including proxy-from-env).
  • Bump dompurify to 3.3.2 and refresh lockfile metadata (incl. engines/license fields from upstream).
  • Bump immutable to ^4.3.8 and lodash to ^4.18.1, updating corresponding lockfile resolutions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File               Description
package.json       Updates direct dependency version specs to the intended patched/minor releases.
package-lock.json  Synchronizes resolved versions/integrity for the bumped dependencies to keep npm ci consistent.


@sushmi21 sushmi21 merged commit 946832b into master Apr 22, 2026
8 checks passed

4 participants