Conversation

@not-fritos (Member)

fixing vulnerabilities

@not-fritos (Member, Author)

Finished testing dependencies reducing vulnerabilities from

65 vulnerabilities (46 moderate, 18 high, 1 critical) to
48 vulnerabilities (38 moderate, 10 high)

The majority of the remaining vulnerabilities require more refactoring and appear to be primarily DDoS-related openings.

Remaining vulnerability report attached below. I'll make some additional tickets for each of these.
https://docs.google.com/document/d/1RGxcVMIEbDx8I22q0WyE2MGA_ffwdnsQtwemZdoXu5Y/edit?tab=t.0

@not-fritos not-fritos requested review from Copilot and kylie-taitano and removed request for Copilot and kylie-taitano June 10, 2025 03:33

Copilot AI left a comment


Pull Request Overview

This PR addresses security vulnerabilities by updating dependency versions, adds a null check in a JSON string replacement utility, and refactors CLI markdown generation to include a generated-file header.

  • Added a null/undefined guard in replaceStringsInJsonBlob
  • Bumped project version and updated multiple dependencies to newer releases
  • Introduced a constant header and refactored summary/projects markdown generation in the CLI

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

  • pxtlib/main.ts: Added a null check at the start of replaceStringsInJsonBlob
  • package.json: Incremented version and updated several dependencies to patch vulnerabilities
  • cli/cli.ts: Added GENERATED_FILE_DECLARATION and refactored markdown assembly
Comments suppressed due to low confidence (3)

pxtlib/main.ts:181

  • Consider adding unit tests for replaceStringsInJsonBlob that cover null and undefined inputs to verify the new guard behaves as expected.
if (blobPart == null) {

package.json:135

  • Gulp v5 is not yet officially released; this version bump may cause install failures. Verify that v5 exists or pin to a valid released version to avoid build breakage.
"gulp": "^5.0.1",

cli/cli.ts:1965

  • [nitpick] The array-based assembly of PROJECTS_MD_CONTENT could be simplified and made more readable by using a single template literal instead of multiple array entries and join calls.
const PROJECTS_MD_CONTENT = [
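To make the null-guard point above concrete, here is an added example of a recursive string-replacement pass over a parsed JSON value, written for this page and not taken from pxt's own pxtlib/main.ts. The function name replaceStringsInJsonBlob matches the review, but its signature, the JsonValue type, the replacements map and the sample blob are all assumptions made for the illustration; the only behaviour borrowed from the review is the `blobPart == null` guard, which short-circuits on both null (a legal JSON value) and undefined (an absent optional field) before any property access or recursion.

```typescript
// Added example, not pxt's code. Recursively replaces whole string values in a
// parsed JSON blob using a lookup table, with the null/undefined guard in front.

// Hypothetical JSON value type for the example.
type JsonValue = string | number | boolean | null | JsonValue[] | { [key: string]: JsonValue };

function replaceStringsInJsonBlob(
    blobPart: JsonValue | undefined,
    replacements: Record<string, string>
): JsonValue | undefined {
    // Guard: `== null` covers both null and undefined. Without it, the
    // Array.isArray / Object.keys branches below would throw on such input.
    if (blobPart == null) {
        return blobPart;
    }
    if (typeof blobPart === "string") {
        // Replace only exact matches; unknown strings pass through unchanged.
        return Object.prototype.hasOwnProperty.call(replacements, blobPart)
            ? replacements[blobPart]
            : blobPart;
    }
    if (Array.isArray(blobPart)) {
        // Elements may themselves be null, so each one goes back through the guard.
        return blobPart.map(item => replaceStringsInJsonBlob(item, replacements) as JsonValue);
    }
    if (typeof blobPart === "object") {
        const out: { [key: string]: JsonValue } = {};
        for (const key of Object.keys(blobPart)) {
            out[key] = replaceStringsInJsonBlob(blobPart[key], replacements) as JsonValue;
        }
        return out;
    }
    // number or boolean: nothing to replace
    return blobPart;
}

// Constructed sample input (not from the project) exercising strings, nested
// objects, arrays and an embedded null.
const SAMPLE_BLOB: JsonValue = {
    title: "hello",
    tags: ["hello", "x", null],
    nested: { n: 3, ok: true, s: "hello" }
};

function demoReplacement(): JsonValue | undefined {
    return replaceStringsInJsonBlob(SAMPLE_BLOB, { hello: "world" });
}

console.log(JSON.stringify(demoReplacement()));
console.log(replaceStringsInJsonBlob(undefined, { hello: "world" }));
```

The guard returns the input unchanged rather than substituting an empty object, so callers that pass an optional field through still see the field's original absence or null value on the way out.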

@not-fritos (Member, Author)

I think there's one more test that's failing here that I need to investigate
