chore: fix 3 moderate CVEs via dep updates (2026-07-03)#5856

Merged
lpcox merged 2 commits into main from copilot/deps-safe-dependency-updates
Jul 3, 2026

Conversation

Copilot AI commented Jul 3, 2026

Resolves 3 moderate severity vulnerabilities (GHSA-h67p-54hq-rp68, GHSA-6v5v-wf23-fmfq, and a transitive js-yaml issue) all in dev-only toolchain dependencies.

Dependency updates

  • markdownlint-cli2: ^0.21.0 → ^0.23.0 — pulls in patched js-yaml ≥4.1.2 and markdown-it ≥14.1.2, fixing both MODERATE CVEs
  • @typescript-eslint/{eslint-plugin,parser} + typescript-eslint: ^8.62.0 → ^8.62.1 — patch bump
  • js-yaml transitive via @istanbuljs/load-nyc-config — resolved via npm audit fix

npm audit now reports 0 vulnerabilities. All affected packages are dev-only with no production firewall impact.

Copilot AI linked an issue Jul 3, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Update safe dependencies to resolve vulnerabilities" to "chore: fix 3 moderate CVEs via dep updates (2026-07-03)" Jul 3, 2026
Copilot finished work on behalf of lpcox July 3, 2026 04:21
Copilot AI requested a review from lpcox July 3, 2026 04:21
@lpcox lpcox requested a review from Copilot July 3, 2026 05:09

Copilot AI left a comment

Pull request overview

Updates dev-only dependencies to remediate three moderate security advisories reported by npm audit (including markdownlint-cli2 and TypeScript ESLint toolchain updates), aiming to bring the audit report to 0 vulnerabilities.

Changes:

  • Bump markdownlint-cli2 to ^0.23.0 (pulling in newer markdown-it, js-yaml, and related deps).
  • Patch-bump @typescript-eslint/{eslint-plugin,parser} and typescript-eslint to ^8.62.1.
  • Refresh package-lock.json per npm audit fix, updating transitive dependency versions.
Summary per file:

  • package.json: Updates devDependencies for markdown linting and TypeScript ESLint tooling to address reported CVEs.
  • package-lock.json: Locks the new dependency graph, including updated transitive packages from audit remediation.

Review details

  • Files reviewed: 1/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread package.json
Comment on lines 74 to +79
"husky": "^9.1.7",
"jest": "^30.4.2",
"markdownlint-cli2": "^0.21.0",
"markdownlint-cli2": "^0.23.0",
"ts-jest": "^29.4.11",
"typescript": "^5.9.3",
"typescript-eslint": "^8.62.0"
"typescript-eslint": "^8.62.1"
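Review bot: the markdownlint-cli2 bump from ^0.21.0 to ^0.23.0 on this line raises the toolchain's Node floor: the Contribution Check on this PR reports that the lockfile shows the new version requires node >=22, while CONTRIBUTING.md documents Node.js v20.19.0+. Either pick a patched markdownlint-cli2 release that still supports Node 20, or update the Node requirement in CONTRIBUTING.md and the CI expectations in the same PR, so that npm audit reporting 0 vulnerabilities is not achieved by breaking lint on the documented Node version. The typescript-eslint ^8.62.0 to ^8.62.1 patch bump looks fine.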

github-actions Bot commented Jul 3, 2026

⏳ Copilot review left inline comments.

@copilot To proceed:

  1. Ask @copilot to address the review feedback (reply to this comment or the review thread)
  2. Once the fix is pushed, add the ready-for-aw label to trigger agentic CI smoke tests

github-actions Bot commented Jul 3, 2026

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

github-actions Bot commented Jul 3, 2026

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

github-actions Bot commented Jul 3, 2026

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

github-actions Bot commented Jul 3, 2026

Contribution Check completed successfully!

github-actions Bot commented Jul 3, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

github-actions Bot commented Jul 3, 2026

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

github-actions Bot commented Jul 3, 2026

Chroot tests failed Smoke Chroot failed - See logs for details.

github-actions Bot commented Jul 3, 2026

Smoke Claude passed

github-actions Bot commented Jul 3, 2026

🔌 Smoke Services — All services reachable! ✅

github-actions Bot commented Jul 3, 2026

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

github-actions Bot commented Jul 3, 2026

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

github-actions Bot commented Jul 3, 2026

Build Test Suite completed successfully!

github-actions Bot commented Jul 3, 2026

Smoke Gemini completed. All facets verified. 💎

github-actions Bot commented Jul 3, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

github-actions Bot commented Jul 3, 2026

🚀 Security Guard has started processing this pull request

github-actions Bot commented Jul 3, 2026

Smoke Test: Copilot BYOK (Direct) Mode

Status: PASS

Running in direct BYOK mode via COPILOT_PROVIDER_API_KEY:

  • ✅ BYOK Inference: Agent → api-proxy sidecar → api.githubcopilot.com (confirmed by successful prompt response)
  • ✅ Agent sees placeholder credentials only; real key held by sidecar
  • ✅ Network traffic properly isolated through firewall

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) - sibling workflow covers COPILOT_GITHUB_TOKEN path

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAIL

host.docker.internal (172.17.0.1) is unreachable from this runner. Service containers are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Smoke Test: PAT Auth

  • GitHub MCP connectivity
  • GitHub.com HTTP: ✅ 200
  • File write/read: ⚠️ template vars unexpanded

Overall: PASS — core connectivity confirmed.
Author: @lpcox | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Thanks for the dependency cleanup. One contribution-guideline issue to address before this is ready:

  • Development setup / PR checks: markdownlint-cli2 moves from 0.21.0 to 0.23.0, and the lockfile shows the new package requires node >=22. CONTRIBUTING.md lists Node.js v20.19.0+ and asks contributors to ensure lint/test/build remain valid, so this update appears to raise the effective lint tooling requirement beyond the documented/project-supported Node version. Please either use a compatible patched dependency path or update the Node requirement/documentation and CI expectations accordingly.

No tests or docs changes seem required for the dependency-only security update otherwise.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Contribution Check for #5856 · 58.5 AIC · ⊞ 19.3K ·
Add label ready-for-aw to run again
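The Contribution Check above flags something npm audit does not check: a dependency bump that raises the toolchain's Node floor above the version the project documents. As an added example that is not part of this PR or the project's code, the script below scans a package-lock.json fragment for packages whose engines.node the documented Node version cannot satisfy; the lockfile contents, version numbers and engines strings are constructed assumptions.

```javascript
// Added example, not code from the PR: flag lockfile packages whose engines.node
// floor is above the Node version the project documents. The lockfile is a
// constructed package-lock v3 fragment; versions/engines are assumptions.
const sampleLock = {
  packages: {
    "": { name: "demo", devDependencies: { "markdownlint-cli2": "^0.23.0" } },
    "node_modules/markdownlint-cli2": { version: "0.23.0", dev: true, engines: { node: ">=22" } },
    "node_modules/js-yaml": { version: "4.1.2", dev: true },
    "node_modules/typescript-eslint": { version: "8.62.1", dev: true, engines: { node: "^18.18.0 || ^20.9.0 || >=21.1.0" } },
  },
};

// "20.19.0" -> [20, 19, 0]; missing components default to 0.
function parseVersion(v) {
  const parts = v.replace(/^v/, "").split(".").map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal engines-range check: ">=", "^", "~", bare versions and "||" alternatives.
// Assumption: this covers typical toolchain engines strings; unknown syntax is
// treated as satisfied so the check never raises a false alarm.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alt) => {
    const m = alt.trim().match(/^(>=|\^|~)?\s*v?(\d+(?:\.\d+){0,2})$/);
    if (!m) return true;
    const min = parseVersion(m[2]);
    if (compare(v, min) < 0) return false;
    if (m[1] === "^") return v[0] === min[0]; // caret: same major
    if (m[1] === "~") return v[0] === min[0] && v[1] === min[1]; // tilde: same minor
    return true; // ">=" or bare version: lower bound only
  });
}

// Non-root packages whose engines.node the documented Node version does not satisfy.
function findEngineConflicts(lock, documentedNode) {
  return Object.entries(lock.packages)
    .filter(([path, pkg]) => path !== "" && pkg.engines && pkg.engines.node)
    .filter(([, pkg]) => !satisfies(documentedNode, pkg.engines.node))
    .map(([path, pkg]) => ({ name: path.replace(/^.*node_modules\//, ""), version: pkg.version, requires: pkg.engines.node }));
}

console.log(findEngineConflicts(sampleLock, "20.19.0")); // Node floor documented in CONTRIBUTING.md
```

To run it against a real lockfile, replace sampleLock with the parsed contents of package-lock.json and pass the Node version from CONTRIBUTING.md or the engines field.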

github-actions Bot commented Jul 3, 2026

@lpcox
✅ GitHub MCP connectivity
✅ GitHub.com connectivity
✅ File write/read
✅ Direct BYOK inference
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

🔍 Smoke Test Results

  • GitHub MCP: ✅ Connected (PR #5856 context available)
  • GitHub.com HTTP: ⚠️ Pre-step data not expanded (template vars unresolved)
  • File Write/Read: ⚠️ Pre-step data not expanded (template vars unresolved)

Overall: ⚠️ PARTIAL — Agent connectivity confirmed; pre-computed step outputs were not passed to agent context.

cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Smoke Test: Claude Engine Validation

  • API status: ✅ PASS
  • GH check: ✅ PASS
  • File status: ✅ PASS

Overall result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5856 · 55.5 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

@lpcox

  • GitHub MCP connectivity: ✅
  • GitHub.com HTTP connectivity: ✅
  • File write/read test: ✅
  • BYOK inference test: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Smoke test summary:

  • Merged PRs: Add host/sidecar parity guard for API proxy provider env constants
  • Merged PRs: Deduplicate provider auth header construction across runtime, validation, and model fetch paths
  • GitHub title check: ❌
  • File write: ✅
  • Build: ✅

Overall: FAIL

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Smoke test results: ❌ (Connectivity/MCP), ✅ (File/Bash). Overall: FAIL.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5856 · 52.7 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

github-actions Bot commented Jul 3, 2026

Smoke Test: API Proxy OpenTelemetry Tracing

  • Module Loading: otel.js loaded, isEnabled()=true, all expected functions exported
  • Test Suite: 59/59 tests passed across 2 suites (otel.test.js, otel-fanout.test.js)
  • Env Var Forwarding: ⚠️ Expected (api-proxy-service.ts does not yet forward OTEL env vars; noted as expected during development)
  • Token Tracker Integration: onUsage callback present in token-tracker-http.js
  • OTEL Diagnostics: ⚠️ Expected (no spans emitted at runtime; follows from missing env var forwarding)

Result: All scenarios pass or are expected-pending during development. The OTEL module is fully implemented and tested; the remaining gap (env var passthrough in api-proxy-service.ts) is a known in-progress item.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@lpcox lpcox marked this pull request as ready for review July 3, 2026 12:21
@lpcox lpcox merged commit 7bf6e00 into main Jul 3, 2026
89 of 91 checks passed
@lpcox lpcox deleted the copilot/deps-safe-dependency-updates branch July 3, 2026 12:22
Development

Successfully merging this pull request may close these issues.

[Deps] Safe dependency updates (2026-07-03)
