
fix(security): resolve rollup and minimatch audit vulnerabilities #333

Merged
jamesbhobbs merged 1 commit into main from fix/security-audit-vulnerabilities on Mar 2, 2026

Conversation


@jamesbhobbs jamesbhobbs commented Mar 2, 2026

Bump minimatch override from >=10.2.1 to >=10.2.3 (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74) and add rollup override >=4.59.0 (GHSA-mw96-cpmx-2vgc).

Summary by CodeRabbit

Chores

  • Updated framework and build tool dependencies to the latest stable versions. These routine maintenance updates improve project stability, security, and overall compatibility with current development standards and best practices. The updates ensure the build pipeline and development environment continue to operate reliably while maintaining alignment with industry standards.

Bump minimatch override from >=10.2.1 to >=10.2.3 (GHSA-7r86-cg39-jmmj,
GHSA-23c5-xmqv-rm74) and add rollup override >=4.59.0 (GHSA-mw96-cpmx-2vgc).

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@jamesbhobbs jamesbhobbs requested a review from a team as a code owner March 2, 2026 11:30

coderabbitai bot commented Mar 2, 2026

📝 Walkthrough

Package.json dependency overrides are updated. The minimatch override version constraint is bumped from >=10.2.1 to >=10.2.3, and a new pnpm override for rollup >=4.59.0 is added. These are configuration-level changes to enforce specific dependency versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Updates Docs: ❓ Inconclusive. PR updates dependency versions for security fixes in package.json, but external changelog and internal repo documentation cannot be verified. Resolution: check deepnote.com/changelog for updates needed and verify deepnote-internal repo roadmap documentation for security patch entries.

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. Title accurately describes the main change: updating dependency overrides to resolve security vulnerabilities in rollup and minimatch.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



codecov bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.42%. Comparing base (99a0edf) to head (0fc7f7a).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #333   +/-   ##
=======================================
  Coverage   83.42%   83.42%           
=======================================
  Files         122      122           
  Lines        7355     7355           
  Branches     2040     1979   -61     
=======================================
  Hits         6136     6136           
  Misses       1219     1219           


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 72-73: Change the unbounded >= ranges for minimatch and rollup to
semver ranges that prevent automatic major-version upgrades; specifically update
the package.json entries for "minimatch" and "rollup" from ">=10.2.3" and
">=4.59.0" to bounded ranges like ">=10.2.3 <11.0.0" and ">=4.59.0 <5.0.0" (or
equivalent caret ranges such as "^10.2.3" and "^4.59.0") so future lockfile
refreshes cannot pull incompatible major releases.

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 99a0edf and 0fc7f7a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
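As an added example (not code from this PR or the repository), a small Node.js check that reads a package.json and reports pnpm override ranges that set a floor but no ceiling, the pattern the review comment above flags for the minimatch and rollup overrides; the sample package.json it scans is constructed.

```javascript
// Added example, not the repository's code: scan the pnpm.overrides block of a
// package.json and report ranges that pin a floor (">=x") but no ceiling, so a
// later lockfile refresh could silently pull a new major release.
// Handles the plain comparator / caret / tilde / x-range syntax without npm's
// semver package, so it runs with a bare Node.js install.

function hasUpperBound(range) {
  // "a || b" is bounded only if every alternative is bounded.
  return range.split("||").every((alt) => {
    const tokens = alt.trim().split(/\s+/).filter(Boolean);
    if (tokens.includes("-")) return true;          // hyphen range "1.2.3 - 2.3.4"
    return tokens.some(
      (t) =>
        t.startsWith("<") ||                          // explicit "<11.0.0"
        t.startsWith("^") ||                          // caret pins the major
        t.startsWith("~") ||                          // tilde pins the minor
        /^\d+(\.(\d+|x|\*))*$/.test(t)                // exact "4.59.0" or "4.x"
    );
  });
}

// Returns [{ name, range }] for every override whose range has no ceiling.
function unboundedOverrides(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || pkg.overrides || {};
  return Object.entries(overrides)
    .filter(([, range]) => typeof range === "string" && !hasUpperBound(range))
    .map(([name, range]) => ({ name, range }));
}

// Constructed sample mirroring the two ranges quoted in the PR; it is not the
// project's real package.json.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  pnpm: {
    overrides: {
      minimatch: ">=10.2.3",
      rollup: ">=4.59.0",
      "safe-dep": ">=1.4.0 <2.0.0",
    },
  },
});

for (const { name, range } of unboundedOverrides(SAMPLE_PACKAGE_JSON)) {
  console.log(`unbounded override: ${name}@${range}`);
}
```

Run it against a real package.json with `unboundedOverrides(fs.readFileSync("package.json", "utf8"))`; an empty result means every override already has an upper bound.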

@jamesbhobbs jamesbhobbs enabled auto-merge (squash) March 2, 2026 11:35
@jamesbhobbs jamesbhobbs merged commit 7bd3bf5 into main Mar 2, 2026
21 checks passed
@jamesbhobbs jamesbhobbs deleted the fix/security-audit-vulnerabilities branch March 2, 2026 11:39