chore(deps): fix all open dependabot security alerts#3388
Conversation
- tools/da-debug: bump golang.org/x/crypto to v0.52.0 and golang.org/x/net to v0.55.0 (7 critical SSH advisories, plus high/medium DoS fixes) - root, apps/testapp, apps/evm, test/e2e: bump quic-go to v0.59.1 (HTTP/3 QPACK trailer expansion memory exhaustion) - apps/loadgen: bump filippo.io/edwards25519 to v1.1.1 - docs: force patched vite ^6.4.3, esbuild ^0.25.0, lodash-es ^4.18.0 via yarn resolutions (vitepress 1.x pins EOL vite 5; vitepress 2 is still alpha) - docs: remove stale package-lock.json — CI workflows only use yarn, the npm lockfile just generated duplicate alerts Co-Authored-By: Claude Fable 5 <[email protected]>
Co-Authored-By: Claude Fable 5 <[email protected]>
|
The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).
|
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (2)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughUpdates indirect Go dependencies across multiple modules, refreshes selected DA debug tool dependencies, and adds frontend dependency resolutions for the documentation package. ChangesDependency updates
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Co-Authored-By: Claude Fable 5 <[email protected]>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3388 +/- ##
==========================================
- Coverage 62.34% 62.32% -0.02%
==========================================
Files 120 120
Lines 13452 13452
==========================================
- Hits 8386 8384 -2
Misses 4126 4126
- Partials 940 942 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Overview
Clears all 30 open Dependabot alerts across the Go modules and the docs site.
Go modules (all indirect deps, bumped via
go get+go mod tidy)tools/da-debuggolang.org/x/cryptov0.49.0 → v0.52.0,golang.org/x/netv0.52.0 → v0.55.0apps/testapp,apps/evm,test/e2equic-gov0.59.0 → v0.59.1apps/loadgenfilippo.io/edwards25519v1.1.0 → v1.1.1Docs site
resolutions:vite ^6.4.3,esbuild ^0.25.0,lodash-es ^4.18.0. All three vulns are dev-server-only;yarn buildverified passing with the forced versions.docs/package-lock.json— the docs CI workflows only use yarn, so the npm lockfile just generated duplicate alerts.Verification
just test, all go.mods) passesgovulncheckclean on bumped modulesyarn buildindocs/passesNot actionable
govulncheckalso flags GO-2024-3218 (Kademlia DHT content-censorship advisory ingo-libp2p-kad-dht, reachable frompkg/p2p). No fixed version exists — it is a protocol-design issue every kad-dht consumer carries.🤖 Generated with Claude Code
Summary by CodeRabbit