Skip to content

fix(deps): bump devalue to 5.8.1 to resolve GHSA-77vg-94rm-hx3p#15

Merged
kanywst merged 1 commit into
mainfrom
fix/audit-devalue-advisory
May 18, 2026
Merged

fix(deps): bump devalue to 5.8.1 to resolve GHSA-77vg-94rm-hx3p#15
kanywst merged 1 commit into
mainfrom
fix/audit-devalue-advisory

Conversation

@kanywst
Copy link
Copy Markdown
Member

@kanywst kanywst commented May 18, 2026

Summary

Test plan

  • npm auditfound 0 vulnerabilities
  • npm run lint
  • npm run typecheck
  • npm run test
  • npm run build

@kanywst
fix(deps): bump devalue to 5.8.1 to resolve GHSA-77vg-94rm-hx3p
e921829 
devalue 5.6.3-5.8.0 has a high-severity DoS vulnerability via
sparse array deserialization. Pulled in transitively via astro
and @astrojs/react. Bump the lockfile entry to 5.8.1 to unblock
`npm audit` (and therefore CI) on all open PRs.
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 18, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 34e378c9-62d1-45e0-ba0d-381298ca1a93

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/audit-devalue-advisory

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@kanywst kanywst merged commit dbcc24e into main May 18, 2026
2 checks passed
@kanywst kanywst deleted the fix/audit-devalue-advisory branch May 18, 2026 10:23
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the devalue dependency in package-lock.json from version 5.7.1 to 5.8.1. The reviewer recommends adding this dependency to the overrides section in package.json to ensure the security fix for GHSA-77vg-94rm-hx3p remains persistent and to prevent potential regressions during future lockfile regenerations.

Comment thread package-lock.json
},
"node_modules/devalue": {
"version": "5.7.1",
"version": "5.8.1",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

To ensure the security fix for devalue (GHSA-77vg-94rm-hx3p) is robust and persistent, consider adding it to the overrides section in package.json. This aligns with the existing project pattern of using overrides for transitive dependencies like yaml and vite, preventing accidental regressions if the lockfile is regenerated or if upstream dependencies are updated in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kanywst