fix(security): close all open dependabot + codeql alerts#111
Merged
Pull request overview
This PR is a security hardening sweep intended to close outstanding Dependabot and CodeQL alerts by (1) forcing patched undici resolutions across the workspace, (2) fixing a CodeQL ReDoS finding in CLI terminal markdown rendering, and (3) tightening GitHub Actions GITHUB_TOKEN permissions to least privilege.
Changes:
- Broadened the pnpm override selector to ensure undici versions <6.24.0 resolve to 6.24.0, and regenerated the lockfile to evict undici@5.x.
- Updated the markdown table-separator regex in the CLI terminal renderer to avoid catastrophic backtracking; added a regression test.
- Added explicit workflow-level permissions to CI and token-check workflows to address CodeQL permission findings.
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Broadens the undici override selector to cover all <6.24.0 versions. |
| pnpm-lock.yaml | Regenerates lockfile to reflect new undici resolution and remove undici@5.29.0 and its transitives. |
| packages/cli/src/lib/terminal-render.ts | Replaces the table-separator detection regex with a non-ReDoS pattern. |
| packages/cli/src/lib/terminal-render.test.ts | Adds a test for separator-row stripping + attempted pathological input guard. |
| .github/workflows/token-check.yml | Declares workflow permissions (contents: read, issues: write) for issue creation behavior. |
| .github/workflows/ci.yml | Declares workflow permission (contents: read) to satisfy least-privilege guidance. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
dubscode added a commit that referenced this pull request on May 25, 2026
Per Copilot review on #111: prior pathological input did not end with `|`, so isTableLine() rejected it and formatTable() never ran. New input is a valid table-shaped line that reaches the separator-filter regex, and uses performance.now() for monotonic timing. Refs DUB-0
- broaden undici override to <6.24.0 to evict transitive undici@5.29.0
- fix ReDoS in markdown table separator regex (terminal-render)
- add explicit permissions blocks to ci.yml and token-check.yml
Refs DUB-0
b9a33f3 to cddee7c
🎉 This PR is included in version 1.10.0 🎉 The release is available on: Your semantic-release bot 📦🚀
Summary
Changes
- pnpm-workspace.yaml: broaden undici override from `>=6.0.0 <6.24.0` to `<6.24.0`, evicting transitive `undici@5.29.0` pulled in by `@actions/core@1.11.1 → @actions/http-client@2.2.3` in `packages/retarget-action`. Lockfile regenerated; `pnpm why undici` now shows only `6.24.0` + `7.24.0`.
- packages/cli/src/lib/terminal-render.ts: fix `js/redos` (CodeQL #3) in the GFM table separator filter — replace `/^\|\s*[: -]+(\|\s*[: -]+)+\|$/` with `/^\|[ \t:-]+(\|[ \t:-]+)+\|$/` to remove the `\s*`/`[: -]` overlap that allowed exponential backtracking. Regression test added.
- .github/workflows/ci.yml: add top-level `permissions: { contents: read }` (CodeQL #6).
- .github/workflows/token-check.yml: add top-level `permissions: { contents: read, issues: write }` — the workflow opens a rotation issue near expiry (CodeQL #2).
- packages/retarget-action/dist/index.js: rebuilt by `ncc` after the undici resolution change.
Closes Dependabot #11 #16 #18 #20 #90, CodeQL #2 #3 #6.
Behavior Impact
- undici is newer.
Testing
- `pnpm test` — 1688/1688 passing (incl. new ReDoS regression test)
- `pnpm typecheck`
- `pnpm checks`
- terminal-render.test.ts
- `pnpm --filter dubstack-retarget-action build` — ncc bundle rebuilds cleanly
Coding Agent Checklist (if used)
- AGENTS.md and relevant .agents/* docs
- src/
Docs
- .agents docs updated (if needed) — n/a
Risks / Follow-Ups
- `undici@6.24.0` onto `@actions/http-client@2.2.3`; that consumer uses only the stable `request()` surface, and the retarget-action bundle still builds + the action's vitest suite still passes. Fallback if any regression appears: bump `@actions/core` from `^1.11.1` to `^3.0.0` in `packages/retarget-action/package.json` (v3 is already in the tree via semantic-release and uses `@actions/http-client@4 → undici@6.24.0` natively).
- `gh api repos/wiseiodev/dubstack/dependabot/alerts --jq '[.[]|select(.state=="open")]|length'` and same for code-scanning both return `0`.
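As an added illustration of the separator-regex change described in this PR (example code, not the dubstack project's own): both patterns quoted above, a separator-row filter built on the fixed one, and a timed regression check over a constructed table-shaped line that ends with `|` so it reaches the filter, as the follow-up commit notes. The function names (isSeparatorRow, stripSeparatorRows, pathologicalRow, timedTest) and the filter's shape are assumptions.

```typescript
// Added example, not code from the dubstack repository. Names below are assumed.

// Original pattern: `\s*` and `[: -]` both match a space, so each cell can be
// split between them many ways, and the `(...)+` group multiplies those
// choices per column. A failing line forces the engine to try them all.
const SEPARATOR_RE_VULNERABLE = /^\|\s*[: -]+(\|\s*[: -]+)+\|$/;

// Fixed pattern: one character class per cell, disjoint from `|`, so every
// cell has exactly one way to match and a mismatch is found in linear time.
const SEPARATOR_RE_SAFE = /^\|[ \t:-]+(\|[ \t:-]+)+\|$/;

/** True for a GFM alignment row such as `| --- | :-: |` (needs two or more columns). */
function isSeparatorRow(line: string): boolean {
  return SEPARATOR_RE_SAFE.test(line);
}

/** Assumed shape of the renderer's filter step: drop alignment rows, keep the rest. */
function stripSeparatorRows(lines: string[]): string[] {
  return lines.filter((l) => !isSeparatorRow(l));
}

/**
 * Constructed regression input: starts and ends with `|` like a real table
 * line, every cell but the last looks like a separator cell, and the final
 * cell (`x`) cannot match, so the regex must fail only after exploring the
 * prefix. The vulnerable pattern's work grows exponentially in `columns`.
 */
function pathologicalRow(columns: number): string {
  return "|" + " - |".repeat(columns) + " x |";
}

// Monotonic clock; accessed via globalThis so the example type-checks without DOM/node libs.
const now = (): number => (globalThis as any).performance.now();

/** Runs `re.test(line)` and reports the wall time in milliseconds. */
function timedTest(re: RegExp, line: string): { matched: boolean; ms: number } {
  const start = now();
  const matched = re.test(line);
  return { matched, ms: now() - start };
}
```

The vulnerable pattern is kept only for side-by-side reading; a regression test should run it on a handful of columns at most, while the fixed pattern can be checked against thousands.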