Fix critical dependabot alert #288
Conversation
dxvladislavvolkov
added
the
dependencies
There was a problem hiding this comment.
Pull request overview
This PR addresses Dependabot security alert #65 by removing the deprecated protractor package and upgrading form-data from version 2.3.3 to 2.5.5 to fix a security vulnerability.
Key Changes:
- Removed
protractorfrom devDependencies (a deprecated E2E testing framework) - Added npm overrides section to enforce
form-dataversion ~2.5.4 - Updated package-lock.json to reflect the form-data upgrade to 2.5.5 and mark protractor-related dependencies as optional/peer
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Removed deprecated protractor dependency and added overrides to enforce secure form-data version |
| package-lock.json | Upgraded form-data to 2.5.5 (security fix), marked all protractor and its transitive dependencies as optional/peer to prevent installation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "typescript": "~5.8.0" | ||
| }, | ||
| "overrides": { | ||
| "form-data": "~2.5.4" |
There was a problem hiding this comment.
The override constraint "~2.5.4" only allows patch version updates (2.5.4 to 2.5.x), but the package-lock.json shows form-data version 2.5.5 is being installed. This works currently because 2.5.5 is within the tilde range, but the constraint should either:
- Use the exact version "2.5.5" if that's the specific security-patched version needed
- Use "^2.5.4" to allow minor version updates within 2.x if any future 2.5.x or 2.x versions are acceptable
- Keep "~2.5.4" if only patch updates to 2.5.x are desired
Since this is a security fix, it would be clearer to specify the exact version or use a more explicit range that matches the actual installed version.
| "form-data": "~2.5.4" | |
| "form-data": "2.5.5" |
https://github.com/DevExpress/ThemeBuilder/security/dependabot/65