Release/26.2.12 #671

Open
skyflow-himanshu wants to merge 10 commits into main from release/26.2.12
@skyflow-himanshu (Collaborator) commented Feb 13, 2026

Why:
Address multiple security vulnerabilities identified by Dependabot.

Goal:
Fix the non-breaking security updates below.

Updated qs, @isaacs/brace-expansion, node-forge, webpack, js-yaml, lodash, on-headers.
The following vulnerabilities remain because fixing them requires npm audit fix --force, which introduces breaking changes to the build configuration.

elliptic and webpack-dev-server.

@github-actions

Gitleaks Findings: No secrets detected. Safe to proceed!

@github-actions

Semgrep Findings: Issues with Error-level severity are found (Error is the highest severity in Semgrep). Please resolve the issues before merging.

Copilot AI left a comment

Pull request overview

This PR aims to address multiple security vulnerabilities by updating various dependencies including qs, @isaacs/brace-expansion, node-forge, webpack, js-yaml, lodash, and on-headers. The PR also updates the Node.js version used in CI/CD workflows from 14.17.6 to 14.18.0.

Changes:

  • Updated dependency versions to address security vulnerabilities identified by Dependabot
  • Updated Node.js version in GitHub Actions workflows from 14.17.6 to 14.18.0
  • Modified package version numbers in package.json and package-lock.json

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| package.json | Updated lodash to 4.17.23 and webpack to 5.105.1; modified package version to 2.7.3-dev.a67f974 |
| package-lock.json | Updated dependency versions and integrity hashes for security patches; modified package version to 2.7.2 |
| .github/workflows/pr.yml | Updated Node.js version from 14.17.6 to 14.18.0 |
| .github/workflows/common-release.yml | Updated Node.js version from 14.17.6 to 14.18.0 |

"preferGlobal": true,
"analyze": false,
"version": "2.7.3",
"version": "2.7.3-dev.a67f974",

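Review bot: the package.json and package-lock.json versions disagree after this change. The "version" line here moves from "2.7.3" to "2.7.3-dev.a67f974", while the file summary for this PR lists package-lock.json at 2.7.2. The "-dev." suffix followed by a hash-like string reads as the output of a dev publish step committed by accident into a release branch. Set "version" to the intended release value by hand, regenerate the lockfile so both files carry the same version, and confirm that the lockfile's integrity hashes changed only for the packages this PR means to update.
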
Copilot AI Feb 13, 2026

The version in package.json is set to "2.7.3-dev.a67f974" which appears to be a development/pre-release version. However, the PR title is "Release/26.2.12" which suggests this should be a release version. This inconsistency between the PR title and the package version needs to be resolved. Either the PR title is incorrect or the version should be updated to match the intended release version.
