GRAL-5897 fix vulnerabilities in example apps #201
Open
- undici 5.29.0 → 6.25.0 (CVE-2026-1526, CVE-2026-2229) in remix-cars-service
- lodash 4.17.23 → 4.18.1 (CVE-2026-4800) in remix-cars-service, pipedrive-hello-world-glitch, todo, caller, messaging-app-extn-playground, custom-ui-app-docusign

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR aims to remediate dependency vulnerabilities across the example apps by upgrading lodash (via overrides) and updating the corresponding lockfiles; additionally it bumps undici in remix-cars-service and removes no-longer-needed transitive packages.
Changes:
- Add/adjust `overrides` to force `lodash` to `^4.18.0` across multiple apps, with lockfiles resolving `lodash@4.18.1` from the internal registry proxy.
- Upgrade `undici` in `apps/remix-cars-service` (lockfile now resolves `undici@6.25.0`) and remove `@fastify/busboy` / older nested `undici` entries.
- Update various `package-lock.json` entries to reflect the new dependency resolutions.
Reviewed changes
Copilot reviewed 6 out of 12 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| apps/todo/package.json | Adds lodash to overrides to force a patched version. |
| apps/todo/package-lock.json | Updates resolved lodash tarball/version and related lock metadata. |
| apps/remix-cars-service/package.json | Updates @vercel/node override for undici and adds lodash override. |
| apps/remix-cars-service/package-lock.json | Removes old transitive packages and updates resolved lodash/undici versions. |
| apps/pipedrive-hello-world-glitch/package.json | Adds lodash to overrides. |
| apps/pipedrive-hello-world-glitch/package-lock.json | Updates resolved lodash tarball/version and related lock metadata. |
| apps/messaging-app-extn-playground/package.json | Adds lodash to overrides. |
| apps/messaging-app-extn-playground/package-lock.json | Updates resolved lodash tarball/version and related lock metadata. |
| apps/custom-ui-app-docusign/package.json | Adds lodash to overrides. |
| apps/custom-ui-app-docusign/package-lock.json | Updates resolved lodash tarball/version. |
| apps/caller/package.json | Adds lodash to overrides. |
| apps/caller/package-lock.json | Updates resolved lodash tarball/version and related lock metadata. |
Files not reviewed (6)
- apps/caller/package-lock.json: Language not supported
- apps/custom-ui-app-docusign/package-lock.json: Language not supported
- apps/messaging-app-extn-playground/package-lock.json: Language not supported
- apps/pipedrive-hello-world-glitch/package-lock.json: Language not supported
- apps/remix-cars-service/package-lock.json: Language not supported
- apps/todo/package-lock.json: Language not supported
| "@vercel/node": { | ||
| "path-to-regexp": "^6.3.0", | ||
| "undici": "^5.29.0" | ||
| "undici": "^6.24.0" |
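Review bot: the new range `^6.24.0` for the `@vercel/node` undici override sets a floor one minor below the version this PR actually lands; the commit message names 6.25.0 as the fix for CVE-2026-1526 and CVE-2026-2229, and the lockfile resolves 6.25.0. A caret range only guarantees >= 6.24.0, so a fresh `npm install` without the lockfile, or a later `npm update`, could legitimately resolve a 6.24.x that predates the fix. Use `"undici": "^6.25.0"` here so the override itself encodes the patched floor instead of relying on the lockfile to hold it.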
| "tsx": "4.21.0", | ||
| "typescript": "npm:typescript@5.9.3", | ||
| "undici": "^5.29.0" | ||
| "undici": "^6.24.0" |
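Review bot: this second `undici` entry jumps from `^5.29.0` to `^6.24.0`, a major-version change, in the same file as the `@vercel/node` override above; keep the two in lockstep at the same patched floor (`^6.25.0`, matching the resolved 6.25.0) so the older nested copy this PR removes from the lockfile cannot reappear under a different range. Because a major bump can change behaviour for the package being overridden, the PR should record that remix-cars-service was built and exercised against undici 6; the "Manual testing" section of the description below is currently empty.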
| "integrity": "sha512-dX8l6qUL6O+fYPtpNRideCFSpmWOUVx5QcaGLVqe/vlDiBSe4vYljDWDETwnyFzpl7By/WVIu6rcrniCgH9BqQ==", | ||
| "requires": { | ||
| "lodash": "^4.17.21", | ||
| "lodash": "^4.18.0", |
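Review bot: the `requires` range here moves to `^4.18.0`, but the commit message names 4.18.1 as the version fixing CVE-2026-4800. If 4.18.0 predates that fix, `^4.18.0` still admits a vulnerable resolution the next time the lockfile is regenerated; the override in package.json, and therefore this recorded range, should be `^4.18.1` unless the advisory confirms 4.18.0 is already patched. `requires` ranges in a lockfile are written by npm from the override rather than edited by hand, so this hunk should be the output of `npm install` after changing the override; the unchanged `integrity` line above is consistent with that, since the parent package's own tarball did not change.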
| "getopts": "2.3.0", | ||
| "interpret": "^2.2.0", | ||
| "lodash": "^4.17.21", | ||
| "lodash": "^4.18.0", |
| "getopts": "2.3.0", | ||
| "interpret": "^2.2.0", | ||
| "lodash": "^4.17.21", | ||
| "lodash": "^4.18.0", |
| "getopts": "2.3.0", | ||
| "interpret": "^2.2.0", | ||
| "lodash": "^4.17.21", | ||
| "lodash": "^4.18.0", |
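Review bot: this getopts/interpret/lodash block with its range moved to `^4.18.0` appears four times above, and the per-file summary lists six lockfiles touched, so the same transitive consumer of lodash is being re-pinned in several apps at once. Each app resolves lodash independently, so the check that matters is per app: run `npm ci` followed by `npm ls lodash` (and `npm audit`) in each of the six app directories and confirm a single lodash@4.18.1 with no nested older copy, rather than relying on the range text alone.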
Related Tickets & Documents
https://pipedrive.atlassian.net/browse/GRAL-5897
Description
This pull request updates the `lodash` dependency to version 4.18.1 across multiple applications and makes related dependency and lockfile adjustments. It also upgrades the `undici` package in the `remix-cars-service` app and removes some now-unneeded dependencies. These changes help keep dependencies current and improve consistency across the codebase.

Dependency upgrades and lockfile updates:
- Upgraded `lodash` to version 4.18.1 in all affected `package.json` and `package-lock.json` files for the following apps: `caller`, `custom-ui-app-docusign`, `messaging-app-extn-playground`, `pipedrive-hello-world-glitch`, `remix-cars-service`, and `todo`. Updated references to use the new version and changed the registry URL to `npm-registry-proxy.pipedrive.tools` for internal consistency.
- Updated `lodash` ranges (e.g., `^4.17.21`) to the new `^4.18.0` version.

Remix Cars Service specific updates:
- Upgraded `undici` from 6.24.1 to 6.25.0 and updated all related references, including in the `@vercel/node` dependency.
- Removed `@fastify/busboy` and an older version of `undici` that were previously required by `@vercel/node`, as they are no longer needed with the new `undici` version.

These changes ensure that all projects are using up-to-date and consistent versions of key dependencies, improving maintainability and security.
Type of PR?
Manual testing
Automated tests added?
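The override-plus-lockfile approach in this PR has two places where a too-low floor can hide: the range written in `overrides`, and the versions actually resolved in each `package-lock.json` (including nested copies under a parent package). The following script is an added example, not code from this PR or the repository, that checks both. It takes the patched floors from this PR's commit message (lodash 4.18.1, undici 6.25.0), walks a lockfile in both the v2/v3 `packages` layout and the v1-style `dependencies` layout, and separately inspects `overrides` for ranges whose lower bound is below the floor. The lockfile and package.json objects below are constructed samples shaped like the files in this PR; the version of `@vercel/node` and the `some-tool` package are made up for illustration.

```javascript
// Added example: audit an npm lockfile and package.json overrides against
// minimum patched versions. Floors come from this PR's commit message; they
// are assumptions, so take them from the advisory for real use.
const FLOORS = { lodash: "4.18.1", undici: "6.25.0" };

// Minimal x.y.z comparison (prerelease/build tags stripped): -1, 0 or 1.
function cmpSemver(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "node_modules/@vercel/node/node_modules/undici" -> "undici"
function nameFromPath(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// Collect every resolved {name, version, where} from both lockfile layouts.
function collectVersions(lock) {
  const found = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    found.push({ name: nameFromPath(key), version: entry.version, where: key });
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}${name}`;
      found.push({ name, version: entry.version, where });
      walk(entry.dependencies, `${where} > `); // v1 nests resolved copies here
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Resolved copies below their floor; an empty array means the lockfile is clean.
function findBelowFloor(lock, floors = FLOORS) {
  return collectVersions(lock).filter(
    (e) => floors[e.name] && e.version && cmpSemver(e.version, floors[e.name]) < 0
  );
}

// Lower bound implied by a simple range ("^6.24.0", "~4.18.0", ">=4.18.1",
// "4.18.1"); null for anything this helper does not understand.
function rangeLowerBound(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  return m ? m[1] : null;
}

// Walk "overrides" (including per-parent nested objects) and report entries
// whose lower bound is below the floor for that package.
function findWeakOverrides(pkg, floors = FLOORS) {
  const weak = [];
  const walk = (obj, path) => {
    for (const [name, spec] of Object.entries(obj || {})) {
      if (typeof spec === "object") { walk(spec, `${path}${name} > `); continue; }
      const lb = floors[name] ? rangeLowerBound(spec) : null;
      if (lb && cmpSemver(lb, floors[name]) < 0) weak.push({ name, spec, where: `${path}${name}` });
    }
  };
  walk(pkg.overrides, "");
  return weak;
}

// Constructed sample lockfile (versions other than lodash/undici are made up).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.18.1",
      resolved: "https://npm-registry-proxy.pipedrive.tools/lodash/-/lodash-4.18.1.tgz" },
    "node_modules/undici": { version: "6.25.0" },
    "node_modules/@vercel/node": { version: "0.0.0" },
    // stale nested copy like the one this PR removes from remix-cars-service
    "node_modules/@vercel/node/node_modules/undici": { version: "5.29.0" },
  },
  // v1-style section, as carried by older lockfiles
  dependencies: {
    "some-tool": {
      version: "1.0.0",
      requires: { lodash: "^4.17.21" },
      dependencies: { lodash: { version: "4.17.21" } },
    },
  },
};

// Constructed sample package.json mirroring the override shape in this PR.
const SAMPLE_PKG = {
  overrides: {
    lodash: "^4.18.0",
    "@vercel/node": { "path-to-regexp": "^6.3.0", undici: "^6.24.0" },
  },
};
```

On real files, pass `JSON.parse(fs.readFileSync("apps/todo/package-lock.json", "utf8"))` and the corresponding package.json; run it once per app directory, since each app resolves its dependencies independently. On the samples above it reports the nested undici 5.29.0 and the nested lodash 4.17.21 as below floor, and flags both overrides, because `^4.18.0` and `^6.24.0` each admit a version below the named fix.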