Co-authored-by: Ilya Daraseliya <ilya.daraseliya@klarna.com>
…t browser is a Chromium-based browser
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.15.4 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [axios](https://github.com/axios/axios) from 1.3.6 to 1.6.1.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.3.6...v1.6.1)

---
updated-dependencies:
- dependency-name: axios
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…rmost, Notion, Postman, Rambox, Rocket.Chat, Teams, TikTok Lite, VS Code
…ail, SparkDesktop, Zimbra, ZohoMail-Desktop
…hBot, Claude-User, Coveobot, CriteoBot
…e, DeepSeekBot, DuckDuckGo-Favicons-Bot, Elastic, Zoombot
…ini-Deep-Research, kakaotalk-scrap, TikTokSpider
…n-bot, vercel-screenshot-bot, vercelflags, verceltracing
…rawlAgent, HuggingFace-Bot, Kangaroo Bot, PanguBot, Replicate-Bot, RunPod-Bot, Together-Bot, xAI-Bot
This pull request addresses security vulnerabilities in the `ua-parser-js` dependency, which is currently pinned to version 0.7.33 in this repository. According to Snyk's security advisory, this version is subject to known security vulnerabilities that could impact applications using this library.

Impact on Amplitude Platform

This outdated dependency affects upstream libraries such as `@amplitude/experiment-parser-js`, which is used to provide feature flagging functionality for frontend projects on the Amplitude platform. As an Amplitude customer, this security vulnerability directly impacts our ability to safely use Amplitude's feature flagging capabilities in our production applications.

Proposed Solution

This PR updates the `ua-parser-js` dependency from version 0.7.33 to 2.0.4, which includes:

Why This Matters

As an Amplitude customer, we rely on your platform's libraries for critical functionality like feature flagging. Maintaining our own fork of your libraries creates additional maintenance burden and potential compatibility issues. By updating this dependency in the upstream repository, you'll be helping all your customers maintain secure and up-to-date implementations.

Testing

The update has been tested to ensure compatibility with existing functionality while providing the security improvements needed.

We would greatly appreciate if Amplitude could review and merge this PR to help maintain the security and reliability of your platform for all customers.
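Added example (not part of this PR or of Amplitude's code): a lockfile audit that reports every installed copy of ua-parser-js still below the 2.0.4 the PR moves to, together with the dependents that pull it in, so a downstream consumer can confirm whether the pinned version survives transitively. The sample package-lock.json contents, including the version given for @amplitude/experiment-parser-js, are constructed for illustration.

```javascript
// Audit a package-lock.json (lockfileVersion 2 or 3) for installed copies of a
// package below a fixed version, and report which dependents declare it.
const VULN_PKG = 'ua-parser-js';   // package named in the PR
const FIXED_VERSION = '2.0.4';     // version the PR updates to

// Compare dotted numeric versions (pre-release suffix after '-' is ignored).
// Returns <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile "packages" keys look like "node_modules/a/node_modules/b"; the
// package name is the segment after the last "node_modules/". The "" key is
// the root project, which may itself pin the package (as this repository does).
function packageName(lockPath) {
  return lockPath.split('node_modules/').pop();
}

function findVulnerableCopies(lockfile, pkg = VULN_PKG, fixed = FIXED_VERSION) {
  const packages = lockfile.packages || {};
  const findings = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (packageName(lockPath) !== pkg || !entry.version) continue;
    if (compareVersions(entry.version, fixed) >= 0) continue;   // already fixed
    // Every entry (root included) whose declared dependencies mention the package.
    const dependents = Object.entries(packages)
      .filter(([, e]) => e.dependencies && pkg in e.dependencies)
      .map(([p]) => packageName(p) || '(root package)');
    findings.push({ path: lockPath, version: entry.version, dependents });
  }
  return findings;
}

// Constructed sample lockfile: the root pins 0.7.33 and an Amplitude parser
// (version below is made up) also depends on it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'ua-parser-js': '0.7.33', '@amplitude/experiment-parser-js': '1.0.0' } },
    'node_modules/ua-parser-js': { version: '0.7.33' },
    'node_modules/@amplitude/experiment-parser-js': { version: '1.0.0', dependencies: { 'ua-parser-js': '^0.7.33' } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findVulnerableCopies(SAMPLE_LOCK), null, 2));
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed file; an empty result means no installed copy is below 2.0.4.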