
Fix: high severity Dependabot vulnerabilities #752

Draft
Copilot wants to merge 5 commits into dev from
copilot/fix-high-severity-vulnerabilities

Conversation

Contributor

Copilot AI commented Mar 3, 2026

Addresses all open high severity Dependabot alerts across the Python and JavaScript packages in both content-gen and archive-doc-gen.

Changes

  • archive-doc-gen/src/requirements.txt: Bump aiohttp 3.13.2 → 3.13.3 (fixes CVE-2025-69223–69230)
  • content-gen/src/app/frontend/package-lock.json: npm audit fix — resolves rollup < 4.59.0 (GHSA-mw96-cpmx-2vgc, arbitrary file write) and minimatch ReDoS (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74)
  • archive-doc-gen/src/frontend/package.json + lock: npm audit fix for rollup; adds overrides to pin minimatch ≥ 9.0.7, avoiding a breaking @typescript-eslint v6→v8 major bump:
    "overrides": {
      "minimatch": "^9.0.7"
    }

Moderate severity issues (prismjs via react-syntax-highlighter, undici, lodash) are out of scope per the problem statement.



Co-authored-by: Ayaz-Microsoft <234034413+Ayaz-Microsoft@users.noreply.github.com>
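A reviewer of a dependency-bump PR like this one usually wants to confirm that no nested copy of the affected packages survived the `npm audit fix` and the `overrides` pin, since lockfiles routinely carry several resolved versions of the same package. The script below is an added example and is not part of this PR or either project's code base. It walks the `packages` map of a lockfile v2/v3 `package-lock.json` and the exact pins of a `requirements.txt`, reporting every resolved version below a floor. The floors are taken from the PR description (rollup ≥ 4.59.0, minimatch ≥ 9.0.7, aiohttp ≥ 3.13.3) and are an assumption about what "fixed" means here; the advisory-specific affected ranges for the listed GHSAs are not on this page, so adjust the policy to the advisories you are tracking. The sample lockfile and requirements text are constructed for the demonstration.

```javascript
// Added verification script (not part of the PR): report every resolved copy
// of a package that is still below the floor the PR description implies.
//
// Assumed floors, taken from the PR description: rollup >= 4.59.0,
// minimatch >= 9.0.7 (the override pin), aiohttp >= 3.13.3. The actual
// advisory ranges may differ; edit these maps to match the advisories.
const NPM_FLOORS = { rollup: "4.59.0", minimatch: "9.0.7" };
const PYPI_FLOORS = { aiohttp: "3.13.3" };

function parseVersion(v) {
  // Drop build metadata and prerelease tag; compare only major.minor.patch.
  const core = v.split("+")[0].split("-")[0];
  const parts = core.split(".").map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function packageNameFromLockPath(lockPath) {
  // "node_modules/some-plugin/node_modules/minimatch" -> "minimatch"
  // "node_modules/@scope/name"                        -> "@scope/name"
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function findVulnerableLockEntries(lock, floors = NPM_FLOORS) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromLockPath(lockPath);
    const floor = floors[name];
    if (!floor || !entry.version) continue;
    if (compareVersions(entry.version, floor) < 0) {
      findings.push({ path: lockPath, name, version: entry.version, floor });
    }
  }
  return findings;
}

function findVulnerablePins(requirementsText, floors = PYPI_FLOORS) {
  const findings = [];
  for (const raw of requirementsText.split("\n")) {
    const line = raw.split("#")[0].trim(); // strip trailing comments
    const m = /^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.+-]*)$/.exec(line);
    if (!m) continue; // only exact "==" pins are checked here
    const [, name, version] = m;
    const floor = floors[name.toLowerCase()];
    if (floor && compareVersions(version, floor) < 0) {
      findings.push({ name, version, floor });
    }
  }
  return findings;
}

// Constructed sample lockfile: fixed top-level copies plus a nested,
// still-vulnerable minimatch under a hypothetical plugin package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend", version: "0.0.0" },
    "node_modules/minimatch": { version: "9.0.7" },
    "node_modules/rollup": { version: "4.59.0" },
    "node_modules/some-linter-plugin/node_modules/minimatch": { version: "3.0.4" },
  },
};
// Constructed sample requirements.txt with one pin below the floor.
const SAMPLE_REQUIREMENTS = "aiohttp==3.13.2\nrequests==2.32.3  # unrelated pin\n";

console.log("npm findings:", JSON.stringify(findVulnerableLockEntries(SAMPLE_LOCK)));
console.log("pypi findings:", JSON.stringify(findVulnerablePins(SAMPLE_REQUIREMENTS)));
```

To run it against a real checkout, replace the constructed samples with `JSON.parse(fs.readFileSync("package-lock.json"))` and `fs.readFileSync("requirements.txt", "utf8")`; a non-empty findings list means an `overrides` pin or audit fix did not reach every nested copy.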
Copilot AI changed the title from "[WIP] Fix high severity vulnerabilities from dependabot report" to "Fix high severity Dependabot vulnerabilities: aiohttp, minimatch, rollup" on Mar 3, 2026
Ayaz-Microsoft changed the base branch from main to dev on March 3, 2026 09:43
Ayaz-Microsoft changed the title from "Fix high severity Dependabot vulnerabilities: aiohttp, minimatch, rollup" to "Fix: high severity Dependabot vulnerabilities" on Mar 3, 2026

4 participants