Update packages from dependabot alerts #1051
Conversation
LGTM — straightforward dependency version bumps for dependabot security alerts, no source code changes.
Overview
This PR updates four package files (package.json, package-lock.json, scripts/package.json, scripts/package-lock.json) to address dependabot security alerts. The direct dependency changes are:
js-yaml: ^4.1.0 → ^4.1.1 (patch, devDependency)
speccy: ^0.8.7 → ^0.11.0 (minor, devDependency)
axios: ^1.7.2 → ^1.13.2 (minor, scripts dependency)
form-data: ^4.0.0 → ^4.0.5 (patch, scripts dependency)
The lockfile reflects numerous transitive dependency updates including security-relevant packages like express, body-parser, dompurify, minimatch, ajv, and webpack.
Security risks
This PR reduces security risk by updating packages flagged by dependabot. No new security concerns are introduced — all changes are version bumps to well-known packages from the npm registry with valid integrity hashes.
Level of scrutiny
This is a low-risk, mechanical change. No application logic, configuration, or source code is modified. The only files touched are dependency manifests and lockfiles. The speccy jump from 0.8.7 to 0.11.0 is the largest version change but it is a dev-only tool used for OpenAPI spec resolution.
Other factors
No bugs were found by the automated bug hunting system. There are no prior reviewer comments or outstanding discussions. The PR title and content clearly indicate this is a dependabot-driven update.
@luke-hagar-sp @tyler-mairose-sp why is slinky failing?
It was mid-migration from a package released by my own personal GitHub account to an official SailPoint repo, so it was more acceptable to use internally.
I will get that finished up and make sure it's migrated over and fixed.
No description provided.