mirror of
https://github.com/pchuan98/codex.git
synced 2026-07-01 00:31:56 +08:00
[codex] Fix high severity dependency alerts (#18167)
## Summary

- Pin vulnerable npm dependencies through the existing root `resolutions` mechanism so the lockfile moves only to patched versions.
- Refresh `pnpm-lock.yaml` for `@modelcontextprotocol/sdk`, `handlebars`, `path-to-regexp`, `picomatch`, `minimatch`, `flatted`, `rollup`, and `glob`.
- Bump `quinn-proto` from `0.11.13` to `0.11.14` and refresh `MODULE.bazel.lock`.

## Testing

- `corepack pnpm --store-dir .pnpm-store install --frozen-lockfile --ignore-scripts`
- `corepack pnpm audit --audit-level high` (passes; remaining advisories are low/moderate)
- `corepack pnpm -r --filter ./sdk/typescript run build`
- `corepack pnpm exec eslint 'src/**/*.ts' 'tests/**/*.ts'`
- `cargo check --locked`
- `cargo build -p codex-cli`
- `bazel --output_user_root=/tmp/bazel-codex-dependabot --ignore_all_rc_files mod deps --lockfile_mode=error`
- `just fmt`

Note: `corepack pnpm -r --filter ./sdk/typescript run test` was also attempted after building `codex`; it is blocked on this workstation by host-managed Codex MDM/auth state (`approval_policy` restrictions and ChatGPT/API-key mismatch), not by this dependency change.
committed by GitHub (Unverified)
parent 4676cb5ff8
commit fe04d75e0f
@@ -11,8 +11,18 @@
"prettier": "^3.5.3"
},
"resolutions": {
"@modelcontextprotocol/sdk": "1.26.0",
"braces": "^3.0.3",
"flatted": "3.4.2",
"glob@10.4.5": "10.5.0",
"handlebars": "4.7.9",
"micromatch": "^4.0.8",
"minimatch@3.1.2": "3.1.4",
"minimatch@9.0.5": "9.0.7",
"path-to-regexp": "8.4.0",
"picomatch@2.3.1": "2.3.2",
"picomatch@4.0.3": "4.0.4",
"rollup": "4.59.0",
"semver": "^7.7.1"
},
"overrides": {
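Review bot: the version-keyed selectors in the `resolutions` block (`"glob@10.4.5": "10.5.0"`, `"minimatch@3.1.2": "3.1.4"`, `"picomatch@2.3.1": "2.3.2"` and their siblings) only rewrite the exact installed version named on the left-hand side, so a second copy of the same package at any other version in the tree is not covered, and once a transitive dependency bumps past the matched version the override silently stops applying while still reading as if the package were pinned. If the intent is "no version older than the patched one anywhere in the tree", a range selector on the left (e.g. matching the whole major) with the patched version on the right expresses that; otherwise the commit message should state that the exact-version keys are deliberate so the next audit pass does not have to rediscover why they are there. Separately, the hunk is cut off at `"overrides": {`, so the relationship between the `resolutions` entries and whatever `overrides` already contains cannot be checked from this view; if both sections name the same packages, note which one pnpm is expected to honour so they do not drift apart.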