Verification
All tests pass (3210 passing, 1 pre-existing DNS flake unrelated to these changes)
This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.
Protected files
package-lock.json
package.json
The push was rejected because GitHub Actions does not have the workflows permission to push these changes and is never allowed to make such changes, or because the other authorization being used does not have this permission.
Create the pull request manually
# Download the patch from the workflow run
gh run download 28222853470 -n agent -D /tmp/agent-28222853470
# Create a new branch
git checkout -b deps/safe-updates-2026-06-26-2a5c817aa8283c3c main
# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-28222853470/aw-deps-safe-updates-2026-06-26.patch
# Push the branch and create the pull request
git push origin deps/safe-updates-2026-06-26-2a5c817aa8283c3c
gh pr create --title '[Deps] Safe dependency updates (2026-06-26)' --base main --head deps/safe-updates-2026-06-26-2a5c817aa8283c3c --repo github/gh-aw-firewall
Automated Safe Dependency Updates
This PR contains safe patch/minor-level dependency updates that have been verified to:
Security Fixes Included
js-yaml ^4.1.1 → ^4.2.0 (Quadratic-complexity DoS via merge key aliases)
markdown-it (via markdownlint-cli2): markdownlint-cli2 ^0.21.0 → ^0.22.1 (Quadratic-complexity DoS in smartquotes)
@babel/core ^7.29.0 → ^7.29.7 (Arbitrary File Read via sourceMappingURL comment)
Updated Dependencies
js-yaml ^4.1.1 → ^4.2.0
markdownlint-cli2 ^0.21.0 → ^0.22.1
@babel/core ^7.29.0 → ^7.29.7
@babel/preset-env ^7.29.0 → ^7.29.7
@commitlint/cli ^20.4.1 → ^20.5.3
@commitlint/config-conventional ^20.4.1 → ^20.5.3
@eslint/compat ^2.0.5 → ^2.1.0
@eslint/js ^10.0.0 → ^10.0.1
@types/js-yaml ^4.0.5 → ^4.0.9
@types/node ^25.6.0 → ^25.9.4
ajv ^8.18.0 → ^8.20.0
commander ^12.0.0 → ^12.1.0
eslint ^10.2.1 → ^10.5.0
glob ^13.0.1 → ^13.0.6
globals ^17.5.0 → ^17.7.0
jest ^30.2.0 → ^30.4.2
ts-jest ^29.4.9 → ^29.4.11
typescript ^5.0.0 → ^5.9.3
typescript-eslint ^8.58.2 → ^8.62.0
Skipped (major version changes / breaking)
chalk 4.x → 5.x (ESM-only, requires code changes)
commander skipped beyond 12.x (major breaking changes)
execa 5.x → 9.x (major API changes)
typescript kept at 5.x (6.x breaking changes)
eslint-plugin-security 3.x → 4.x (potential rule changes)
Remaining Moderate Vulnerabilities (not fixed in this PR)
19 moderate vulnerabilities remain in deep transitive dev-tool dependencies (Jest/Babel toolchain). These require major version upgrades with breaking changes and only affect the development toolchain, not the runtime firewall. They will be tracked separately.
Verification
npm audit shows: 0 critical, 0 high, 0 low (down from 1 low)
Generated by Dependency Security Monitor Workflow