fix(deps): clear open Dependabot alerts (Go binary + docs); migrate docs to Yarn 4#518
Merged
Conversation
Address open Dependabot alerts affecting the compiled binary: - golang.org/x/net 0.52.0 -> 0.56.0 (GHSA-5cv4-jp36-h3mw, HTML parser DoS) - github.com/ethereum/go-ethereum 1.16.9 -> 1.17.4 (indirect) - github.com/opencontainers/runc 1.2.3 -> 1.3.6 (indirect; not linked into the binary, transitive build/test dep) Also refreshes co-resolved modules (grpc, gjson, aws-sdk, x/crypto/sys/ text/term) and pins shannon-sdk to 4b210e0d (adds SignerContext ring caching; retains SignWithRing so signer.go compiles unchanged). portal-db TypeScript SDK: lockfile-only bump of js-yaml + minimatch clears all 3 npm alerts there (3 -> 0). Docusaurus transitive alerts handled separately. go build ./... and go test ./... -short both pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The site deploys to https://pokt-network.github.io/path/ (project Pages, no custom domain / CNAME configured), but the config declared url=https://grove.city and baseUrl="/". With baseUrl "/", every asset was emitted as /assets/... which resolves to the domain root on github.io and 404s -> the site rendered unstyled/broken. It has been misconfigured since the initial docs setup. Point the config at the actual deploy target: - url: https://pokt-network.github.io - baseUrl: /path/ Verified with a full `yarn build`: emitted HTML now references /path/assets/... which returns 200 at the live URL. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Resolve all outstanding Dependabot alerts on docusaurus/yarn.lock (1 critical, 3 high, plus mediums/lows) via a resolutions block, and migrate the docs workspace from Yarn Classic (v1) to Yarn 4 (Berry) so the lockfile can carry the pinned transitive versions deterministically. Alerts cleared (transitive, docs build tooling only — not in the production gateway binary): - shell-quote 1.8.3 -> 1.9.0 (CRITICAL, GHSA-w7jw-789q-3m8p) - ws <8.21 -> 8.21.0 (HIGH, GHSA-96hv-2xvq-fx4p) - undici 6.19.5 -> 6.27.0 (HIGH, GHSA-vxpw-j846-p89q) - qs, joi, launch-editor, serialize-javascript, http-proxy-middleware, dompurify, webpack-dev-server, uuid, js-yaml (4.1.0 -> 4.3.0; 3.x consumer gray-matter lands on patched 3.15.0) Yarn 4 migration: - package.json: add packageManager + resolutions - .yarnrc.yml: nodeLinker: node-modules (Yarn 4 defaults to PnP, which Docusaurus does not support) - yarn.lock converted to Berry format (__metadata v8) - .gitignore: ignore .yarn/* and .pnp.* - CI (upload-pages-artifact.yml): `corepack enable` before setup-node in both jobs — the runner's bundled Yarn is Classic and cannot read a Berry lockfile. js-yaml is intentionally NOT globally forced to 4.x: gray-matter (a Docusaurus core dep) calls the removed js-yaml.safeLoad and requires the 3.x line, which resolves to the patched 3.15.0. Verified: `yarn install` + `yarn build` succeed; static site generates. Residual: @ai-sdk/provider-utils (low) has no patched release upstream. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The misspell check flagged 4 "optimise" (British spelling) hits inside docusaurus/yarn.lock — third-party dependency metadata strings we don't control and shouldn't spell-check. Exclude yarn.lock / package-lock.json. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
oten91
added a commit
that referenced
this pull request
Jul 7, 2026
## Summary Follow-up to #518. That PR only pinned the ~13 packages visible on the **first page** of the Dependabot API (the call was unpaginated, 30/page). A full paginated scan showed **48 open alerts**, all in `docusaurus/yarn.lock` — 0 critical, docs build tooling only, **not in the production gateway binary** (go.mod and portal-db are clean). This clears the rest via `resolutions`. ## Approach Multi-major packages (several majors coexist in the tree) use **descriptor-scoped resolution keys** so each major is bumped to its own patched line — a global override would force older-major consumers across a major boundary and break them: | package | fix | |---------|-----| | glob | 10.x → 10.5.0 (7.x untouched, not in vuln range) | | minimatch | 3.x/5.x/9.x → 3.1.4 / 5.1.8 / 9.0.7 | | ajv | 6.x/8.x → 6.14.0 / 8.18.0 | | brace-expansion | 1.x/2.x → 1.1.13 / 2.0.3 | | picomatch | 2.x → 2.3.2 (4.x safe) | | mdast-util-to-hast | 13.x → 13.2.1 (12.x safe) | | mermaid | 11.x → 11.15.0 | Single-major globals: `lodash`, `lodash-es`, `immutable`, `svgo`, `postcss`, `fast-uri`, `follow-redirects`, `diff`, `@babel/plugin-transform-modules-systemjs`, `yaml`. ## Known residuals (all docs-only, documented in the commit) - **mermaid 9.4.3 (HIGH)** — pulled by `remark-mermaid-plugin@1.0.2`, imported in `src/components/RemoteMarkdown.jsx`. The plugin is abandoned (last publish 2022, pinned to mermaid `^9.1.5`); forcing mermaid 10/11 under it risks breaking runtime diagram rendering (mermaid 10 = ESM + API change). **Proper fix = rework `RemoteMarkdown` to drop the dead plugin** — a separate, feature-level change. Low real exploitability: client-side, author-controlled `src`. - **webpack (LOW)** — the patched line (≥5.104) breaks docusaurus 3.9.1's ProgressPlugin schema. Pinned to the tested `5.99.9`. Clearing it needs a docusaurus bump. - **@ai-sdk/provider-utils (LOW)** — no upstream patch published. ## Verification - `yarn install` + `yarn build` succeed; static site generates - Every fixed package confirmed resolving to ≥ its patched version in the lockfile Net: 48 open → 3 residual (1 high needing a component rework, 2 low with no clean fix). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Clears the open Dependabot alerts across the two affected manifests and migrates the docs workspace to Yarn 4 so its lockfile can carry pinned transitive versions deterministically. Rebased on
main(picks up #517's ring-go hash-cache signing path).Three commits:
fix(deps)— Go modules (compiled gateway binary)golang.org/x/net0.55.0 → 0.56.0 (GHSA-5cv4-jp36-h3mw, HTML parser DoS)github.com/opencontainers/runc1.2.3 → 1.3.6 (indirect build/test dep; not linked into the binary)go-ethereumalready at 1.17.4 onmainmain's perf(signing): ring-go hash-cache off-chain path + bounded per-session caches #517 versions — the security bumps are re-applied on top.fix(docs)— GitHub Pages url/baseUrl so assets load.fix(deps)— docusaurus npm alerts + Yarn 4 migrationClears 1 critical + 3 high + mediums/lows on
docusaurus/yarn.lock(transitive docs-build tooling only — not in the production binary):shell-quote1.8.3 → 1.9.0 (CRITICAL)ws<8.21 → 8.21.0 (HIGH)undici6.19.5 → 6.27.0 (HIGH)gray-matterlands on patched 3.15.0)Yarn 4 migration (docs only)
The docs lockfile was Yarn Classic v1, which could not deterministically pin the transitive versions above. Migrated to Yarn 4 (Berry):
package.json:packageManager: yarn@4.13.0+resolutions.yarnrc.yml:nodeLinker: node-modules(Yarn 4 defaults to PnP, which Docusaurus does not support)yarn.lockconverted to Berry format (__metadatav8) — this is the large diff.gitignore: ignore.yarn/*and.pnp.*upload-pages-artifact.yml):corepack enablebeforesetup-nodein both jobs — the runner's bundled Yarn is Classic and cannot read a Berry lockfile. Required, or the docs deploy breaks.js-yamlis intentionally NOT globally forced to 4.x:gray-matter(a Docusaurus core dep) calls the removedjs-yaml.safeLoadand requires the 3.x line.Verification
go build ./...passesyarn install+yarn buildsucceed; static site generates ([SUCCESS] Generated static files)Residual
@ai-sdk/provider-utils(low) — no patched release published upstream.SECURITY_AUDIT.mdfindings (C1–C7 etc.) are not addressed here — this PR is dependency alerts only.🤖 Generated with Claude Code