Skip to content

Fix Dependabot security alerts: aiohttp, Pygments, esbuild, ws, js-yaml, @babel/core, flatted, react-router-dom#4951

Open
ChrisChapman-gh with Copilot wants to merge 5 commits into
mainfrom
copilot/update-dependencies-aiohttp
Open

Fix Dependabot security alerts: aiohttp, Pygments, esbuild, ws, js-yaml, @babel/core, flatted, react-router-dom#4951
ChrisChapman-gh with Copilot wants to merge 5 commits into
mainfrom
copilot/update-dependencies-aiohttp

Conversation

Copilot AI commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Multiple packages flagged by Dependabot with high/moderate severity vulnerabilities across Python and npm ecosystems.

What is being addressed

Security vulnerabilities in the following packages:

How is this addressed

Python (api_app/requirements.txt, resource_processor/vmss_porter/requirements.txt, cli/requirements.txt, cli/setup.py):

  • aiohttp: 3.13.4 → 3.14.1
  • Pygments: 2.19.2 → 2.20.0

npm (ui/app/package.json):

  • vite: 7.3.5 → 7.3.6 — required to allow esbuild 0.28.x
  • esbuild: forced to 0.28.1 via overrides (vite still resolves 0.27.x without the override)
  • vitest / @vitest/coverage-v8 / @vitest/ui: 4.1.0 → 4.1.10 — resolves nested flatted ≤3.4.1
  • react-router-dom: 6.30.3 → 6.30.4
  • ws, js-yaml, @babel/core — resolved via npm audit fix

npm audit now reports 0 vulnerabilities.

  • Updated CHANGELOG.md

Copilot AI linked an issue Jul 10, 2026 that may be closed by this pull request
…, js-yaml, @babel/core, flatted, react-router-dom
Copilot AI changed the title [WIP] Update aiohttp to version 3.14.1 and other packages Fix Dependabot security alerts: aiohttp, Pygments, esbuild, ws, js-yaml, @babel/core, flatted, react-router-dom Jul 10, 2026
Copilot AI requested a review from ChrisChapman-gh July 10, 2026 08:50
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown

Unit Test Results

919 tests   919 ✅  36s ⏱️
 28 suites    0 💤
  2 files      0 ❌

Results for commit 49cc403.

♻️ This comment has been updated with latest results.

…count scenario

Fixes warning:
Warning: A vi.mock("@azure/msal-react") call in "/workspaces/AzureTRE/ui/app/src/components/shared/UserMenu.test.tsx" is not at the top level of the module. Although it appears nested, it will be hoisted and executed before any tests run. Move it to the top level to reflect its actual execution order. This will become an error in a future version.
See: https://vitest.dev/guide/mocking/modules#how-it-works

which causes "Test: UI" (build_docker_images) to fail
@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator

/test-extended

@github-actions

Copy link
Copy Markdown

🤖 pr-bot 🤖

⚠️ When using /test-extended on external PRs, the SHA of the checked commit must be specified

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator

/test-extended 49cc403

@github-actions

Copy link
Copy Markdown

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/29093618760 (with refid 7fa25d64)

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh ChrisChapman-gh left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - extended tests done.

@ChrisChapman-gh ChrisChapman-gh marked this pull request as ready for review July 11, 2026 13:13
@ChrisChapman-gh ChrisChapman-gh requested a review from a team as a code owner July 11, 2026 13:13
Copilot AI review requested due to automatic review settings July 11, 2026 13:13

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Python and npm dependencies across Azure TRE (API, resource processor, CLI, and UI) to remediate multiple Dependabot-reported security vulnerabilities, and aligns a UI unit test to better handle MSAL “no account” scenarios.

Changes:

  • Bump aiohttp and Pygments in Python dependency sets (API, resource processor, CLI).
  • Update UI dependencies (vite, vitest, react-router-dom) and add an npm overrides entry to force patched esbuild.
  • Simplify the UserMenu unit test MSAL mocking to support account/no-account cases without re-mocking modules.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
ui/app/src/components/shared/UserMenu.test.tsx Adjusts MSAL mocks to support toggling between account/no-account scenarios per test.
ui/app/package.json Updates UI deps and adds overrides to force patched esbuild.
ui/app/package-lock.json Locks updated transitive dependency graph after npm audit fix / upgrades.
resource_processor/vmss_porter/requirements.txt Bumps aiohttp to the patched version for the resource processor.
resource_processor/_version.py Patch version bump for resource processor release tracking.
cli/setup.py Bumps CLI runtime deps (pygments, aiohttp) in install_requires.
cli/requirements.txt Bumps CLI deps to match the patched versions.
CHANGELOG.md Documents the dependency/security updates in Unreleased enhancements.
api_app/requirements.txt Bumps aiohttp to the patched version for the API.
api_app/_version.py Patch version bump for API release tracking.
Files not reviewed (1)
  • ui/app/package-lock.json: Generated file

Comment thread cli/setup.py

@marrobi marrobi left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, see copilot comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

dependabot: update packages

4 participants