Fix Dependabot security alerts: aiohttp, Pygments, esbuild, ws, js-yaml, @babel/core, flatted, react-router-dom#4951
Fix Dependabot security alerts: aiohttp, Pygments, esbuild, ws, js-yaml, @babel/core, flatted, react-router-dom#4951ChrisChapman-gh with Copilot wants to merge 5 commits into
Conversation
…, js-yaml, @babel/core, flatted, react-router-dom
Unit Test Results919 tests 919 ✅ 36s ⏱️ Results for commit 49cc403. ♻️ This comment has been updated with latest results. |
…count scenario
Fixes warning:
Warning: A vi.mock("@azure/msal-react") call in "/workspaces/AzureTRE/ui/app/src/components/shared/UserMenu.test.tsx" is not at the top level of the module. Although it appears nested, it will be hoisted and executed before any tests run. Move it to the top level to reflect its actual execution order. This will become an error in a future version.
See: https://vitest.dev/guide/mocking/modules#how-it-works
which causes "Test: UI" (build_docker_images) to fail
|
/test-extended |
|
🤖 pr-bot 🤖
(in response to this comment from @ChrisChapman-gh) |
|
/test-extended 49cc403 |
|
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/29093618760 (with refid (in response to this comment from @ChrisChapman-gh) |
ChrisChapman-gh
left a comment
There was a problem hiding this comment.
LGTM - extended tests done.
There was a problem hiding this comment.
Pull request overview
This PR updates Python and npm dependencies across Azure TRE (API, resource processor, CLI, and UI) to remediate multiple Dependabot-reported security vulnerabilities, and aligns a UI unit test to better handle MSAL “no account” scenarios.
Changes:
- Bump
aiohttpandPygmentsin Python dependency sets (API, resource processor, CLI). - Update UI dependencies (
vite,vitest,react-router-dom) and add an npmoverridesentry to force patchedesbuild. - Simplify the
UserMenuunit test MSAL mocking to support account/no-account cases without re-mocking modules.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| ui/app/src/components/shared/UserMenu.test.tsx | Adjusts MSAL mocks to support toggling between account/no-account scenarios per test. |
| ui/app/package.json | Updates UI deps and adds overrides to force patched esbuild. |
| ui/app/package-lock.json | Locks updated transitive dependency graph after npm audit fix / upgrades. |
| resource_processor/vmss_porter/requirements.txt | Bumps aiohttp to the patched version for the resource processor. |
| resource_processor/_version.py | Patch version bump for resource processor release tracking. |
| cli/setup.py | Bumps CLI runtime deps (pygments, aiohttp) in install_requires. |
| cli/requirements.txt | Bumps CLI deps to match the patched versions. |
| CHANGELOG.md | Documents the dependency/security updates in Unreleased enhancements. |
| api_app/requirements.txt | Bumps aiohttp to the patched version for the API. |
| api_app/_version.py | Patch version bump for API release tracking. |
Files not reviewed (1)
- ui/app/package-lock.json: Generated file
Multiple packages flagged by Dependabot with high/moderate severity vulnerabilities across Python and npm ecosystems.
What is being addressed
Security vulnerabilities in the following packages:
aiohttp≤3.13.4 — used in API, resource processor, and CLIPygments≤2.19.2 — used in CLIesbuild0.27.3–0.28.0 — arbitrary file read on Windows (GHSA-g7r4-m6w7-qqqr)ws≤8.20.1 — memory exhaustion DoS (GHSA-96hv-2xvq-fx4p)js-yaml4.0.0–4.1.1 — DoS via merge key handling (GHSA-h67p-54hq-rp68)@babel/core≤7.29.0 — arbitrary file read via sourceMappingURL (GHSA-4x5r-pxfx-6jf8)flatted≤3.4.1 — prototype pollution (GHSA-rf6f-7fwh-wjgh)react-router6.7.0–6.30.3 — open redirect (GHSA-2j2x-hqr9-3h42)How is this addressed
Python (
api_app/requirements.txt,resource_processor/vmss_porter/requirements.txt,cli/requirements.txt,cli/setup.py):aiohttp: 3.13.4 → 3.14.1Pygments: 2.19.2 → 2.20.0npm (
ui/app/package.json):vite: 7.3.5 → 7.3.6 — required to allow esbuild 0.28.xesbuild: forced to 0.28.1 viaoverrides(vite still resolves 0.27.x without the override)vitest/@vitest/coverage-v8/@vitest/ui: 4.1.0 → 4.1.10 — resolves nestedflatted≤3.4.1react-router-dom: 6.30.3 → 6.30.4ws,js-yaml,@babel/core— resolved vianpm audit fixnpm auditnow reports 0 vulnerabilities.CHANGELOG.md