Chore/security OSV triage safe upgrades#95
Pull request overview
Updates backend and frontend dependencies to incorporate security/stability fixes and keep the project aligned with upstream patch releases.
Changes:
- Bumps Go toolchain image/tag and refreshes Go module dependencies (`pgx`, `quic-go`, etc.).
- Updates UI dependencies including `axios` and `vite`, with corresponding `package-lock.json` refresh.
- Pulls in various indirect dependency updates (e.g., `postcss`, `brace-expansion`, `follow-redirects`, `proxy-from-env`).
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| api/go.mod | Updates Go version directive and several indirect module versions. |
| api/go.sum | Updates module checksums to match refreshed dependencies. |
| api/Dockerfile | Bumps Go builder image patch version. |
| ui/package.json | Updates direct npm dependency versions (axios, vite). |
| ui/package-lock.json | Updates resolved npm dependency graph for the bumped packages. |
Files not reviewed (1)
- ui/package-lock.json: Language not supported
| module github.com/Devlaner/devlane/api | ||
|
|
||
| go 1.25.5 | ||
| go 1.25.9 |
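Review bot: raising the `go` directive from 1.25.5 to 1.25.9 sets 1.25.9 as the minimum Go version for everyone building or importing this module, not only for this repository's own build, so CI runners and developer machines need a toolchain at or above 1.25.9 (or `GOTOOLCHAIN` left at its default `auto` so the go command fetches one). That matches the api/Dockerfile builder image bump in the same PR; if the intent is only to pin the build toolchain while keeping the module's minimum on the 1.25 line, a separate `toolchain` directive expresses that without raising the requirement for consumers.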
The go directive in go.mod should be major.minor only (e.g., go 1.25). Using a patch version (1.25.9) is not valid syntax for the go directive and can break go mod/CI. If you need to pin the exact toolchain patch level, keep go 1.25 and add a toolchain go1.25.9 directive instead.
| go 1.25.9 | |
| go 1.25 | |
| toolchain go1.25.9 |
Pull request overview
Copilot reviewed 3 out of 5 changed files in this pull request and generated no new comments.
Files not reviewed (1)
- ui/package-lock.json: Language not supported
This pull request updates both backend and frontend dependencies to address security, compatibility, and stability. The backend (`api`) receives minor Go version and dependency upgrades, while the frontend (`ui`) updates several npm packages, including important libraries like `axios` and `vite`. These changes help ensure the project stays current with upstream improvements and security patches.

Backend (Go) dependency and environment updates:
- Bumps the Go version in `api/go.mod` and `api/Dockerfile` from 1.25.5/1.25-alpine to 1.25.9/1.25.9-alpine, ensuring the latest minor release is used. [1] [2]
- Updates `github.com/jackc/pgx/v5` (v5.6.0 → v5.9.2), `github.com/quic-go/qpack` (v0.5.1 → v0.6.0), and `github.com/quic-go/quic-go` (v0.54.0 → v0.57.0). [1] [2]

Frontend (npm) dependency updates:
- Bumps `axios` from `^1.13.5` to `^1.15.2` in both `ui/package.json` and `ui/package-lock.json`, including its dependencies `proxy-from-env` and `follow-redirects`, to address potential vulnerabilities and bugs. [1] [2] [3] [4] [5]
- Bumps `vite` from `^7.3.1` to `^7.3.2` for the build system, which may include bug fixes and performance improvements. [1] [2] [3]

Other npm dependency bumps:
- Updates `postcss` (8.5.6 → 8.5.12) and `brace-expansion` (multiple minor version bumps), which are indirect dependencies, to pull in upstream fixes and improvements. [1] [2] [3]