[security](deps-dev): bump ip-address from 10.1.0 to 10.2.0 in the npm_and_yarn group across 1 directory#56
Conversation
Bumps the npm_and_yarn group with 1 update in the / directory: [ip-address](https://github.com/beaugunderson/ip-address).

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Add a transitive npm override for basic-ftp so the Dependabot ip-address PR passes the high-severity npm audit gate. Validation: npm ci; npm audit --audit-level=high; npm run lint:types; npm run build; git diff --check. npm test was inconclusive locally after hanging beyond the CI runtime; the current GitHub Actions log for this head showed tests passed before npm audit failed. Pre-commit docs:lint is blocked by pre-existing markdownlint errors unrelated to this diff. Co-authored-by: Codex <noreply@openai.com>
Keep the aggregate check script on npm to match the GitHub Actions install path, and make the robot-mode search assertions deterministic by using a tiny data URL Atom feed instead of the live arXiv API. Validation: npm test; npm run check; npm run build; npm audit --audit-level=high; git diff --check. Local hooks remain blocked by pre-existing docs lint and pre-push docs-gate issues unrelated to this diff. Co-authored-by: Codex <noreply@openai.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6a0ba388fb
| const emptySearchFeedUrl = | ||
| "data:text/xml,%3Cfeed%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2FAtom%22%20xmlns%3Aopensearch%3D%22http%3A%2F%2Fa9.com%2F-%2Fspec%2Fopensearch%2F1.1%2F%22%3E%3Copensearch%3AtotalResults%3E0%3C%2Fopensearch%3AtotalResults%3E%3C%2Ffeed%3E"; |
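Review bot: a `data:` URL has no server to absorb a query string, and fetching it never exercises the HTTP client path (headers, redirects, timeouts) that the robot-mode search otherwise goes through, so the test stops covering the code it was meant to isolate. Consider serving this same Atom document from a local `http.createServer` listener bound to 127.0.0.1 and passing its address through the CLI's API base URL flag, so the appended `?search_query=...` is consumed by the listener and the body the parser sees stays exactly the XML above.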
Replace invalid data URL test fixture
The new emptySearchFeedUrl fixture is a data: URL, but buildQuery() always appends ?${params} (src/arxiv/query.ts), so the executed URL becomes data:text/xml,...</feed>?search_query=.... For data: URLs that suffix is treated as payload bytes, which makes the response body non‑well‑formed XML (</feed>?search_query=...) and can flip these robot-mode tests from deterministic to parser-dependent failures. Use a fixture endpoint that tolerates query params (or encode a complete URL template) so the CLI always receives valid Atom XML.
| "vitest": "^4.1.2" | ||
| }, | ||
| "overrides": { | ||
| "basic-ftp": "^6.0.1", |
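Review bot: this `overrides` entry forces `basic-ftp` to `^6.0.1` for every dependent in the tree, so the PR should carry evidence that each transitive consumer accepts a 6.x major; after `npm ci`, run `npm ls basic-ftp` to see where it resolves and check package-lock.json for any dependent still declaring a 5.x range, and state in the PR body which advisory the override addresses so it can be dropped once the dependent chain moves to 6.x on its own.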
Remove forced major override of basic-ftp
This override pins basic-ftp to ^6.0.1, but the lockfile still shows get-uri depending on basic-ftp ^5.0.2; forcing a transitive major outside the consumer’s declared range bypasses semver compatibility and can break markdown-link-check paths that resolve FTP URLs during docs:check-links. This security update should either keep a compatible major (5.x) or upgrade the dependent package chain that natively supports 6.x.
Co-authored-by: Codex <noreply@openai.com>
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
Update the transitive fast-xml-builder lockfile entry so npm audit no longer reports the high-severity advisory blocking the Dependabot security PR. Co-authored-by: Codex <noreply@openai.com>
Use the documented CLI API base URL flag in spawned CLI tests so fetch and robot-mode cases do not depend on live arXiv availability. This keeps the Dependabot audit fix from surfacing unrelated network flake in CI. Co-authored-by: Codex <noreply@openai.com>
Resolve package and lockfile conflicts against main while preserving the security overrides required for a clean npm audit. Co-authored-by: Codex <noreply@openai.com>
Summary
Updates `ip-address` from 10.1.0 to 10.2.0 via Dependabot. This is a security dependency maintenance PR for the npm package set.
Checklist
Testing
- Analyze (javascript): passed in GitHub Actions
- Greptile Review: passed in GitHub Actions
- gitleaks: passed in GitHub Actions
- semgrep: passed in GitHub Actions
- Socket Security: Project Report: passed in GitHub checks
- Socket Security: Pull Request Alerts: passed in GitHub checks
- test: currently failing in GitHub Actions and remains under investigation
Review artifacts
- ip-address 10.1.0 to 10.2.0
Notes
No linked issue. This PR was opened by Dependabot for dependency maintenance.
The previous failing pr-template check was caused by the generated Dependabot body missing this repository's required PR body sections. The remaining test failure is separate and should be fixed from the exact GitHub Actions log.