pnpm dependency update 2026-07-03 #205

Merged: pviti merged 2 commits into main from chore/deps-update-202607031005 on Jul 3, 2026

@commercelayer-ci (Contributor)

Dependency update

Closes #204
Branch: chore/deps-update-202607031005
Based on stable: v6.9.3
Prerelease tag: v6.9.4-auto-deps-202607031006.0
Node.js: 20.x
pnpm: 10.x

Automated dependency update via pnpm. Review the dependency diff and validation output before merging.

Dependency update results

  • Check: success
  • Build: success
  • Test: failure
Test output

Semver bump log

package.json
  @biomejs/biome              ^2.4.12  →    ^2.5.2
  @commercelayer/cli-dev       ^3.1.1  →    ^3.1.5
  @commercelayer/sdk          ^6.57.0  →   ^6.58.0
  @oclif/plugin-autocomplete  ^3.2.45  →   ^3.2.53
  @oclif/plugin-help          ^6.2.44  →   ^6.2.53
  @oclif/plugin-not-found     ^3.2.80  →   ^3.2.88
  @oclif/plugin-plugins       ^5.4.61  →   ^5.4.81  [cooldown] 5.4.82
  @types/inquirer             ^8.2.12  →   ^8.2.13
  @types/node                 ^25.6.0  →   ^25.9.4
  oclif                       ^4.23.0  →  ^4.23.24
  prettier                     ^3.8.3  →    ^3.9.4
  semantic-release            ^25.0.3  →   ^25.0.5
  tsx                         ^4.21.0  →   ^4.22.4  [cooldown] 4.22.5

Audit log

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Serialize JavaScript is Vulnerable to RCE via          │
│                     │ RegExp.flags and Date.prototype.toISOString()          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-5c6j-r48x-rmvq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Serialize JavaScript has CPU Exhaustion Denial of      │
│                     │ Service via crafted array-like objects                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <7.0.5                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qj8w-gfj5-8c6v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
2 vulnerabilities found
Severity: 1 moderate | 1 high

Major updates log not updated

package.json
  @commercelayer/sdk      ^6.58.0  →   ^7.12.0
  @oclif/core             ^3.27.0  →  ^4.11.14
  @oclif/plugin-plugins   ^5.4.81  →   ^5.4.82
  @oclif/test             ^3.2.15  →   ^4.1.20
  @types/configstore       ^4.0.0  →    ^6.0.2
  @types/inquirer         ^8.2.13  →   ^9.0.10
  @types/node             ^25.9.4  →   ^26.1.0
  @types/update-notifier   ^5.1.0  →    ^6.0.8
  configstore              ^5.0.1  →    ^8.0.0
  inquirer                 ^8.2.7  →   ^14.0.2
  mocha                   ^10.8.2  →   ^11.7.6
  tsx                     ^4.22.4  →   ^4.22.5
  typescript               ^5.9.3  →    ^6.0.3

commercelayer-ci added the dependencies label (Pull requests that update a dependency file) Jul 3, 2026
commercelayer-ci self-assigned this Jul 3, 2026
pviti merged commit 1e9dc73 into main Jul 3, 2026
1 check passed
pviti (Member) commented Jul 3, 2026

🎉 This PR is included in version 6.9.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

commercelayer-ci deleted the chore/deps-update-202607031005 branch July 3, 2026 10:17
Labels

dependencies (Pull requests that update a dependency file), released on @latest

Development

Successfully merging this pull request may close these issues.

[VANTA] [VULNERABILITY] <MEDIUM> CVE-2026-45149, fix before 2026-07-17

2 participants