
build(deps): combine security updates for labextension dependencies#589

Closed
ederign wants to merge 3 commits into kubeflow:main from ederign:combined-security-updates

Conversation

@ederign
Member

@ederign ederign commented Feb 3, 2026

Summary

This PR combines three Dependabot security updates into a single PR to reduce CI overhead and simplify the merge process:

  • @isaacs/brace-expansion 5.0.0 → 5.0.1
  • lodash 4.17.21 → 4.17.23 (fixes prototype pollution vulnerability)
  • tar 7.5.2 → 7.5.7 (fixes hard link sanitization issue)

All are indirect dependencies in /labextension.

Why combine?

Each Dependabot PR triggers a full CI run. Combining them:

  1. Reduces CI resource usage
  2. Makes the git history cleaner
  3. Ensures all security updates land together

Closes

Closes #588
Closes #549
Closes #567
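The three bumps above are all indirect dependencies, so the thing a reviewer actually wants to confirm is that no stale copy of `lodash`, `tar` or `@isaacs/brace-expansion` survives anywhere in the lockfile tree, including nested `node_modules` copies pinned by another package. The following is an added example written for this page, not code from the PR or from the kubeflow project: it walks an npm `package-lock.json` (lockfileVersion 2 or 3, which is an assumption; the page does not say which lockfile format /labextension uses) and reports every resolved entry below the required version. The lockfile text, the `REQUIRED_MINIMUMS` map and the function names `findStaleEntries`, `compareVersions` and `packageNameFromPath` are all constructed for the example.

```javascript
// Added example (not part of the kubeflow PR): verify that every resolved copy of a
// dependency in an npm lockfile is at or above the version a security bump requires.

// Minimum versions taken from the PR description; the map itself is an assumption.
const REQUIRED_MINIMUMS = {
  "@isaacs/brace-expansion": "5.0.1",
  "lodash": "4.17.23",
  "tar": "7.5.7",
};

// Constructed lockfileVersion 3 excerpt, not /labextension's real lockfile. It contains a
// second, nested copy of lodash that a check of only the top-level entry would miss.
const CONSTRUCTED_LOCKFILE = JSON.stringify({
  name: "labextension",
  lockfileVersion: 3,
  packages: {
    "": { name: "labextension", version: "0.0.0" },
    "node_modules/@isaacs/brace-expansion": { version: "5.0.1" },
    "node_modules/lodash": { version: "4.17.23" },
    "node_modules/some-plugin": { version: "1.2.3" },
    "node_modules/some-plugin/node_modules/lodash": { version: "4.17.21" },
    "node_modules/tar": { version: "7.5.7" },
  },
});

// Package name from a lockfile path such as "node_modules/a/node_modules/@scope/b".
// Scoped names keep their "@scope/" prefix because only the last "node_modules/" is cut.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Numeric comparison of the dotted core of two semver strings ("1.2.3-rc1" -> [1,2,3]).
// Prerelease tags are ignored, which is sufficient for the release versions checked here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Returns every lockfile entry whose package is in `minimums` but resolves below the
// required version. An empty array means the bumps fully landed, nested copies included.
function findStaleEntries(lockfileText, minimums) {
  const lock = JSON.parse(lockfileText);
  if (!(lock.lockfileVersion >= 2) || !lock.packages) {
    throw new Error("expected an npm lockfileVersion >= 2 with a 'packages' map");
  }
  const stale = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minimums) || !entry.version) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      stale.push({ path: lockPath, name, found: entry.version, required: minimums[name] });
    }
  }
  return stale;
}

// Stand-alone run: reports the nested lodash copy still at 4.17.21.
for (const s of findStaleEntries(CONSTRUCTED_LOCKFILE, REQUIRED_MINIMUMS)) {
  console.log(`${s.path}: ${s.name}@${s.found} < required ${s.required}`);
}
```

Against a real checkout you would read `/labextension/package-lock.json` from disk instead of the constructed string; a non-empty result means Dependabot bumped one copy but another package in the tree still pins the vulnerable version, which is the case the "indirect" note in the summary should make a reviewer look for.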

dependabot bot added 3 commits February 3, 2026 15:53
Bumps @isaacs/brace-expansion from 5.0.0 to 5.0.1.

---
updated-dependencies:
- dependency-name: "@isaacs/brace-expansion"
  dependency-version: 5.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Eder Ignatowicz <ignatowicz@gmail.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Eder Ignatowicz <ignatowicz@gmail.com>
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.2 to 7.5.7.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.2...v7.5.7)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Eder Ignatowicz <ignatowicz@gmail.com>
@google-oss-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from ederign. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
