Skip to content

fix: update vulnerable dependencies#1802

Open
AhmadFaour9 wants to merge 2 commits into
CorentinTh:mainfrom
AhmadFaour9:fix/security-dependency-updates
Open

fix: update vulnerable dependencies#1802
AhmadFaour9 wants to merge 2 commits into
CorentinTh:mainfrom
AhmadFaour9:fix/security-dependency-updates

Conversation

@AhmadFaour9
Copy link
Copy Markdown

@AhmadFaour9 AhmadFaour9 commented May 21, 2026

Summary

Updates vulnerable dependencies reported in the existing security issue while keeping the change focused and low-risk.

Updated dependencies

  • crypto-js: 4.1.1 -> 4.2.0
  • dompurify: 3.0.6 -> 3.4.0
  • vue-i18n: 9.9.1 -> 9.14.5
  • @intlify/core-base/message-compiler/shared: 9.9.1 -> 9.14.5
  • yaml: 2.2.1 -> 2.8.3

Validation

  • pnpm install
  • pnpm audit
  • pnpm lint
  • pnpm test
  • pnpm build

Notes

This PR intentionally focuses only on dependency updates to make review easier and reduce regression risk.

pnpm audit still reports vulnerabilities outside the dependency scope of this PR. The targeted packages updated here are no longer reported by audit.

@AhmadFaour9
Copy link
Copy Markdown
Author

AhmadFaour9 commented May 21, 2026

The main CI passed successfully.

The required E2E jobs are failing before tests start, during:

pnpm exec playwright install --with-deps

The error seems related to Ubuntu 24.04 package availability on the GitHub runner:

  • libasound2 has no installation candidate
  • libffi7 cannot be located
  • libx264-163 cannot be located

Since this PR only updates pnpm-lock.yaml, I believe this is unrelated to the dependency updates here. Could you please rerun the required E2E checks, or let me know if you prefer a separate workflow compatibility fix?

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 21, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@AhmadFaour9
Copy link
Copy Markdown
Author

AhmadFaour9 commented May 21, 2026

I pinned the E2E workflow runner to ubuntu-22.04 because the current Playwright version fails during playwright install --with-deps on Ubuntu 24.04 due to unavailable packages (libasound2, libffi7, libx264-163).

No application code or tests were changed.

@sharevb
Copy link
Copy Markdown
Contributor

sharevb commented May 30, 2026

Hi @AhmadFaour9, if you are interested in an up to date version of it-tools, with many improvements, new tools, and bug fixes, as this repo is almost no more maintained, I made a fork here : https://github.com/sharevb/it-tools (https://sharevb-it-tools.vercel.app/ and docker images https://github.com/sharevb/it-tools/pkgs/container/it-tools)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AhmadFaour9 @sharevb