fix remaining Dependabot security alerts#2923
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🛡️ AI Review — Skeptic (security review)VERDICT: SAFE VERY HIGH account-age scrutiny, mitigated by repository admin permission; author/committer match, no Gittensor association; codex/process-dependabot-alerts → staging. Static review found the manifest and lockfile changes consistent with the stated dependency-security upgrades. No trusted AI-review instructions or GitHub workflow files were modified. FindingsNo findings. ConclusionThe dependency updates are narrowly scoped and show no malicious behavior or introduced security vulnerability. 🔍 AI Review — Auditor (domain review)VERDICT: 👍 Gittensor association UNKNOWN; author is a repository admin with established subtensor contributions, and the dependency-only diff received full domain scrutiny. The manifest overrides and lockfiles consistently select the stated patched releases. No runtime code or spec-version-controlled branch is affected. This PR is the better candidate than overlapping Dependabot PRs #2921 and #2922 because it consolidates both ecosystems, covers additional vulnerable packages, and documents broader validation. Recommend closing #2921 and #2922. Other lockfile overlaps are incidental to unrelated work. FindingsNo findings. ConclusionThe dependency remediation is coherent, narrowly scoped, and adequately validated. No blocking correctness, compatibility, or repository-policy issue was found. |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
Summary
svgo,minimatch,js-yaml,postcss,@babel/runtime, andprismjsto patched releasestracing-subscriberandrpasswordto patched Rust releasesWhy
Dependabot previously opened separate pull requests per dependency and accumulated duplicate or non-reachable alerts. This PR processes the remaining actionable alerts as one reviewed change. The constrained Hickory alert is handled separately as documented tolerable risk because its fixed major/minor line is blocked by the pinned Polkadot SDK dependency graph.
Validation
yarn install --immutableyarn turbo run build --filter=@raofoundation/bittensor-website(TypeScript and all 1,884 static pages)SKIP_WASM_BUILD=1 cargo check -p node-subtensor --lockedSKIP_WASM_BUILD=1 cargo test -p pallet-subtensor --no-run --lockedgit diff --checkThe unskipped local node check reached the runtime WASM build and stopped because the installed Apple clang has no
wasm32-unknown-unknownbackend; CI should perform that platform-specific build.