Skip to content

fix remaining Dependabot security alerts#2923

Draft
UnArbosFive wants to merge 1 commit into
stagingfrom
codex/process-dependabot-alerts
Draft

fix remaining Dependabot security alerts#2923
UnArbosFive wants to merge 1 commit into
stagingfrom
codex/process-dependabot-alerts

Conversation

@UnArbosFive

Copy link
Copy Markdown
Contributor

Summary

Why

Dependabot previously opened separate pull requests per dependency and accumulated duplicate or non-reachable alerts. This PR processes the remaining actionable alerts as one reviewed change. The constrained Hickory alert is handled separately as documented tolerable risk because its fixed major/minor line is blocked by the pinned Polkadot SDK dependency graph.

Validation

  • yarn install --immutable
  • yarn turbo run build --filter=@raofoundation/bittensor-website (TypeScript and all 1,884 static pages)
  • SKIP_WASM_BUILD=1 cargo check -p node-subtensor --locked
  • SKIP_WASM_BUILD=1 cargo test -p pallet-subtensor --no-run --locked
  • git diff --check
  • local Skeptic security review: SAFE

The unskipped local node check reached the runtime WASM build and stopped because the installed Apple clang has no wasm32-unknown-unknown backend; CI should perform that platform-specific build.

@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Ready Ready Preview, Comment Jul 15, 2026 7:48pm

Request Review

@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

VERY HIGH account-age scrutiny, mitigated by repository admin permission; author/committer match, no Gittensor association; codex/process-dependabot-alerts → staging.

Static review found the manifest and lockfile changes consistent with the stated dependency-security upgrades. No trusted AI-review instructions or GitHub workflow files were modified.

Findings

No findings.

Conclusion

The dependency updates are narrowly scoped and show no malicious behavior or introduced security vulnerability.


🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor association UNKNOWN; author is a repository admin with established subtensor contributions, and the dependency-only diff received full domain scrutiny.

The manifest overrides and lockfiles consistently select the stated patched releases. No runtime code or spec-version-controlled branch is affected.

This PR is the better candidate than overlapping Dependabot PRs #2921 and #2922 because it consolidates both ecosystems, covers additional vulnerable packages, and documents broader validation. Recommend closing #2921 and #2922. Other lockfile overlaps are incidental to unrelated work.

Findings

No findings.

Conclusion

The dependency remediation is coherent, narrowly scoped, and adequately validated. No blocking correctness, compatibility, or repository-policy issue was found.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant