#50680: chore: resolve dependabot security alerts
Merged
Created: Apr 4, 2026, 3:54:27 AM
Merged: Apr 4, 2026, 1:56:48 PM
7 comments
Target: main
Safe-only sweep of open Dependabot security alerts. All changes are lockfile-only (yarn up -R within existing semver ranges) — no package.json ranges were modified, no resolutions were added.
Resolved
| Package | Strategy | Version change |
|---|---|---|
| simple-git | yarn up -R | 3.16.0 → 3.33.0 |
| fast-xml-parser | yarn up -R | 5.2.5 / 5.5.6 → 5.5.9 |
| flatted | yarn up -R | 3.4.1 → 3.4.2 |
| glob (10.x) | yarn up -R | 10.4.5 → 10.5.0 |
| glob (11.x) | yarn up -R | 11.0.3 → 11.1.0 |
| minimatch (5.x) | yarn up -R | 5.1.6 → 5.1.9 |
| minimatch (8.x) | yarn up -R | 8.0.4 → 8.0.7 |
| minimatch (9.x) | yarn up -R | 9.0.5 → 9.0.9 |
| minimatch (10.x) | yarn up -R | 10.1.1 → 10.2.4 |
| picomatch (2.x) | yarn up -R | 2.0.7 / 2.2.2 / 2.3.1 → 2.3.2 |
| picomatch (4.x) | yarn up -R | 4.0.3 → 4.0.4 |
| tar (7.x) | yarn up -R | 7.5.1 → 7.5.13 |
| diff (4.x) | yarn up -R | 4.0.2 → 4.0.4 |
| diff (5.x) | yarn up -R | 5.2.0 → 5.2.2 |
| js-yaml (3.x) | yarn up -R | 3.13.1 → 3.14.2 |
| js-yaml (4.x, ^4.1.0 consumers) | yarn up -R | 4.1.0 → 4.1.1 |
| qs | yarn up -R (+ express refresh) | 6.13.0 → 6.14.2 / 6.15.0 |
| path-to-regexp | yarn up -R express (→ 4.22.1) | 0.1.12 → 0.1.13 |
| serialize-javascript (via webpack) | yarn up -R terser-webpack-plugin (→ 5.4.0, drops dep) | removed |
| yaml | yarn up -R | 2.8.0 / 2.8.2 → 2.8.3 |
Flagged (not changed)
These require changes outside the safe-only constraints of this sweep and were left as-is:
- @xmldom/xmldom 0.8.11 → 0.8.12 — patched version was published 2026-03-29 and is blocked by npmMinimalAgeGate: 10080; revisit after 2026-04-05.
- lodash 4.17.23 → 4.18.0 — patched versions (4.18.0/4.18.1) were published 2026-03-31+ and are blocked by npmMinimalAgeGate; revisit after 2026-04-07.
- serialize-javascript 6.0.2 (via mocha@10.8.2) — no 6.x patch exists and latest mocha (11.x) still depends on ^6.0.2; fixing requires a cross-major resolutions pin to 7.x.
- tar 6.2.1 (via pdfjs-dist → canvas → @mapbox/node-pre-gyp) — no tar@6 patch exists and @mapbox/node-pre-gyp@1.x caps at ^6.1.11; fixing requires a cross-major resolutions pin or a pdfjs-dist/canvas upgrade.
- undici 5.29.0 (via @actions/cache → @actions/http-client@2.2.3) — no undici@5 patch exists and latest @actions/http-client still depends on ^5.25.4; fixing requires a cross-major resolutions pin to 6.x.
- js-yaml 4.1.0 (via markdownlint-cli2@0.18.0) — pinned exactly; fixing requires bumping markdownlint-cli2 across a 0.x minor (^0.18.0 → 0.22.0).
yarn install --immutable passes. No new peer-dependency warnings were introduced (the pre-existing eslint-plugin-n / eslint-config-standard warning is unchanged).
Notes: none
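The "Flagged" entries above are held back by a minimal-age gate: a patched version that was published too recently is not eligible for resolution until it has aged. The following is an added example, not code from this PR or from Yarn, that models how such a gate restricts what an in-range refresh like yarn up -R may pick. It assumes the gate value 10080 is in minutes (7 days, which matches the revisit dates in the PR), uses a constructed registry "time" map, and supports only caret ranges with a non-zero major or minor.

```javascript
// Added example (not from the PR or from Yarn): how a minimal-age gate such as
// npmMinimalAgeGate filters the candidate versions an in-range refresh may pick.
// Assumption: the gate value is in minutes (10080 = 7 days).
const GATE_MINUTES = 10080;

// Constructed sample of a registry document's "time" map (version -> publish date).
// Only 0.8.12 (the patched release named in the PR) is recent enough to be gated.
const SAMPLE_TIME_MAP = {
  "0.8.10": "2025-02-10T00:00:00Z",
  "0.8.11": "2025-09-01T00:00:00Z",
  "0.8.12": "2026-03-29T00:00:00Z",
};

function parseSemver(v) {
  return v.split(".").map(Number); // plain x.y.z only, no prerelease tags
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// ^0.8.11 means >=0.8.11 <0.9.0; ^4.1.0 means >=4.1.0 <5.0.0.
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  const [bMajor, bMinor] = parseSemver(base);
  const [vMajor, vMinor] = parseSemver(version);
  if (compareSemver(version, base) < 0) return false;
  return bMajor === 0 ? vMajor === 0 && vMinor === bMinor : vMajor === bMajor;
}

// Earliest instant at which a version published at `publishedAt` clears the gate.
function eligibleAfter(publishedAt, gateMinutes = GATE_MINUTES) {
  return new Date(new Date(publishedAt).getTime() + gateMinutes * 60_000);
}

// Highest in-range version that is old enough as of `now`, plus the versions the
// gate blocked and the date (YYYY-MM-DD) after which the newest one becomes eligible.
function resolveWithAgeGate(timeMap, range, now, gateMinutes = GATE_MINUTES) {
  const inRange = Object.keys(timeMap).filter((v) => satisfiesCaret(v, range)).sort(compareSemver);
  const allowed = inRange.filter((v) => eligibleAfter(timeMap[v], gateMinutes) <= now);
  const blocked = inRange.filter((v) => !allowed.includes(v));
  const newestBlocked = blocked[blocked.length - 1];
  return {
    chosen: allowed.length ? allowed[allowed.length - 1] : null,
    blocked,
    revisitAfter: newestBlocked ? eligibleAfter(timeMap[newestBlocked], gateMinutes).toISOString().slice(0, 10) : null,
  };
}
```

Run against the constructed map on the PR's creation date, the resolver keeps 0.8.11 and reports 0.8.12 as blocked until 2026-04-05, which is the revisit date given in the "Flagged" list.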
Backports
- 39-x-y: Pending (waiting for a manual backport)
- 40-x-y: Pending (waiting for a manual backport)
- 41-x-y: Pending (waiting for a manual backport)
- 42-x-y: Pending (waiting for a manual backport)
Semver Impact
Semantic Versioning helps users understand the impact of updates:
- Major (X.y.z): Breaking changes that may require code modifications
- Minor (x.Y.z): New features that maintain backward compatibility
- Patch (x.y.Z): Bug fixes that don't change the API
- None: Docs, tests, and other changes that don't affect user-facing parts of Electron