GRAL-5798 update dependencies and add overrides in package.json#197
Open
- Updated body-parser from 1.20.0 to 1.20.3
- Updated express from 4.19.2 to 4.22.1
- Updated jsonwebtoken from 8.5.1 to 9.0.3
- Added overrides for several packages to ensure compatibility and resolve vulnerabilities
Pull request overview
Maintenance-focused PR to remediate dependency vulnerabilities across multiple example apps by upgrading key packages, adding overrides, and migrating deprecated HTTP clients (request/request-promise) to axios. It also modernizes the Remix example to Remix v2 + React 18 streaming and bumps Node to 18 in affected apps.
Changes:
- Updated dependencies (e.g., express, body-parser, tar, sqlite3, jsonwebtoken, axios, next, Remix/Vercel adapters) and introduced overrides to pin vulnerable transitive packages.
- Replaced deprecated request/request-promise usage with axios in the Caller and Messaging Playground apps.
- Upgraded remix-cars-service to Remix v2 / React 18 streaming entrypoints and updated Node versions (.nvmrc + engines).
Reviewed changes
Copilot reviewed 16 out of 24 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| apps/todo/package.json | Bumps server deps and adds overrides for vulnerable transitive packages. |
| apps/remix-cars-service/server.js | Switches to @vercel/remix request handler import. |
| apps/remix-cars-service/remix.config.js | Removes serverBuildTarget for updated Remix/Vercel setup. |
| apps/remix-cars-service/package.json | Upgrades Remix/React/Vercel deps, adds overrides, bumps Node engine to 18+. |
| apps/remix-cars-service/app/entry.server.jsx | Migrates to React 18 streaming SSR with bot/browser split and abort delay. |
| apps/remix-cars-service/app/entry.client.jsx | Migrates to hydrateRoot + startTransition + StrictMode. |
| apps/remix-cars-service/.nvmrc | Bumps Node from 16 to 18. |
| apps/pipedrive-hello-world-glitch/package.json | Updates dependencies and adds overrides. |
| apps/messaging-app-extn-playground/package.json | Removes request deps, adds axios, bumps dependencies, adds overrides. |
| apps/messaging-app-extn-playground/api/util.js | Replaces request-promise calls with axios and returns response.data. |
| apps/fifty-fifty-php/package.json | Updates axios and adds overrides (incl. rollup). |
| apps/fifty-fifty-php/package-lock.json | Updates lockfile content to reflect new dependency graph. |
| apps/custom-ui-floating-window-demo/package.json | Upgrades Next to 15.x and adds overrides. |
| apps/custom-ui-floating-window-demo/.nvmrc | Bumps Node from 16 to 18. |
| apps/custom-ui-app-docusign/package.json | Updates deps and adds overrides. |
| apps/custom-ui-app-docusign/package-lock.json | Updates lockfile (notably introduces packages with higher Node engine requirements). |
| apps/caller/server/utils/pipedrive_handler.js | Replaces request-promise with axios. |
| apps/caller/package.json | Removes request deps, adds axios, bumps dependencies, adds overrides. |
Files not reviewed (1)
- apps/fifty-fifty-php/package-lock.json: Language not supported
Related Tickets & Documents
https://pipedrive.atlassian.net/browse/GRAL-5798
Description
Summary
caller ✅ 0 vulnerabilities
- Removed deprecated request/request-promise (critical SSRF) → replaced with axios
- Updated: express ^4.22.1, body-parser ^1.20.3, tar ^7.5.12, @twilio/voice-sdk ^2.18.1, twilio ^4.20.0, sqlite3 ^6.0.1, @vscode/sqlite3 ^5.1.12-vscode
- Added overrides: minimatch, tar-fs, ws
custom-ui-app-docusign ✅ 0 vulnerabilities
- Updated: axios ^1.7.9, express ^4.22.1, body-parser ^1.20.3, jsonwebtoken ^9.0.3, sequelize ^6.37.8, sqlite3 ^6.0.1, tar ^7.5.12
- Added overrides: minimatch, tar-fs
custom-ui-floating-window-demo ✅ 0 vulnerabilities
- Upgraded next from 13.5.11 → 15.5.14 (fixes SSRF, auth bypass, DoS, HTTP smuggling)
- Updated: socket.io/socket.io-client ^4.8.3, cookies-next ^6.1.1, eslint-config-next 15.5.14
- Updated .nvmrc to Node 18
fifty-fifty-php ✅ 0 critical/high
- Updated: axios ^1.8.2
- Added overrides: minimatch, rollup ^3.30.0
messaging-app-extn-playground ✅ 0 vulnerabilities
- Removed deprecated request/request-promise → replaced with axios
- Updated: express ^4.22.1, body-parser ^1.20.3, tar ^7.5.12, sqlite3 ^6.0.1
- Added overrides: minimatch, tar-fs
pipedrive-hello-world-glitch ✅ 0 vulnerabilities
- Updated: express ^4.22.1, axios ^1.7.9, tar ^7.5.12, sqlite3 ^6.0.1
- Added overrides: minimatch, tar-fs
remix-cars-service ⚠️ 0 critical, 1 high remaining
- Upgraded Remix 1.x → 2.x (fixes critical Path Traversal in File Session Storage)
- Updated @vercel/node ^5.6.18, sqlite3 ^6.0.1, tar ^7.5.12
- Replaced @remix-run/vercel with @vercel/remix
- Updated entry.client.jsx and entry.server.jsx for React 18 streaming
- Updated .nvmrc and engines to Node 18
- Remaining: 1 HIGH in undici <6.24.0 via @vercel/node (WebSocket-only vulnerability, not exploitable via @vercel/node's HTTP usage)
todo ✅ 0 critical/high
- Updated: express ^4.22.1, body-parser ^1.20.3, jsonwebtoken ^9.0.3
- Added overrides: minimatch, flatted, serialize-javascript, and others for react-scripts transitive deps
Type of PR?
Manual testing
Automated tests added?
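One check a reviewer would want for a PR like this: npm only applies an "overrides" entry when the lockfile is regenerated, so a stale package-lock.json can still resolve an overridden package (or a nested copy of it) to the vulnerable version. The script below, added here as an example and not part of this PR or the repository, walks a lockfile v3 "packages" map and reports every installed copy of an overridden package whose version does not satisfy the override. The package.json and package-lock.json objects are constructed for the example; the override versions and the nested stale ws copy are assumptions, since the PR lists only package names.

```javascript
// Constructed sample manifest (not the repo's package.json). Override version
// ranges are assumed for illustration.
const samplePackageJson = {
  name: "example-app",
  dependencies: { express: "^4.22.1", axios: "^1.7.9" },
  overrides: { minimatch: "^3.1.2", "tar-fs": "^2.1.4", ws: "^8.17.1" },
};

// Constructed sample lockfile (lockfileVersion 3 layout). The nested copy of
// ws under some-lib is deliberately stale: a regenerated lock would have
// replaced it, but a hand-edited package.json leaves it in place.
const samplePackageLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/tar-fs": { version: "2.1.4" },
    "node_modules/ws": { version: "8.18.0" },
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/ws": { version: "7.5.9" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports the two range forms used for overrides here: an exact version or a
// caret range. A caret range keeps the left-most non-zero component fixed and
// allows anything at or above the base version within that component.
function satisfies(version, range) {
  const caret = range.startsWith("^");
  const base = parseVersion(caret ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!caret) return compare(v, base) === 0;
  if (compare(v, base) < 0) return false;
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return lockPath.slice(idx + marker.length);
}

// Returns one entry per installed copy of an overridden package whose resolved
// version does not satisfy the override. An empty array means the lockfile
// reflects the overrides. Nested override objects are skipped.
function checkOverrides(pkg, lock) {
  const overrides = pkg.overrides || {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry
    const required = overrides[packageNameFromPath(lockPath)];
    if (typeof required !== "string") continue;
    if (typeof entry.version !== "string" || !satisfies(entry.version, required)) {
      violations.push({ path: lockPath, version: entry.version, required });
    }
  }
  return violations;
}

// Stand-alone run on the constructed sample: reports the stale nested ws copy.
for (const v of checkOverrides(samplePackageJson, samplePackageLock)) {
  console.log(`${v.path}: resolved ${v.version}, override requires ${v.required}`);
}
```

On a real checkout, replace the two sample objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for package-lock.json; any reported path means `npm install` has not been run since the overrides were added, and the audit result for that package is not yet trustworthy.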