@Zasa-san
Collaborator

fixes #

PR checklist:

  • Update READ.me ?
  • Update API documentation ?

QA checklist:

  • Smoke test the functionality described in the issue
  • Test for side effects
  • UI responsiveness
  • Cross browser testing
  • Code review

@Zasa-san Zasa-san marked this pull request as ready for review January 26, 2026 19:15
Copilot AI review requested due to automatic review settings January 26, 2026 19:15
Contributor

Copilot AI left a comment

Pull request overview

This PR performs security-related dependency updates across multiple packages, upgrading Express, various TypeScript types, and associated libraries to newer versions.

Changes:

  • Updated Express framework from 4.21.2 to 4.22.0
  • Upgraded express-prom-bundle from v7 to v8
  • Updated client-side libraries including react-router (7.5.2 → 7.13.0), superagent (10.1.1 → 10.3.0), lodash (4.17.21 → 4.17.23), and qs (6.14.0 → 6.14.1)
  • Removed body-parser as a direct dependency (now included within Express)
  • Reorganized and updated TypeScript type definitions

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| package.json | Updated dependency versions for security patches; removed body-parser dependency; moved @types/lodash to devDependencies; added @types/react-router |
| yarn.lock | Lock file updates reflecting all package version changes and their transitive dependencies |

"express": "4.22.0",
"express-http-proxy": "^2.1.1",
"express-prom-bundle": "^7.0.0",
"express-prom-bundle": "^8.0.0",
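
Review bot: `express-prom-bundle` moves from `^7.0.0` to `^8.0.0`, a major-version jump sitting next to an exact-pinned `"express": "4.22.0"`, and the PR description does not say why the major is needed. State the advisory or reason that requires v8, or split this bump into its own PR so the patch-level updates can merge independently. Because this is a caret range, the lockfile rather than this line decides what gets installed, so the matching yarn.lock entry needs the same review.
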
Copilot AI Jan 26, 2026

The express-prom-bundle package has been upgraded from v7 to v8, which now requires @types/express ^5.0.0 as a dependency (see yarn.lock line 9076). However, the project's devDependencies specify @types/express ^4.17.25 (line 283). This creates a type definition conflict where two incompatible versions of Express types coexist in the dependency tree.

While this may not cause runtime issues since express-prom-bundle is only used in app/server.js (a non-TypeScript file), it could cause:

  1. TypeScript compilation issues if server.js is converted to TypeScript in the future
  2. IDE type inference problems
  3. Confusion about which Express types are the canonical ones

Consider either:

  • Upgrading @types/express in devDependencies to ^5.0.0 to match express-prom-bundle's requirement, or
  • Verifying that @types/express v4 and v5 are compatible for your use case
Suggested change
"express-prom-bundle": "^8.0.0",
"express-prom-bundle": "^7.0.0",
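
Review bot: The suggested change reverts this line to `^7.0.0`, but the comment text above it offers only two options, raising `@types/express` to `^5.0.0` or verifying that v4 and v5 are compatible, and neither is a revert. Applying the suggestion as written would undo the upgrade; if the type conflict is the concern, change the `@types/express` devDependency and leave this line at `^8.0.0`.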

@Zasa-san Zasa-san marked this pull request as draft January 27, 2026 17:10
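
The situation Copilot's comment describes, one package resolved at two majors in the same lockfile, can be checked mechanically. The following is an added example, not code from this PR or project: the function names and the sample lockfile text (including its resolved version numbers) are constructed for illustration, and it assumes the `version` line layout of a classic or Berry yarn.lock.

```javascript
// SAMPLE_LOCK is constructed for illustration; it is not the project's lockfile.
const SAMPLE_LOCK = `
"@types/express@^4.17.25":
  version "4.17.25"
"@types/express@^5.0.0":
  version "5.0.0"
express-prom-bundle@^8.0.0:
  version "8.0.0"
  dependencies:
    "@types/express" "^5.0.0"
lodash@^4.17.21, lodash@^4.17.23:
  version "4.17.23"
`;

// Map each package name to the set of versions the lockfile resolves it to.
// Accepts both the classic (version "x") and Berry (version: x) spellings.
function resolvedVersions(lockText) {
  const byName = new Map();
  let names = [];
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#].*:\s*$/.test(line)) {
      // Entry header: comma-separated "name@range" descriptors.
      names = line.replace(/:\s*$/, '').split(',')
        .map((d) => d.trim().replace(/^"|"$/g, ''))
        .filter((d) => d.indexOf('@', 1) > 0) // drops headers such as __metadata
        .map((d) => d.slice(0, d.indexOf('@', 1))); // keep a scope's leading '@'
      continue;
    }
    // Only the entry's own version line (two-space indent), not nested deps.
    const m = /^ {2}version:?\s+"?([^"\s]+)"?\s*$/.exec(line);
    if (!m) continue;
    for (const n of names) {
      if (!byName.has(n)) byName.set(n, new Set());
      byName.get(n).add(m[1]);
    }
  }
  return byName;
}

// Return { name: [majors] } for every package present at more than one major.
function splitMajors(lockText) {
  const out = {};
  for (const [name, versions] of resolvedVersions(lockText)) {
    const majors = [...new Set([...versions].map((v) => v.split('.')[0]))].sort();
    if (majors.length > 1) out[name] = majors;
  }
  return out;
}
console.log(splitMajors(SAMPLE_LOCK));
```

Run against a real lockfile by passing the file's text to `splitMajors`; a non-empty result is a reason to fail a dependency-update check or to ask for a justification in review.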