
[tests] Chore: Update yaml-language-server in lexical-esm-astro-react integration fixture #8163

Merged
etrepum merged 2 commits into main from fix/cookie-vulnerability
Feb 23, 2026

Conversation

@PikkaPikkachu (Contributor)
Test plan

  • Verified lodash is completely absent from the updated pnpm-lock.yaml
  • Verified astro check runs successfully with the overridden yaml-language-server@1.20.0
  • CI integration tests pass (pnpm run test-integration)

Commit message:

Override yaml-language-server to >=1.20.0 which dropped its lodash
dependency entirely, removing the vulnerable lodash (<= 4.17.22) from
the dependency tree.
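As an added illustration of the first test-plan check above (example code, not part of this PR or the Lexical project): a small audit that parses the packages: section of a pnpm-lock.yaml without a YAML library and reports whether any lodash at or below 4.17.22 is still resolved and whether every resolved yaml-language-server is at least 1.20.0. The lockfile fragments are constructed, and the package.json override syntax in the comment is an assumption about how the override was applied.

```python
import re

# One package key under "packages:": pnpm v6 "  /name@version:" or v9
# "  name@version:" ('@scope/pkg' keys may be quoted; "(peer@x)" suffixes ignored).
_PKG_KEY = re.compile(r"^  '?/?(@?[^@\s']+)@([^\s(:']+)")

def parse_version(version):
    """'4.17.21' -> (4, 17, 21); pre-release tags compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split(".")[:3])

def lock_packages(lock_text):
    """Return (name, version) pairs for every entry in the packages: section."""
    pkgs, in_packages = [], False
    for line in lock_text.splitlines():
        if line and not line.startswith(" "):        # new top-level section
            in_packages = line.rstrip() == "packages:"
            continue
        match = _PKG_KEY.match(line) if in_packages else None
        if match:
            pkgs.append((match.group(1), match.group(2)))
    return pkgs

def audit(lock_text, vuln_name="lodash", vuln_max="4.17.22",
          fixed_name="yaml-language-server", fixed_min="1.20.0"):
    """Versions of vuln_name still at or below vuln_max, and whether every
    resolved fixed_name is at or above fixed_min (i.e. the override took)."""
    pkgs = lock_packages(lock_text)
    vulnerable = sorted(v for n, v in pkgs
                        if n == vuln_name and parse_version(v) <= parse_version(vuln_max))
    fixed = [parse_version(v) for n, v in pkgs if n == fixed_name]
    override_ok = bool(fixed) and min(fixed) >= parse_version(fixed_min)
    return {"vulnerable": vulnerable, "override_ok": override_ok}

# Constructed lockfile fragments (not the project's lockfile). The "after" state
# assumes a package.json override: "pnpm": {"overrides": {"yaml-language-server": ">=1.20.0"}}
LOCK_BEFORE = """\
lockfileVersion: '6.0'
packages:
  /lodash@4.17.21:
    resolution: {integrity: sha512-CONSTRUCTED}
  /yaml-language-server@1.15.0:
    resolution: {integrity: sha512-CONSTRUCTED}
"""
LOCK_AFTER = """\
lockfileVersion: '9.0'
packages:
  '@astrojs/check@0.9.4':
    resolution: {integrity: sha512-CONSTRUCTED}
  yaml-language-server@1.20.0:
    resolution: {integrity: sha512-CONSTRUCTED}
"""
```

Running audit() over the real lockfile after the override should return an empty vulnerable list and override_ok set to True, which is the condition the test plan describes.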
@vercel (Bot) commented Feb 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project            | Deployment | Actions          | Updated (UTC)
lexical            | Ready      | Preview, Comment | Feb 23, 2026 3:27am
lexical-playground | Ready      | Preview, Comment | Feb 23, 2026 3:27am

@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Feb 23, 2026
@etrepum (Collaborator) commented Feb 23, 2026

It’s not really a vulnerability in any practical sense, this code only runs in CI. Probably a more useful approach would be to update the dependencies to versions where an override isn’t necessary, in case this code ever makes it to the examples folder.

@etrepum etrepum changed the title [vul-fix] Fix lodash security vulnerability in astro-react integration fixture [1/n] Feb 23, 2026
@etrepum (Collaborator) commented Feb 23, 2026

Confirmed that @astrojs/check hasn't been updated yet so in the meantime this override is reasonable. Very low priority to worry about "vulnerabilities" in integration tests though.

@etrepum etrepum added this pull request to the merge queue Feb 23, 2026
Merged via the queue into main with commit cf707b6 Feb 23, 2026
42 checks passed
@PikkaPikkachu (Contributor, Author) commented

thanks @etrepum for merging in! Makes sense to not update vulnerabilities in tests :)

will be putting up some more PRs for more critical vulnerabilities this week!

@etrepum etrepum mentioned this pull request Feb 25, 2026

Labels

  • CLA Signed: This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed.
  • extended-tests: Run extended e2e tests on a PR