Chore/security updates

Open MSACC opened this issue 2 months ago • 2 comments

MSACC avatar Nov 24 '25 21:11 MSACC

🦋 Changeset detected

Latest commit: fd95074ecf936b77f2e58ee1b3b3e131a510935f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
webtools-cli Patch
strapi-plugin-webtools Patch
docs Patch
webtools-addon-sitemap Patch

changeset-bot[bot] avatar Nov 24 '25 21:11 changeset-bot[bot]

Thanks for the thorough review @boazpoolman! I've addressed all your feedback in commits 920564b and fd95074:

✅ Fixed Issues:

1. Peer dependencies reverted to generic versions

  • All peer dependencies now use ^5.0.0 instead of ^5.31.2
  • styled-components reverted to ^6.0.0
  • This allows the plugin to work with any Strapi v5.x version

2. Redux removed from direct dependencies

  • Removed redux from sitemap addon dependencies (it's already a peer dependency)

3. Dependencies reverted to original versions

  • react-intl: 6.8.9 → 6.4.1
  • xml2js: 0.6.2 → 0.5.0
  • redux-thunk: 2.4.2 → 2.3.0

4. Test file changes reverted

  • Reverted all test configuration changes to match master
  • Restored disable.test.js again
  • Removed duplicate helpers.js (the .ts file is the source)
  • Reverted unnecessary Babel/Jest configuration changes

5. Cleaned up dependency updates

  • Removed Babel packages that were added but not needed
  • Reverted other dependency version bumps to match master
  • Only kept the security fixes via package resolutions

🔒 Security Fixes (Still in Place):

The core security improvements remain functional via Yarn resolutions:

  • 9 CVE vulnerabilities resolved (vite, ai, glob, on-headers, tmp, brace-expansion, esbuild, js-yaml, koa)
  • 0 high/critical vulnerabilities remaining
  • Package resolutions force secure versions of transitive dependencies

⚠️ Important Note About Tests:

I discovered that the unit tests are currently failing on the master branch as well (before any of my changes). The same TypeError: The "original" argument must be of type function error occurs on master.

This appears to be a pre-existing issue unrelated to this PR. The test failures are not caused by the security updates.

Recommendation: The test failures should be addressed in a separate issue/PR, as they're a pre-existing problem on master.

Let me know if you need any other changes!

MSACC avatar Nov 27 '25 18:11 MSACC
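The Yarn resolutions the comment above relies on only help if the lockfile actually honours them. As an added example (not code from strapi-webtools or this PR), the script below parses a classic (v1) yarn.lock and reports any pinned package that is still locked at a different version; the package.json and yarn.lock contents are constructed samples with placeholder versions, and exact-version pins are assumed.

```javascript
// Added check (not strapi-webtools code): confirm every package pinned in package.json
// "resolutions" is locked at exactly that version in yarn.lock (classic v1 format assumed).
const packageJson = { // constructed sample; versions are placeholders, not the PR's
  resolutions: { "**/js-yaml": "4.1.0", "brace-expansion": "2.0.2", tmp: "0.2.4" },
};
// Constructed sample yarn.lock: "tmp" stayed below its resolution and must be reported.
const yarnLock = `
"js-yaml@^3.13.1", "js-yaml@4.1.0":
  version "4.1.0"
  resolved "https://registry.example/js-yaml-4.1.0.tgz"
brace-expansion@^1.1.7:
  version "2.0.2"
tmp@^0.0.33:
  version "0.0.33"
`;

// Parse a classic yarn.lock into Map<packageName, Set<lockedVersion>>.
function parseYarnLock(text) {
  const locked = new Map();
  let names = [];
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header line: comma-separated "name@range" keys, optionally quoted.
      names = line.replace(/:\s*$/, "").split(",").map((k) => {
        const key = k.trim().replace(/^"|"$/g, "");
        return key.slice(0, key.lastIndexOf("@")); // keeps "@scope/name" intact
      });
    } else if (/^\s+version "/.test(line)) {
      const version = line.trim().split('"')[1];
      for (const n of names) (locked.get(n) ?? locked.set(n, new Set()).get(n)).add(version);
    }
  }
  return locked;
}

// Return each locked version that differs from its exact pinned resolution.
function findIneffectiveResolutions(pkg, lockText) {
  const locked = parseYarnLock(lockText);
  const problems = [];
  for (const [key, pinned] of Object.entries(pkg.resolutions || {})) {
    const name = key.replace(/^\*\*\//, ""); // "**/pkg" glob form -> "pkg"
    for (const v of locked.get(name) || []) {
      if (v !== pinned) problems.push({ name, pinned, locked: v });
    }
  }
  return problems;
}

console.log(findIneffectiveResolutions(packageJson, yarnLock));
```

Run it against the real package.json and yarn.lock after `yarn install`; a non-empty result means a resolution was not applied and the flagged package should be re-audited.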