Fix braces transitive dependency vulnerability (< 3.0.3)#752

Draft
Copilot wants to merge 2 commits into main from copilot/update-braces-dependency
Conversation

Contributor

Copilot AI commented Mar 4, 2026

braces < 3.0.3 has a known vulnerability introduced transitively via @vue/cli-plugin-eslint@5.0.8 and @vue/cli-service@5.0.8 in the 13-meaningful-visualizations project.

Changes

  • starter/package.json / solution/package.json: Added "braces": ">=3.0.3" to the existing overrides block to pin the transitive dependency to the patched version:
    "overrides": {
      "qs": "6.14.2",
      "braces": ">=3.0.3"
    }
  • starter/package-lock.json: Regenerated — nested braces@3.0.2 entries under micromatch and webpack-dev-server replaced by a single hoisted braces@3.0.3
  • solution/package-lock.json: Regenerated to reflect the new override and confirm braces@3.0.3 is the sole resolved version

Track translation progress by opening a draft PR using this template and checking off the translations completed

Each lesson includes a translation of the README.md and the Assignment.md file, if available. Only mark the lesson complete if both those files are translated per lesson, please.

  • 1: 1-1, 1-2, 1-3
  • 2: 2-1, 2-2, 2-3, 2-4
  • 3: 3-1, 3-2, 3-3
  • 4: 4-1
  • 5: 5-1, 5-2, 5-3
  • 6: 6-1, 6-2, 6-3, 6-4, 6-5, 6-6
  • 7: 7-1, 7-2, 7-3, 7-4
  • Quiz (add a file in the quiz-app with all localizations)

Original prompt

This section details the original issue you should resolve

<issue_title>Braces update</issue_title>
<issue_description>The latest possible version that can be installed is 3.0.2 because of the following conflicting dependency:

The lockfile might be out of sync?
The earliest fixed version is 3.0.3.

Transitive dependency braces 3.0.2 is introduced via
@vue/cli-plugin-eslint 5.0.8 ... braces 3.0.2
@vue/cli-service 5.0.8 ... braces 3.0.2
Package: braces (npm)
Affected versions: < 3.0.3
Patched version: 3.0.3
</issue_description>

Comments on the Issue (you are @copilot in this section)
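The PR relies on an npm `overrides` entry to force every transitive copy of `braces` up to the patched release, and verifies the result by regenerating the lockfiles. The script below, added here as an example and not part of this PR or the project, performs that verification step mechanically: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, lists every hoisted or nested resolution of a package, and flags any copy below the patched version. The two lockfile objects are constructed samples modelled on the states the PR description reports (two nested `braces@3.0.2` copies before, one hoisted `braces@3.0.3` after); the package paths and neighbouring versions are assumptions for illustration.

```javascript
// Added example: audit every resolved copy of a package in a package-lock.json
// (lockfileVersion 2/3 "packages" map) against a patched version.

// Constructed "before" lockfile: nested braces@3.0.2 under two consumers,
// as the PR description reports for the starter lockfile.
const SAMPLE_LOCK_BEFORE = {
  name: 'sample-project',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-project' },
    'node_modules/micromatch': { version: '4.0.5' },
    'node_modules/micromatch/node_modules/braces': { version: '3.0.2' },
    'node_modules/webpack-dev-server': { version: '4.15.1' },
    'node_modules/webpack-dev-server/node_modules/braces': { version: '3.0.2' },
  },
};

// Constructed "after" lockfile: the override leaves one hoisted braces@3.0.3.
const SAMPLE_LOCK_AFTER = {
  name: 'sample-project',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-project' },
    'node_modules/braces': { version: '3.0.3' },
    'node_modules/micromatch': { version: '4.0.5' },
    'node_modules/webpack-dev-server': { version: '4.15.1' },
  },
};

// Numeric comparison of plain x.y.z versions (no ranges, no prerelease tags);
// returns <0, 0 or >0 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile entry that resolves pkgName, hoisted or nested. The package
// name is whatever follows the last "node_modules/" segment, so scoped
// packages such as "@vue/cli-service" are matched too.
function findResolved(lock, pkgName) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue;
    const last = path.lastIndexOf(marker);
    if (last === -1) continue;
    if (path.slice(last + marker.length) === pkgName) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Resolved copies that are still below the patched version. An empty list
// means the override took effect for every consumer in the tree.
function findVulnerable(lock, pkgName, patched) {
  return findResolved(lock, pkgName).filter(
    (h) => compareVersions(h.version, patched) < 0
  );
}

// Summary suitable for a CI gate: total copies plus the offending paths.
function audit(lock, pkgName, patched) {
  const resolved = findResolved(lock, pkgName);
  const vulnerable = findVulnerable(lock, pkgName, patched);
  return { resolved: resolved.length, vulnerable };
}

// Demonstration on the constructed samples.
for (const [label, lock] of [['before', SAMPLE_LOCK_BEFORE], ['after', SAMPLE_LOCK_AFTER]]) {
  const { resolved, vulnerable } = audit(lock, 'braces', '3.0.3');
  console.log(`${label}: ${resolved} copies of braces, ${vulnerable.length} below 3.0.3`);
  for (const v of vulnerable) console.log(`  ${v.path} -> ${v.version}`);
}
```

To run it against a real lockfile, replace the sample object with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the build when `audit(...).vulnerable` is non-empty. Checking the lockfile rather than `package.json` matters because an `overrides` range only helps if the lockfile was actually regenerated after it was added; an out-of-sync lockfile (the symptom the original issue mentions) will still install the nested 3.0.2 copies.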



…rate lockfiles

Co-authored-by: leestott <2511341+leestott@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update braces dependency to version 3.0.3" to "Fix braces transitive dependency vulnerability (< 3.0.3)" on Mar 4, 2026

Development

Successfully merging this pull request may close these issues.

Braces update

2 participants