Update packages to address vulnerabilities #2648
Merged
+755
−687
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR updates various dependencies and example configurations to address security vulnerabilities and ensure compatibility with newer library versions.
- Bump core and devbox dependencies (typeid, pkg, envsec, extract, Drupal core, Docusaurus).
- Refactor identity provider to use
typeid/v2and add aparseAPITokenhelper. - Refresh Drupal example files with updated URLs, settings, and documentation comments.
Reviewed Changes
Copilot reviewed 9 out of 12 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| internal/devbox/providers/identity/identity.go | Switch to typeid/v2 and add parseAPIToken helper for API tokens |
| go.mod | Update go.jetify.com modules and bump indirect dependencies |
| examples/stacks/drupal/web/sites/example.sites.php | Update multi-site documentation link |
| examples/stacks/drupal/web/sites/development.services.yml | Add clarifying comments for development service overrides |
| examples/stacks/drupal/web/sites/default/default.settings.php | Refine database example names, update documentation URLs, add state caching setting |
| examples/stacks/drupal/web/sites/default/default.services.yml | Introduce security.enable_super_user and name_suffix parameters |
| examples/stacks/drupal/composer.json | Bump Drupal core package versions |
| examples/stacks/drupal/.gitattributes | Include PHPStan baseline in gitattributes |
| docs/app/package.json | Upgrade Docusaurus dependencies |
Comments suppressed due to low confidence (4)
internal/devbox/providers/identity/identity.go:37
- [nitpick] Doc comments are typically only required for exported functions. Consider removing or repurposing this comment since
parseAPITokenis unexported.
// parseAPIToken parses an API token string following the same pattern as other Parse functions
internal/devbox/providers/identity/identity.go:45
- [nitpick] For consistency and clarity, capitalize 'API' in the error message (e.g., "invalid API token ID: %s").
return zero, fmt.Errorf("invalid api_token ID: %s", s)
examples/stacks/drupal/web/sites/default/default.settings.php:358
- The original comment included 'statistics' alongside logging and access management. Verify that dropping 'statistics' was intentional to keep documentation accurate.
* to Drupal's logging and access management systems. In the most simple
go.mod:278
- The indirect requirement of the v1
typeidmodule alongsidetypeid/v2may lead to confusion. If v1 is no longer used, consider removing this indirect dependency.
go.jetify.com/typeid v1.3.1-0.20250708200829-05dce5112f3d // indirect
savil
approved these changes
Jul 14, 2025
|
🤔 CICD tests did pass |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Update packages in devbox repo to address any vulnerabilities:
How was it tested?
Ran all tests but ... tests do seem to be hanging and timing out. Hoping someone has run into this issue to help debug and make sure the tests do pass.
Community Contribution License
All community contributions in this pull request are licensed to the project
maintainers under the terms of the
Apache 2 License.
By creating this pull request, I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 License as stated in
the
Community Contribution License.