Bump node-forge from 1.3.1 to 1.3.2 in /documentation #849
Closed
dependabot[bot] wants to merge 1 commit into
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.1 to 1.3.2.
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.2)

---
updated-dependencies:
- dependency-name: node-forge
  dependency-version: 1.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
✅ Deploy Preview for opal-docs ready!
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
zeevmoney added a commit that referenced this pull request Jun 24, 2026
…latest (PER-15242) (#925)

* chore(deps): consolidate dependabot bumps for documentation site

Consolidate the six open Dependabot updates for the /documentation Docusaurus site into one change, upgrading the security-relevant deps past the Dependabot-proposed versions to fully clear their known advisories:

- axios 1.12.2 -> 1.18.1 (direct; clears proxy MITM, proxy credential leak, SSRF, ReDoS)
- node-forge 1.3.1 -> 1.4.0 (resolutions; clears RSA/Ed25519 signature forgery, basicConstraints chain bypass)
- lodash 4.17.21 -> 4.18.1 (resolutions; clears _.template code injection)
- webpack 5.100.2 -> 5.105.0 (clears buildHttp SSRF)
- altcha-lib 1.3.0 -> 1.4.1 (clears PoW challenge replay)
- mdast-util-to-hast 13.1.0 -> 13.2.1 (clears unsanitized class attribute)

Supersedes #879, #877, #868, #854, #851, #849.

node-forge and lodash are transitive deps, pinned via yarn resolutions. yarn.lock regenerated with yarn 1.22.22; validated with --frozen-lockfile and a successful `yarn build`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): update remaining documentation deps to latest

Bring the rest of the /documentation Docusaurus site dependencies up to latest, on top of the Dependabot security consolidation:

- @docusaurus/* 3.9.1 -> 3.10.1
- react / react-dom 18.3.1 -> 19.2.7 (major; Docusaurus 3.10 supports React 19)
- @inkeep/cxkit-docusaurus 0.5.100 -> 0.5.119
- prism-react-renderer 2.3.1 -> 2.4.1
- sass 1.93.2 -> 1.101.0
- webpack 5.105.0 -> 5.107.2 (transitive)

axios (1.18.1), node-forge (1.4.0) and lodash (4.18.1) are already at latest from the prior commit. altcha-lib stays at 1.4.1: its consumer @inkeep declares ^1.2.0, so 2.x cannot be forced without overriding @inkeep.

Validated with yarn install --frozen-lockfile, yarn build, and a local docusaurus dev server (compiles with webpack 5.107.2, serves HTTP 200).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): migrate documentation site from yarn to pnpm

Replace yarn 1.22.22 with pnpm 11.9.0 as the documentation site's package manager:

- packageManager -> pnpm@11.9.0 (with corepack integrity hash)
- yarn.lock removed; pnpm-lock.yaml generated
- yarn `resolutions` (node-forge 1.4.0, lodash 4.18.1) moved to pnpm-workspace.yaml `overrides` (pnpm v11 no longer reads the package.json `pnpm` field). The stale npm-style `overrides` block (got/trim) is dropped: it never applied under yarn (got resolves to 12.x) and trim is not in the tree.
- pnpm-workspace.yaml `allowBuilds` permits @parcel/watcher (native file watcher) and blocks core-js (funding-only postinstall), since pnpm blocks dependency build scripts by default.
- Makefile `docs-dev` target and documentation/.gitignore updated for pnpm.

Validated: pnpm install, pnpm build (Docusaurus 3.10 + React 19 compile cleanly) and pnpm start (dev server serves HTTP 200, webpack 5.107.2).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(contributing): update docs-site setup instructions for pnpm

The CONTRIBUTING guide told contributors to use `npm install` / `npm run start` for the documentation site. Update it to pnpm (via Corepack) to match the package-manager migration, and fix the step that said "docs directory" while the command navigates to `documentation`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: exclude pnpm-lock.yaml from codespell

The codespell hook skipped *.json and *.lock, which covered yarn.lock but not the new pnpm-lock.yaml. codespell then tripped on false positives inside package hashes/metadata (e.g. "devlop", "trough"). Add *pnpm-lock.yaml to the skip list (wildcard prefix so it matches the nested documentation/ path, the same way *.lock did).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(netlify): pin docs site build to pnpm via netlify.toml

Netlify deploy previews are disabled for the repo, so the pnpm migration was never exercised on Netlify; the production deploy relied on the dashboard build command, which still referenced the old (yarn) setup. Add a netlify.toml that pins the build in-repo: base=documentation, command="pnpm build", publish=build. Netlify auto-runs `pnpm install` from the lockfile and provisions pnpm@11.9.0 via the packageManager field. COREPACK_INTEGRITY_KEYS=0 works around Corepack's signature-fetch failure for newer pnpm on Netlify's build image (the version is still hash-pinned by packageManager).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(make): use corepack pnpm in docs-dev target

The docs-dev target called `pnpm` directly, which fails on machines that have Corepack but no globally installed pnpm (and haven't run `corepack enable`). Use `corepack pnpm start` so the target runs the pnpm version pinned in documentation/package.json without prior setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: add docs-build workflow for the pnpm/Docusaurus site

Nothing in CI built or installed the documentation site; the only build was Netlify's production deploy (previews disabled), so docs build breakage was not caught on PRs. This matters now that the site uses pnpm and React 19. Add a documentation/**-scoped workflow that runs on pull requests and pushes to the default branch: corepack enable -> pnpm install --frozen-lockfile -> pnpm build. The frozen install also catches lockfile drift. Actions are SHA-pinned to their release tags, checkout uses persist-credentials: false, and permissions are contents: read.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
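A lockfile gate for the version floors named in the commit message above, as an added example that is not part of the PR or the repository: it parses a yarn.lock v1 file (the format in use before the pnpm migration) and reports any entry still resolved below its floor, which is how a `resolutions` pin that did not take effect would show up. `FLOORS`, `SAMPLE_LOCK`, `compareVersions` and `findStaleEntries` are hypothetical names, and the lockfile excerpt is constructed.

```javascript
// Added example, not code from the PR. Floors come from the commit message.
const FLOORS = new Map([['node-forge', '1.4.0'], ['lodash', '4.18.1']]);
// Constructed yarn.lock v1 excerpt (not the repository's real lockfile).
const SAMPLE_LOCK = `# yarn lockfile v1

"@types/node-forge@^1.3.0":
  version "1.3.11"

lodash@^4.17.20, lodash@^4.17.21:
  version "4.18.1"

node-forge@^1:
  version "1.3.1"
`;

// Compare plain x.y.z versions (no pre-release tags): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return {name, version, floor} for each entry resolved below its floor.
function findStaleEntries(lockText, floors) {
  const stale = [];
  let names = [];
  for (const line of lockText.split('\n')) {
    const version = /^  version "([^"]+)"$/.exec(line);
    if (/^\S.*:$/.test(line)) {
      names = line.slice(0, -1).split(', ').map((spec) => {
        const s = spec.replace(/^"|"$/g, ''); // header specs may be quoted
        return s.slice(0, s.indexOf('@', 1)); // keeps the scope in @scope/name
      });
    } else if (version) {
      for (const name of new Set(names)) {
        const floor = floors.get(name);
        if (floor && compareVersions(version[1], floor) < 0) {
          stale.push({ name, version: version[1], floor });
        }
      }
    }
  }
  return stale;
}

console.log(findStaleEntries(SAMPLE_LOCK, FLOORS));
```

In CI the same function would read the real lockfile and exit non-zero when the returned list is not empty.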
Bumps node-forge from 1.3.1 to 1.3.2.

Changelog

Sourced from node-forge's changelog.

Commits

- 235ad3e Release 1.3.2.
- 2598244 Update changelog.
- 0032dd0 Fix typos.
- d75e08d Run new security test.
- a5ce91d Update changelog formatting.
- 4652de6 Cleanups.
- eb932d9 Fix typo.
- db6954b Fix style.
- afbf7d8 Align error message style.
- 6607445 Revert minor changes.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.