Skip to content

fix: resolve Dependabot security alerts and upgrade Jest to v30 #8485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sarayev merged 1 commit into from
Jan 14, 2026
Merged

fix: resolve Dependabot security alerts and upgrade Jest to v30 #8485

sarayev merged 1 commit into from
Jan 14, 2026

Conversation

@sarayev
Copy link
Contributor

@sarayev sarayev commented Jan 14, 2026

Description of changes:

This PR resolves three critical security vulnerabilities identified by Dependabot by upgrading the Jest ecosystem and adding dependency resolutions.

Security Fixes:

  • glob CLI command injection vulnerability (CVE-2024-4067): Added resolution for glob@10.5.0 to address vulnerability in versions >= 10.2.0, < 10.5.0. Vulnerable version 10.3.10 was pulled in by @next/eslint-plugin-next@14.2.3
  • js-yaml prototype pollution vulnerabilities (CVE-2023-2251):
    • Resolved js-yaml@3.14.1 vulnerability by upgrading Jest ecosystem
    • Resolved js-yaml@4.1.0 vulnerability (>= 4.0.0, < 4.1.1)
    • All js-yaml versions now safe: 4.1.1 and 3.14.2

Dependency Updates:

  • jest: 29.7.0 → 30.2.0
  • jest-cli: 29.7.0 → 30.2.0
  • jest-environment-jsdom: 29.7.0 → 30.2.0
  • ts-jest: 29.1.2 → 29.4.6
  • @types/jest: 26.0.19 → 30.0.0

Configuration & Test Updates:

  • Updated jest.unit.config.js to use V8 coverage provider for Jest 30 compatibility
  • Fixed Callout component test CSS color assertion (expected rgb(255, 0, 0) vs "red")
  • Updated snapshots for Jest 30 format changes and copyright year update (2025 → 2026)

Results: All tests passing (54 suites, 195 tests) with no security vulnerabilities remaining. Development server starts successfully with no errors.

Related GitHub issue #, if available:

Fixes Dependabot security alerts for glob and js-yaml vulnerabilities

Instructions

If this PR should not be merged upon approval for any reason, please submit as a DRAFT

Which product(s) are affected by this PR (if applicable)?

  • amplify-cli
  • amplify-ui
  • amplify-studio
  • amplify-hosting
  • amplify-libraries

Which platform(s) are affected by this PR (if applicable)?

  • JS
  • Swift
  • Android
  • Flutter
  • React Native

Please add the product(s)/platform(s) affected to the PR title

Checks

  • Does this PR conform to the styleguide?
  • Does this PR include filetypes other than markdown or images? Please add or update unit tests accordingly.
  • Are any files being deleted with this PR? If so, have the needed redirects been created?
  • Are all links in MDX files using the MDX link syntax rather than HTML link syntax?
    ref: MDX: [link](https://docs.amplify.aws/) HTML: <a href="https://docs.amplify.aws/">link</a>

When this PR is ready to merge, please check the box below

  • Ready to merge

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sarayev sarayev requested review from a team and srquinn21 as code owners January 14, 2026 12:15
adrianjoshua-strutt
adrianjoshua-strutt reviewed Jan 14, 2026
View reviewed changes
@sarayev sarayev merged commit b967eb5 into main Jan 14, 2026
12 checks passed
@sarayev sarayev deleted the fix-dependabot-alerts branch January 14, 2026 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bobbor bobbor bobbor approved these changes

@adrianjoshua-strutt adrianjoshua-strutt adrianjoshua-strutt approved these changes

@srquinn21 srquinn21 Awaiting requested review from srquinn21 srquinn21 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sarayev @bobbor @adrianjoshua-strutt