
chore: resolve open dependabot security alerts #165

Draft
jonathannorris wants to merge 2 commits into main from fix/dependabot-alerts

Conversation

@jonathannorris
Member

Summary

  • Resolved all open Dependabot security alerts by bumping addressable to 2.9.0 and json to 2.19.4 across openfeature-flagsmith-provider, openfeature-go-feature-flag-provider, and openfeature-meta_provider
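The bump described in the summary can be sanity-checked offline before it is pushed, independently of Dependabot's own alert state. The following is an added example, not code from this repository or from the OpenFeature project: it parses the `specs:` block of a Gemfile.lock and compares the pinned versions of addressable and json against the minimum versions named in the PR (2.9.0 and 2.19.4). The lockfile text, the gem set in it and the version numbers of the other gems are constructed for the example; the `BUNDLED WITH` reader is included because a lockfile can also pin a Bundler version that the CI image may not have.

```ruby
# Added example: offline check that a Gemfile.lock pins gems at or above the
# minimum versions named in the PR. Not code from this repository.
require "rubygems" # for Gem::Version (loaded by default; explicit for clarity)

# Minimum versions from the PR summary: addressable >= 2.9.0, json >= 2.19.4.
MIN_VERSIONS = { "addressable" => "2.9.0", "json" => "2.19.4" }.freeze

# A top-level spec line is indented by four spaces; its dependency lines use six.
# A platform suffix such as "(1.16.0-x86_64-linux)" is dropped so that
# Gem::Version does not read the dash as a prerelease marker.
SPEC_LINE = /\A {4}(?<name>\S+) \((?<ver>[^\s)\-]+)(?:-[^)]*)?\)\z/

# Parse the top-level specs of the GEM, GIT and PATH sections of a lockfile.
# Returns { gem_name => version_string }.
def parse_lockfile_specs(text)
  specs = {}
  in_spec_section = false
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z]/) # top-level section header (GEM, PLATFORMS, ...)
      in_spec_section = %w[GEM GIT PATH].include?(line)
      in_specs = false
      next
    end
    next unless in_spec_section
    if line == "  specs:"
      in_specs = true
      next
    end
    next unless in_specs
    m = SPEC_LINE.match(line)
    specs[m[:name]] = m[:ver] if m
  end
  specs
end

# Version recorded under BUNDLED WITH, or nil if the section is absent.
def bundled_with(text)
  m = text.match(/^BUNDLED WITH\n\s+(\S+)/)
  m && m[1]
end

# Return [name, pinned, minimum] for every gem pinned below its minimum.
# Gems absent from the lockfile are not findings: a provider that does not
# depend on json has nothing to bump.
def audit(specs, minimums = MIN_VERSIONS)
  minimums.filter_map do |name, min|
    pinned = specs[name]
    next unless pinned
    [name, pinned, min] if Gem::Version.new(pinned) < Gem::Version.new(min)
  end
end

# Constructed sample lockfile in the pre-bump state (not the repository's own).
LOCKFILE_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.7)
        public_suffix (>= 2.0.2, < 7.0)
      json (2.19.0)
      openfeature-sdk (0.4.1)
      public_suffix (6.0.1)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    addressable
    json
    openfeature-sdk

  BUNDLED WITH
     2.5.6
LOCK

# The same lockfile after the bump described in the PR.
LOCKFILE_AFTER = LOCKFILE_BEFORE
  .sub("addressable (2.8.7)", "addressable (2.9.0)")
  .sub("json (2.19.0)", "json (2.19.4)")

if $PROGRAM_NAME == __FILE__
  { "before" => LOCKFILE_BEFORE, "after" => LOCKFILE_AFTER }.each do |label, lock|
    findings = audit(parse_lockfile_specs(lock))
    puts "#{label}: bundler #{bundled_with(lock)}, #{findings.empty? ? 'ok' : findings.inspect}"
  end
end
```

Run it over each `providers/*/Gemfile.lock` in place of the constructed text to confirm every provider that ships addressable or json is at or above the alert threshold. This check only proves the pin is high enough; whether the pinned version actually exists on RubyGems is a separate, online question that `gem list --remote NAME` or `gem fetch NAME -v VERSION` answers before CI does.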

Contributor

@gemini-code-assist (Bot) left a comment


Code Review

This pull request updates dependency versions in several Gemfile.lock files across different providers. The reviewer identified multiple critical issues: the specified Bundler version (4.0.10) is invalid as it has not been released, and the versions for the 'public_suffix' (7.0.5) and 'json' (2.19.4) gems do not exist on RubyGems, which will lead to build failures.

Comment thread providers/openfeature-flagsmith-provider/Gemfile.lock Outdated
Comment thread providers/openfeature-go-feature-flag-provider/Gemfile.lock Outdated
Comment thread providers/openfeature-go-feature-flag-provider/Gemfile.lock Outdated
Comment thread providers/openfeature-meta_provider/Gemfile.lock
Comment thread providers/openfeature-meta_provider/Gemfile.lock Outdated
@jonathannorris
Member Author

The test_flagd_provider failures are pre-existing and unrelated to this PR — the flagd provider lockfile is unchanged. The failing test checks fractional targeting output for the color-palette-experiment flag, and targeting key "1234" now resolves to #4b5563 (grey) instead of the expected #b91c1c (red). The last passing run was April 1st, so this breakage predates this PR. Looks like it's related to the fractional evaluation hashing change tracked in #73.

- addressable 2.8.7/2.8.9 -> 2.9.0 (high, Dependabot alert 34, 35)
- json 2.19.0 -> 2.19.4 (high, Dependabot alert 29)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris force-pushed the fix/dependabot-alerts branch from 3727b1e to 921cc67 on May 4, 2026 20:35
@jonathannorris marked this pull request as draft on May 8, 2026 20:02

6 participants