fix: override @azure/identity in docs to resolve msal-browser vulnerability #26847
frankmueller-msft wants to merge 2 commits into main from
…bility Override @azure/identity to ^4.13.0 in docs workspace. No patched @azure/msal-browser 3.x exists; the new identity version pulls msal-browser@5.6.1 which resolves the vulnerability. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Updates the docs workspace dependency overrides to eliminate a transitive @azure/msal-browser@3.x vulnerability by forcing a newer @azure/identity version.
Changes:
- Add an override to pin @azure/identity to ^4.13.0 in docs/package.json
- Document the rationale for the override in the “why” comment list
Files not reviewed (1)
- docs/pnpm-lock.yaml: Language not supported
docs/package.json
Outdated
| "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.", | ||
| "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support)." | ||
| "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).", | ||
| "@azure/identity: overridden to ^4.13.0 to pull a patched @azure/msal-browser (no patched 3.x exists)." |
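Review bot: the new rationale string on the last added line cites no advisory identifier, unlike the serialize-javascript entry directly above it (GHSA-5c6j-r48x-rmvq); name the @azure/msal-browser advisory this override resolves, and the affected version, so a later reader can check whether the override is still needed or can be dropped once a patched release lands in the originally requested range.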
Overriding @azure/identity to a higher major/minor than what upstream packages request can introduce runtime incompatibilities for any consumer that expects the older transitive @azure/identity API/behavior (even in docs tooling like @azure/static-web-apps-cli). Consider scoping the override to only the vulnerable chain (if your package manager supports targeted overrides), or also adding a short note in the override rationale/comments about which top-level dependency requires the older version and why ^4.13.0 is known to be compatible in this repo’s docs build.
| "@azure/identity: overridden to ^4.13.0 to pull a patched @azure/msal-browser (no patched 3.x exists)." | |
| "@azure/identity: overridden to ^4.13.0 to pull a patched @azure/msal-browser (no patched 3.x exists). ^4.13.0 has been verified to be API-compatible with all @azure/identity consumers in this docs build." |
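Review bot: the suggested wording asserts that ^4.13.0 "has been verified to be API-compatible with all @azure/identity consumers in this docs build" without saying how that was verified; a rationale comment should record the checkable fact (which top-level dependency requests @azure/identity and what range it declares) rather than a blanket assurance, otherwise the next person bumping the override has nothing to re-check against.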
Good suggestion — updated the comment to note that @azure/static-web-apps-cli is the consumer and that ^4.13.0 is within its declared ^4.3.0 range.
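As an added illustration, not taken from this PR or the repository, the two shapes of a pnpm override that the review comment above contrasts. A blanket entry such as "@azure/identity": "^4.13.0" (the form this PR uses) rewrites every resolution of @azure/identity anywhere in the graph; pnpm also accepts a "parent>child" selector that applies the override only when the package is reached through that parent, which here scopes the fix to the chain the PR summary names. The "overridesWhy" key is an assumption standing in for whatever rationale-list key the docs workspace actually uses; the consumer name and its declared ^4.3.0 range are the ones stated in the thread.

```json
{
  "name": "docs",
  "pnpm": {
    "overrides": {
      "@azure/static-web-apps-cli>@azure/identity": "^4.13.0"
    }
  },
  "overridesWhy": [
    "@azure/identity: overridden to ^4.13.0 only where @azure/static-web-apps-cli (which declares ^4.3.0) requests it, to pull a patched @azure/msal-browser; no patched 3.x exists. Remove this entry once static-web-apps-cli resolves identity >=4.13.0 on its own."
  ]
}
```

After `pnpm install`, `pnpm why @azure/msal-browser` lists the dependency path that now resolves to the patched 5.x release, and `pnpm audit` confirms the advisory no longer appears; checking both before merging records the evidence the rationale comment refers to.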
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
🔗 No broken links found! ✅ Your attention to detail is admirable. linkcheck output
Summary
- Override @azure/identity to ^4.13.0 in the docs workspace to resolve a known vulnerability in @azure/msal-browser@3.30.0
- No patched @azure/msal-browser 3.x exists — the newer identity version pulls msal-browser@5.6.1, which is patched
- 3.30.0 was a transitive dependency via @azure/static-web-apps-cli → @azure/identity@4.5.0
Test plan
🤖 Generated with Claude Code