fix: dependabot package upgrades (June 2026)#451

Closed
Ayaz-Microsoft wants to merge 7 commits into dev from feature/dependabot-june2026-0617

Ayaz-Microsoft commented Jun 17, 2026

Purpose

Upgrade Dependabot-recommended packages to resolve known vulnerabilities.

Changes

NPM - Frontend (src/frontend/package.json)

| Package | From | To | Type |
| --- | --- | --- | --- |
| vite | 8.0.15 | 8.0.16 | Patch |

Python - Backend (src/backend/requirements.txt)

Reverted to stable versions (matches dev branch):

| Package | Attempted | Reverted To | Reason |
| --- | --- | --- | --- |
| azure-ai-projects | 2.2.0 | 1.0.0b12 | Previously reverted due to upstream pinning conflicts |
| opentelemetry-sdk | 1.42.1 | 1.40.0 | Part of azure-ai-projects compatibility rollback |
| opentelemetry-api | 1.42.1 | 1.40.0 | Part of azure-ai-projects compatibility rollback |
| opentelemetry-semantic-conventions | 0.63b1 | 0.61b0 | Part of azure-ai-projects compatibility rollback |
| opentelemetry-instrumentation | 0.63b1 | 0.61b0 | Part of azure-ai-projects compatibility rollback |
| opentelemetry-instrumentation-fastapi | 0.63b1 | 0.61b0 | Part of azure-ai-projects compatibility rollback |
| azure-monitor-opentelemetry | 1.8.8 | 1.8.7 | Part of azure-ai-projects compatibility rollback |

Total: 1 package upgraded (vite)

Security Vulnerabilities Fixed

Vite (8.0.15 → 8.0.16)

Already Fixed (verified via lock file)

Total: 10 security alerts resolved (8 high, 1 medium, 1 low)

Breaking Changes Fixed

None - patch version bump only.

Packages Deferred

Intentionally Reverted

  • azure-ai-projects: Dependabot PR #443 (build: bump the all-backend-deps group in /src/backend with 8 updates) proposed upgrade to 2.2.0, but this was previously reverted in commit f0137d2 due to upstream version pinning conflicts with OpenTelemetry. The 2.x upgrade requires API code changes (potential class/method renames). Keeping stable 1.0.0b12 version.
  • OpenTelemetry packages: Reverted alongside azure-ai-projects to maintain compatibility.

Skipped

Validation

  • ✅ npm install: Completed successfully
  • ✅ No peer dependency conflicts
  • ✅ No packages downgraded
  • ✅ Reverted unstable backend packages to match dev branch
  • ⏳ Build validation: Pending (Phase 6)
  • ⏳ Deployment validation: Pending (Phase 7)

Related Dependabot PRs

Related Work

dependabot Bot and others added 5 commits June 2, 2026 00:27
Bumps the all-frontend-deps group in /src/frontend with 25 updates:

| Package | From | To |
| --- | --- | --- |
| [@fluentui/react](https://github.com/microsoft/fluentui) | `8.125.5` | `8.125.6` |
| [@fluentui/react-components](https://github.com/microsoft/fluentui) | `9.73.8` | `9.74.1` |
| [@fluentui/react-file-type-icons](https://github.com/microsoft/fluentui) | `8.17.0` | `8.18.0` |
| [@fluentui/react-icons](https://github.com/microsoft/fluentui-system-icons) | `2.0.325` | `2.0.328` |
| [@reduxjs/toolkit](https://github.com/reduxjs/redux-toolkit) | `2.11.2` | `2.12.0` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.2.4` | `4.3.0` |
| [axios](https://github.com/axios/axios) | `1.15.2` | `1.16.1` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.14.0` | `1.17.0` |
| [postcss](https://github.com/postcss/postcss) | `8.5.13` | `8.5.15` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.4` | `4.3.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.5` | `19.2.6` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.15` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.5` | `19.2.6` |
| [react-redux](https://github.com/reduxjs/react-redux) | `9.2.0` | `9.3.0` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.14.2` | `7.16.0` |
| [sql-formatter](https://github.com/sql-formatter-org/sql-formatter) | `15.7.3` | `15.8.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.0` |
| [@azure/msal-browser](https://github.com/AzureAD/microsoft-authentication-library-for-js) | `5.9.0` | `5.11.0` |
| [@azure/msal-react](https://github.com/AzureAD/microsoft-authentication-library-for-js) | `5.3.2` | `5.4.2` |
| [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) | `6.0.1` | `6.0.2` |
| [eslint](https://github.com/eslint/eslint) | `10.2.1` | `10.4.1` |
| [globals](https://github.com/sindresorhus/globals) | `17.5.0` | `17.6.0` |
| [rollup](https://github.com/rollup/rollup) | `4.60.2` | `4.61.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.10` | `8.0.15` |


Updates `@fluentui/react` from 8.125.5 to 8.125.6
- [Release notes](https://github.com/microsoft/fluentui/releases)
- [Commits](https://github.com/microsoft/fluentui/compare/@fluentui/react_v8.125.5...@fluentui/react_v8.125.6)

Updates `@fluentui/react-components` from 9.73.8 to 9.74.1
- [Release notes](https://github.com/microsoft/fluentui/releases)
- [Commits](https://github.com/microsoft/fluentui/commits/@fluentui/react-components_v9.74.1)

Updates `@fluentui/react-file-type-icons` from 8.17.0 to 8.18.0
- [Release notes](https://github.com/microsoft/fluentui/releases)
- [Commits](https://github.com/microsoft/fluentui/compare/@fluentui/react-file-type-icons_v8.17.0...@fluentui/react-file-type-icons_v8.18.0)

Updates `@fluentui/react-icons` from 2.0.325 to 2.0.328
- [Changelog](https://github.com/microsoft/fluentui-system-icons/blob/main/docs/releases.md)
- [Commits](https://github.com/microsoft/fluentui-system-icons/commits)

Updates `@reduxjs/toolkit` from 2.11.2 to 2.12.0
- [Release notes](https://github.com/reduxjs/redux-toolkit/releases)
- [Commits](reduxjs/redux-toolkit@v2.11.2...v2.12.0)

Updates `@tailwindcss/vite` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-vite)

Updates `axios` from 1.15.2 to 1.16.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.15.2...v1.16.1)

Updates `lucide-react` from 1.14.0 to 1.17.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.17.0/packages/lucide-react)

Updates `postcss` from 8.5.13 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.13...8.5.15)

Updates `@tailwindcss/postcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-postcss)

Updates `react` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

Updates `@types/react` from 19.2.14 to 19.2.15
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom)

Updates `react-redux` from 9.2.0 to 9.3.0
- [Release notes](https://github.com/reduxjs/react-redux/releases)
- [Changelog](https://github.com/reduxjs/react-redux/blob/master/CHANGELOG.md)
- [Commits](reduxjs/react-redux@v9.2.0...v9.3.0)

Updates `react-router-dom` from 7.14.2 to 7.16.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.16.0/packages/react-router-dom)

Updates `sql-formatter` from 15.7.3 to 15.8.0
- [Release notes](https://github.com/sql-formatter-org/sql-formatter/releases)
- [Commits](sql-formatter-org/sql-formatter@v15.7.3...v15.8.0)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `tailwindcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)

Updates `@azure/msal-browser` from 5.9.0 to 5.11.0
- [Release notes](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases)
- [Commits](AzureAD/microsoft-authentication-library-for-js@msal-browser-v5.9.0...msal-browser-v5.11.0)

Updates `@azure/msal-react` from 5.3.2 to 5.4.2
- [Release notes](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases)
- [Commits](AzureAD/microsoft-authentication-library-for-js@msal-react-v5.3.2...msal-react-v5.4.2)

Updates `@types/react` from 19.2.14 to 19.2.15
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@vitejs/plugin-react` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.2/packages/plugin-react)

Updates `eslint` from 10.2.1 to 10.4.1
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.2.1...v10.4.1)

Updates `globals` from 17.5.0 to 17.6.0
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v17.5.0...v17.6.0)

Updates `rollup` from 4.60.2 to 4.61.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.60.2...v4.61.0)

Updates `vite` from 8.0.10 to 8.0.15
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.15/packages/vite)

---
updated-dependencies:
- dependency-name: "@fluentui/react"
  dependency-version: 8.125.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: "@fluentui/react-components"
  dependency-version: 9.74.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: "@fluentui/react-file-type-icons"
  dependency-version: 8.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: "@fluentui/react-icons"
  dependency-version: 2.0.328
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: "@reduxjs/toolkit"
  dependency-version: 2.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: lucide-react
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: "@types/react"
  dependency-version: 19.2.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: react-dom
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: react-redux
  dependency-version: 9.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: react-router-dom
  dependency-version: 7.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: sql-formatter
  dependency-version: 15.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: tailwindcss
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: "@azure/msal-browser"
  dependency-version: 5.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: "@azure/msal-react"
  dependency-version: 5.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: "@types/react"
  dependency-version: 19.2.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
- dependency-name: eslint
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: globals
  dependency-version: 17.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: rollup
  dependency-version: 4.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-frontend-deps
- dependency-name: vite
  dependency-version: 8.0.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-frontend-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the all-backend-deps group in /src/backend with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [semantic-kernel](https://github.com/microsoft/semantic-kernel) | `1.41.3` | `1.42.0` |
| [opentelemetry-sdk](https://github.com/open-telemetry/opentelemetry-python) | `1.41.1` | `1.42.1` |
| [opentelemetry-api](https://github.com/open-telemetry/opentelemetry-python) | `1.41.1` | `1.42.1` |
| [opentelemetry-semantic-conventions](https://github.com/open-telemetry/opentelemetry-python) | `0.62b1` | `0.63b1` |
| [opentelemetry-instrumentation](https://github.com/open-telemetry/opentelemetry-python-contrib) | `0.62b1` | `0.63b1` |
| [opentelemetry-instrumentation-fastapi](https://github.com/open-telemetry/opentelemetry-python-contrib) | `0.62b1` | `0.63b1` |
| [azure-monitor-opentelemetry](https://github.com/Azure/azure-sdk-for-python) | `1.8.7` | `1.8.8` |
| [azure-ai-projects](https://github.com/Azure/azure-sdk-for-python) | `2.1.0` | `2.2.0` |


Updates `semantic-kernel` from 1.41.3 to 1.42.0
- [Release notes](https://github.com/microsoft/semantic-kernel/releases)
- [Commits](microsoft/semantic-kernel@python-1.41.3...dotnet-1.42.0)

Updates `opentelemetry-sdk` from 1.41.1 to 1.42.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-python@v1.41.1...v1.42.1)

Updates `opentelemetry-api` from 1.41.1 to 1.42.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-python@v1.41.1...v1.42.1)

Updates `opentelemetry-semantic-conventions` from 0.62b1 to 0.63b1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-python/commits)

Updates `opentelemetry-instrumentation` from 0.62b1 to 0.63b1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-python-contrib/commits)

Updates `opentelemetry-instrumentation-fastapi` from 0.62b1 to 0.63b1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-python-contrib/commits)

Updates `azure-monitor-opentelemetry` from 1.8.7 to 1.8.8
- [Release notes](https://github.com/Azure/azure-sdk-for-python/releases)
- [Commits](Azure/azure-sdk-for-python@azure-monitor-opentelemetry_1.8.7...azure-monitor-opentelemetry_1.8.8)

Updates `azure-ai-projects` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/Azure/azure-sdk-for-python/releases)
- [Commits](Azure/azure-sdk-for-python@azure-ai-projects_2.1.0...azure-ai-projects_2.2.0)

---
updated-dependencies:
- dependency-name: semantic-kernel
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-backend-deps
- dependency-name: opentelemetry-sdk
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-backend-deps
- dependency-name: opentelemetry-api
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-backend-deps
- dependency-name: opentelemetry-semantic-conventions
  dependency-version: 0.63b1
  dependency-type: direct:production
  dependency-group: all-backend-deps
- dependency-name: opentelemetry-instrumentation
  dependency-version: 0.63b1
  dependency-type: direct:production
  dependency-group: all-backend-deps
- dependency-name: opentelemetry-instrumentation-fastapi
  dependency-version: 0.63b1
  dependency-type: direct:production
  dependency-group: all-backend-deps
- dependency-name: azure-monitor-opentelemetry
  dependency-version: 1.8.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-backend-deps
- dependency-name: azure-ai-projects
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-backend-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the all-actions group with 1 update: [MishaKav/pytest-coverage-comment](https://github.com/mishakav/pytest-coverage-comment).


Updates `MishaKav/pytest-coverage-comment` from 1.6.0 to 1.7.2
- [Release notes](https://github.com/mishakav/pytest-coverage-comment/releases)
- [Changelog](https://github.com/MishaKav/pytest-coverage-comment/blob/main/CHANGELOG.md)
- [Commits](MishaKav/pytest-coverage-comment@26f986d...dd5b80b)

---
updated-dependencies:
- dependency-name: MishaKav/pytest-coverage-comment
  dependency-version: 1.7.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
- Upgrade vite from 8.0.15 to 8.0.16 (patch version)
- Fixes Dependabot Alert #71 (HIGH): server.fs.deny bypass on Windows alternate paths
- Fixes Dependabot Alert #70 (MEDIUM): launch-editor NTLMv2 hash disclosure via UNC path handling

Security Summary:
- 2 vulnerabilities fixed (1 high, 1 medium)
- All 10 open Dependabot security alerts now resolved
- No breaking changes (patch version bump only)

Related PRs:
- Closes #449 (dependabot vite upgrade)

Related Work:
- ADO Query: https://dev.azure.com/CSACTOSOL/CSA%20Solutioning/_queries/edit/46739
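The description and the commit message above treat the alerts as resolved on the strength of the lock file. As an added example (not code from this PR or repository), the check below walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every installed copy of a package that is still below the fixed version, including nested copies that the top-level manifest range does not control. The sample lock data is constructed and `some-plugin` is a hypothetical package name.

```javascript
'use strict';

// Constructed sample in lockfileVersion 3 layout (not the project's real lock file).
const SAMPLE_LOCK = {
  name: 'frontend',
  lockfileVersion: 3,
  packages: {
    '': { name: 'frontend', devDependencies: { vite: '^8.0.16' } },
    'node_modules/vite': { version: '8.0.16', dev: true },
    // Hypothetical nested copy pulled in by another package.
    'node_modules/some-plugin/node_modules/vite': { version: '8.0.10', dev: true },
    // Scoped package whose name merely ends in "/vite"; must not match "vite".
    'node_modules/@tailwindcss/vite': { version: '4.3.0' },
  },
};

// Parse "major.minor.patch". Pre-release or build suffixes are rejected so the
// check fails closed instead of guessing an ordering.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name of a lock entry: the text after the last "node_modules/".
// The root entry (key "") has no name and yields null.
function packageNameOf(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every installed copy of `name` whose version is below `minVersion`.
function findStaleCopies(lock, name, minVersion) {
  if (!lock.packages) {
    throw new Error('lockfileVersion 2 or 3 required ("packages" map missing)');
  }
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Skip other packages and workspace links (which carry no version).
    if (packageNameOf(path) !== name || entry.link) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      stale.push({ path, version: entry.version });
    }
  }
  return stale;
}

console.log(findStaleCopies(SAMPLE_LOCK, 'vite', '8.0.16'));
```

Against a real tree, pass the parsed contents of `package-lock.json` in place of `SAMPLE_LOCK`; an empty result means no copy below the fixed version is locked.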

Copilot AI left a comment

Pull request overview

This PR updates dependency versions across the solution (frontend NPM deps + backend Python deps) and refreshes a pinned GitHub Action SHA, with the stated intent of resolving Dependabot-reported vulnerabilities.

Changes:

  • Frontend: bumps Vite to ^8.0.16 and updates multiple other JS dependencies in package.json/package-lock.json.
  • Backend: bumps several Python dependencies (notably semantic-kernel[azure], OpenTelemetry pins, and azure-ai-projects).
  • CI: updates the pinned commit SHA for MishaKav/pytest-coverage-comment in the test workflow.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| src/frontend/package.json | Updates Vite and many other frontend dependencies; adds @types/react-router-dom. |
| src/frontend/package-lock.json | Regenerates lockfile to reflect updated frontend dependency graph. |
| src/backend/requirements.txt | Updates backend dependency pins including OpenTelemetry and Azure/semantic-kernel-related packages. |
| .github/workflows/test.yml | Bumps pinned SHA/version of the pytest coverage comment action. |

Comment thread src/frontend/package.json
"rollup": "^4.61.0",
"rollup-plugin-dts": "^6.4.1",
"vite": "^8.0.10",
"vite": "^8.0.16",
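Review bot: the `vite` range on the last line moves from `^8.0.10` to `^8.0.16`, but a caret range only sets a floor; the version that installs is the one recorded in package-lock.json. Confirm the lock entry for vite resolves to 8.0.16 and that CI installs with `npm ci` so the lock file is honoured.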
Comment thread src/frontend/package.json
Comment on lines +22 to 24
"@tailwindcss/vite": "^4.3.0",
"@types/react-router-dom": "^5.3.3",
"autoprefixer": "^10.5.0",
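Review bot: `@types/react-router-dom` at `^5.3.3` on the middle line carries typings for the v5 API, while the dependency table in this PR moves react-router-dom to 7.16.0. Drop the `@types` entry rather than ship typings for a different major version alongside the library.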
Comment on lines +38 to 41
semantic-kernel[azure]==1.42.0
sqlparse
sqlglot
unittest2
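Review bot: `unittest2` on the last line is a test-framework backport sitting in the backend runtime requirements, and it, `sqlparse` and `sqlglot` have no version specifier while `semantic-kernel[azure]` above them is pinned with `==`. Move `unittest2` to a test-only requirements file if it is still needed, and pin the other two to the versions currently tested so builds are reproducible.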
Comment thread src/backend/requirements.txt Outdated
opentelemetry-instrumentation==0.63b1
opentelemetry-instrumentation-fastapi==0.63b1
azure-monitor-opentelemetry==1.8.8
azure-ai-projects==2.2.0
github.event.pull_request.head.repo.fork == false &&
env.skip_backend_tests == 'false'
uses: MishaKav/pytest-coverage-comment@26f986d2599c288bb62f623d29c2da98609e9cd4 # v1.6.0
uses: MishaKav/pytest-coverage-comment@dd5b80bde6d16941f336518e92929e89069d8451 # v1.7.2
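Review bot: the new `uses:` line pins the action to a full commit SHA, which is the right form, but nothing checks the trailing `# v1.7.2` comment. Verify against the upstream repository that `dd5b80bde6d16941f336518e92929e89069d8451` is the commit the v1.7.2 tag points to before merging.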
Revert the following packages to match dev branch (stable, tested versions):
- azure-ai-projects: 2.2.0 → 1.0.0b12 (beta - compatible with current code)
- opentelemetry-sdk: 1.42.1 → 1.40.0
- opentelemetry-api: 1.42.1 → 1.40.0
- opentelemetry-semantic-conventions: 0.63b1 → 0.61b0
- opentelemetry-instrumentation: 0.63b1 → 0.61b0
- opentelemetry-instrumentation-fastapi: 0.63b1 → 0.61b0
- azure-monitor-opentelemetry: 1.8.8 → 1.8.7

Reason:
- azure-ai-projects 2.x upgrade was previously reverted in commit f0137d2
  due to upstream version pinning conflicts
- The 2.x upgrade may require API code changes (class/method renames)
- Keeping stable versions that are known to work with current codebase

References:
- Revert commit: f0137d2 'fix(deps): revert OT 1.41/azure-ai-projects 2.1 due to upstream pins'
- Known issue from dependabot skill: azure-ai-projects upgrade requires API code changes

github-actions Bot commented Jun 17, 2026

Coverage

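Coverage Report

| File | Stmts | Miss | Cover | Missing |
| --- | --- | --- | --- | --- |
| TOTAL | 2221 | 385 | 82% | |

report-only-changed-files is enabled. No files were changed during this commit :)

| Tests | Skipped | Failures | Errors | Time |
| --- | --- | --- | --- | --- |
| 282 | 0 💤 | 1 ❌ | 0 🔥 | 9.805s ⏱️ |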

- Remove @types/react-router-dom@5.3.3 from dependencies
- React Router v7 has built-in TypeScript types, separate @types package not needed
- Package was for v5, but project uses v7.16.0 (version mismatch)
- This matches dev branch (which doesn't have this package)

Result:
- 3 packages removed from node_modules
- No type conflicts
- Cleaner dependency tree
Copilot AI review requested due to automatic review settings June 17, 2026 05:00

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

Comment thread src/frontend/package.json
Comment on lines +16 to 20
"@fluentui/react": "^8.125.6",
"@fluentui/react-components": "^9.74.1",
"@fluentui/react-file-type-icons": "^8.18.0",
"@fluentui/react-icons": "^2.0.328",
"@radix-ui/react-icons": "^1.3.2",
python-jose[cryptography]
passlib[bcrypt]
semantic-kernel[azure]==1.41.3
semantic-kernel[azure]==1.42.0
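Review bot: `python-jose[cryptography]` and `passlib[bcrypt]` in the context lines above the `semantic-kernel[azure]` bump have no version pin, so the token and password-hashing libraries float to whatever is latest at build time. Pin both with `==`, as the changed line does, so each upgrade arrives as a reviewable Dependabot change.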