Skip to content

Benjaming/fix vulnerable dependencies#27

Merged
bgn64 merged 6 commits into
mainfrom
benjaming/fix-vulnerable-dependencies
Oct 10, 2025
Merged

Benjaming/fix vulnerable dependencies#27
bgn64 merged 6 commits into
mainfrom
benjaming/fix-vulnerable-dependencies

Conversation

@bgn64

@bgn64 bgn64 commented Oct 9, 2025

Copy link
Copy Markdown
Contributor

No description provided.

Copilot AI review requested due to automatic review settings October 9, 2025 22:04

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the C# tree-sitter submodule to fix vulnerable dependencies by switching from the official tree-sitter repository to a forked version and updating the commit reference.

  • Updated the submodule URL from the official tree-sitter/csharp-tree-sitter to bgn64/csharp-tree-sitter fork
  • Updated the submodule commit hash to a newer version

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/external/tree-sitter/csharp-tree-sitter Updated submodule commit hash to newer version
.gitmodules Changed submodule URL from official repository to bgn64 fork

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread .gitmodules

@jhpohovey jhpohovey left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

temporary fix while waiting for the third party to update their dependencies

@bgn64 bgn64 merged commit 026a040 into main Oct 10, 2025
6 checks passed
pull Bot pushed a commit to ehtick/profile-explorer that referenced this pull request May 12, 2026
…dates

Walks new SHAs outward from a 4-line lockfile-only change in the upstream
tree-sitter project's Jekyll docs site, clearing four security advisories:

- json 2.15.1 -> 2.15.2.1 (format-string injection)
- addressable 2.8.7 -> 2.9.0 (URI-template ReDoS)
- nokogiri 1.18.10 -> 1.19.3, both x64-mingw-ucrt and x86_64-linux-gnu
  platform variants (CSS-selector ReDoS)

Inner change: bgn64/tree-sitter@profile-explorer 00e55c42 -> ad70650e
Middle bump: bgn64/csharp-tree-sitter@profile-explorer 66f35bc4 -> 2e54cfb5
Outer bump: src/external/tree-sitter/csharp-tree-sitter pointer

Profile Explorer does not build or ship these gems; the lockfile is only
flagged because it's checked in. Same propagation pattern as PR microsoft#27
(commit 026a040).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants