Skip to content

[v5] Address CVEs#8189

Closed
sameerag wants to merge 27 commits intomsal-v5from
cves-dec-2025-v5
Closed

[v5] Address CVEs#8189
sameerag wants to merge 27 commits intomsal-v5from
cves-dec-2025-v5

Conversation

@sameerag
Copy link
Member

@sameerag sameerag commented Dec 8, 2025
edited
Loading

Address CVE alerts for msal-v5

@sameerag sameerag marked this pull request as ready for review December 9, 2025 00:16
@sameerag sameerag requested review from a team as code owners December 9, 2025 00:16
Copilot AI review requested due to automatic review settings December 9, 2025 00:16
Copilot AI reviewed Dec 9, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to address CVEs by updating multiple dependencies across sample applications and libraries. The updates include axios, nodemon, Playwright, Electron, Angular packages, and other dependencies to newer versions that presumably fix security vulnerabilities.

Key changes:

  • Security dependency updates across sample applications (axios, nodemon, Playwright, Electron, Angular packages)
  • Updates to @azure/identity, semver, and puppeteer packages
  • Formatting changes to package.json files (indentation standardization)

Reviewed changes

Copilot reviewed 22 out of 23 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
samples/msal-node-samples/silent-flow/package.json Updated axios to ^1.12.0
samples/msal-node-samples/on-behalf-of-distributed-cache/package.json Updated axios to ^1.12.0, nodemon to ^3.1.11, formatting changes
samples/msal-node-samples/custom-INetworkModule-and-network-tracing/package.json Updated axios to 1.12.0
samples/msal-node-samples/client-credentials-distributed-cache/package.json Updated axios to ^1.12.0, nodemon to ^3.1.11, formatting changes
samples/msal-node-samples/b2c-user-flows/package.json Updated axios to ^1.12.0
samples/msal-node-samples/auth-code-key-vault/package.json Updated @azure/identity to ^4.5.0, formatting changes
samples/msal-node-samples/auth-code-distributed-cache/package.json Updated axios to ^1.12.0, nodemon to ^3.1.11, formatting changes
samples/msal-node-samples/auth-code-cli-app/package.json Updated axios to ^1.12.0
samples/msal-node-samples/ElectronSystemBrowserTestApp/package.json Updated @playwright/test to ^1.56.0, electron to ^36.9.5, axios to ^1.12.0
samples/msal-browser-samples/TestingSample/package.json Updated @playwright/test to ^1.56.0, formatting changes
samples/msal-browser-samples/HybridSample/package.json Updated nodemon to ^3.1.11
samples/msal-browser-samples/ExpressSample/package.json Updated nodemon to ^3.1.11
samples/msal-browser-samples/COOP/sts/package.json Updated @playwright/test to ^1.56.0, formatting changes
samples/msal-browser-samples/COOP/package.json Updated @playwright/test to ^1.56.0, electron to ^36.9.5, formatting changes
samples/msal-angular-samples/angular-standalone-sample/package.json Updated Angular packages to 20.3.x versions
samples/msal-angular-samples/angular-modules-sample/package.json Updated Angular packages to 20.3.x versions
samples/msal-angular-samples/angular-b2c-sample/package.json Updated Angular packages to 20.3.x and 20.2.x versions, fixed karma formatting
samples/e2eTestUtils/package.json Updated axios to ^1.12.0, playwright-core to ^1.56.0, puppeteer to ^24.29.0
package.json Updated @angular/compiler to ^19.2.17, semver to ^7.7.3
lib/msal-angular/package.json Updated Angular dev dependencies to 19.2.15/16 versions
extensions/samples/electron-webpack/package.json Updated electron to ^36.9.5, formatting changes
change/@azure-msal-angular-e230b80b-b14b-4696-9d63-ad0fcbb416be.json Added beachball changefile for the CVE fixes

Copilot AI mentioned this pull request Dec 9, 2025
Closed
Copy link
Contributor

Copilot AI commented Dec 9, 2025

@sameerag I've opened a new pull request, #8192, to work on those changes. Once the pull request is ready, I'll request review from you.

sameerag and others added 4 commits December 8, 2025 16:26
@sameerag
Update lib/msal-angular/package.json
9f7feb6 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@sameerag
Update samples/msal-angular-samples/angular-b2c-sample/package.json
98a26ed 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@sameerag
Update samples/msal-angular-samples/angular-modules-sample/package.json
f6760b6 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@sameerag
Update samples/msal-angular-samples/angular-standalone-sample/package…
f455ae8 
….json

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sameerag
sameerag commented Dec 9, 2025
View reviewed changes
sameerag and others added 9 commits December 8, 2025 21:19
@sameerag
Update change/@azure-msal-angular-e230b80b-b14b-4696-9d63-ad0fcbb416b…
1ab9f66 
…e.json
@hectormmg @sameerag
[v5] Update beachball filter logic (#8190)
ca3226a 
New branch naming isn't caught by the existing beachball branch filter,
causing beachball check not to be skipped in post-release PRs.
@msal-js-release-automation @konstantin-msft @sameerag
Release PR: beta (#8188)
0e04ee0 
This PR contains the changelogs and version bumps for the MSAL.js 3P
releases.

---------

Co-authored-by: MSAL.js Release Automation <msaljsbuilds@microsoft.com>
Co-authored-by: Konstantin <kshabelko@microsoft.com>
@konstantin-msft @sameerag
Use cross-env for environment variable management in build scripts (#…
e276bf0 
…8191)

Use cross-env for environment variable management in build scripts
@sameerag
Merge branch 'msal-v5' into cves-dec-2025-v5
3a21a1f
@sameerag
Update to existing packages - undo copilot suggestions
060b5a8
@sameerag
Change files
51c2d64
@sameerag
Merge branch 'msal-v5' into cves-dec-2025-v5
c6aee56
@sameerag
Update angular sample
5d774dd
peterzenz
peterzenz previously approved these changes Dec 12, 2025
View reviewed changes
tnorling
tnorling previously approved these changes Dec 12, 2025
View reviewed changes
lalimasharda
lalimasharda previously approved these changes Dec 12, 2025
View reviewed changes
@sameerag sameerag dismissed stale reviews from lalimasharda, tnorling, and peterzenz via 7e24dff December 12, 2025 19:59
@sameerag sameerag enabled auto-merge (squash) December 12, 2025 19:59
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Dec 29, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jan 8, 2026
@jo-arroyo jo-arroyo mentioned this pull request Jan 15, 2026
Closed
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Feb 2, 2026
@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Feb 10, 2026
@sameerag
Copy link
Member Author

sameerag commented Feb 20, 2026

@jo-arroyo Closing this as you are addressing them.

@sameerag sameerag closed this Feb 20, 2026
auto-merge was automatically disabled February 20, 2026 23:06

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@tnorling tnorling tnorling left review comments

@peterzenz peterzenz peterzenz left review comments

@lalimasharda lalimasharda lalimasharda left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@sameerag @tnorling @peterzenz @lalimasharda @hectormmg @konstantin-msft @jo-arroyo