Skip to content

deps: remove unused c8 and update cross-spawn resolution#16845

Open
RinZ27 wants to merge 1 commit intoGoogleChrome:mainfrom
RinZ27:fix/cross-spawn-vulnerability
Open

deps: remove unused c8 and update cross-spawn resolution#16845
RinZ27 wants to merge 1 commit intoGoogleChrome:mainfrom
RinZ27:fix/cross-spawn-vulnerability

Conversation

@RinZ27
Copy link

@RinZ27 RinZ27 commented Jan 17, 2026
edited
Loading

I removed c8 and its related coverage configurations since we're not really using it anymore. This naturally resolves the security alerts caused by the older cross-spawn version that c8 was pulling in, while also cleaning up some technical debt.

I've also kept the cross-spawn resolution just to be safe in case any other transitive deps are still hitting it, but the primary fix was stripping out the unused dependency as suggested.

@RinZ27 RinZ27 requested a review from a team as a code owner January 17, 2026 14:13
@RinZ27 RinZ27 requested review from connorjclark and removed request for a team January 17, 2026 14:13
@RinZ27 RinZ27 changed the title [Security] Force cross-spawn to v7.0.6 via resolutions fix(deps): resolve cross-spawn to v7.0.6 to fix vulnerabilities Jan 17, 2026
@RinZ27 RinZ27 changed the title fix(deps): resolve cross-spawn to v7.0.6 to fix vulnerabilities deps: resolve cross-spawn to v7.0.6 to fix vulnerabilities Jan 17, 2026
@connorjclark
Copy link
Collaborator

connorjclark commented Jan 18, 2026

I'd rather just update whatever dep is pulling this in. I think it's c8, which we don't really use anymore and should just remove.

@RinZ27
Copy link
Author

RinZ27 commented Jan 18, 2026
edited
Loading

@connorjclark Agreed. If we're not using c8 anymore, dropping it is a much better long-term fix than patching the transitive dep. I'll check the build/test configs and strip it out.

@RinZ27 RinZ27 force-pushed the fix/cross-spawn-vulnerability branch from a80119f to 96348be Compare January 18, 2026 12:42
@RinZ27 RinZ27 changed the title deps: resolve cross-spawn to v7.0.6 to fix vulnerabilities chore: remove unused c8 and update cross-spawn resolution Jan 20, 2026
@RinZ27
Copy link
Author

RinZ27 commented Jan 20, 2026
edited
Loading

@connorjclark Done. I've stripped out c8 and cleaned up the related coverage configurations as we discussed, which I believe is a much cleaner approach. This also naturally resolves the cross-spawn vulnerability. I noticed the Vercel preview build is failing, but after checking my changes, I suspect it might be an environment issue or unrelated to the dependency removal—could you or someone else on the team take a look when you have a moment?

@RinZ27 RinZ27 changed the title chore: remove unused c8 and update cross-spawn resolution deps: remove unused c8 and update cross-spawn resolution Jan 20, 2026
KrrishSR4
KrrishSR4 reviewed Jan 24, 2026
View reviewed changes
Copy link

@KrrishSR4 KrrishSR4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the changes.

Removing the unused c8 dependency makes sense and effectively addresses the cross-spawn vulnerability while reducing technical debt. Keeping the resolution as a safety net also looks reasonable.

LGTM 👍

@RinZ27
Copy link
Author

RinZ27 commented Jan 25, 2026

@KrrishSR4 Appreciate the feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@connorjclark connorjclark Awaiting requested review from connorjclark connorjclark is a code owner automatically assigned from GoogleChrome/lighthouse-hackers

1 more reviewer

@KrrishSR4 KrrishSR4 KrrishSR4 left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@RinZ27 @connorjclark @KrrishSR4