
chore(deps): fix dependabot security alerts via overrides and lockfile updates #166

Merged
Aidosmf merged 17 commits into main from Aidosmf/fix-dependabot-alerts
Mar 31, 2026

Conversation

Aidosmf (Collaborator) commented Mar 31, 2026

Summary

  • Fix 15 out of 16 dependabot security alerts by adding pnpm overrides and updating transitive dependencies in the lockfile
  • Vulnerabilities addressed include prototype pollution (flatted, lodash, js-yaml), ReDoS (picomatch, ajv, micromatch), DoS (zod, brace-expansion, serialize-javascript, bn.js, qs), SSRF (webpack), and other issues (esbuild, nanoid, yaml)
  • elliptic (chore: 🤖 update versions #75) has no upstream fix available and remains unresolved

Packages updated

| Package | From | To | Method |
| --- | --- | --- | --- |
| flatted | 3.3.3 | 3.4.2 | override |
| picomatch | 2.3.1 / 4.0.2 | 2.3.2 / 4.0.4 | lockfile update |
| lodash | 4.17.21 | 4.17.23 | override |
| brace-expansion | 2.0.2 | 2.0.3 | override |
| serialize-javascript | 7.0.4 | 7.0.5 | override update |
| bn.js | 4.12.2 / 5.2.2 | 4.12.3 / 5.2.3 | lockfile update |
| ajv | 6.12.6 / 8.17.1 | 6.14.0 / 8.18.0 | override + update |
| zod | 3.13.4 | 3.22.4 | override |
| micromatch | 3.1.10 / 4.0.5 | 4.0.8 | override |
| js-yaml | 3.14.1 / 4.1.0 | 3.14.2 / 4.1.1 | lockfile update |
| esbuild | 0.24.2 | removed (0.25.7 only) | override |
| nanoid | 5.0.7 | removed (3.3.11 / 5.1.5 only) | override |
| yaml | 1.10.2 / 2.3.1 | 1.10.3 / 2.8.3 | override + update |
| qs | 6.14.1 | 6.15.0 | override update |
| webpack | 5.99.9 | 5.105.4 | override |

Test plan

  • Verify pnpm install succeeds without errors
  • Verify pnpm audit no longer reports the 15 fixed alerts
  • Run pnpm build to confirm no breakage from overrides
  • Run pnpm test to confirm no regressions
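The "pnpm audit" step of the test plan, as an added example that is not part of the PR: a small Node script that reads a pnpm-lock.yaml and flags any package still resolved below the first fixed version the overrides in this PR target. The floor versions are taken from the commit messages in the PR (ajv is left out because its override was reverted, elliptic because it has no fixed version); the lockfile text is a constructed sample, and the `packages:` key layout assumed is that of pnpm lockfile v6/v9.

```javascript
// Added example, not code from the PR: flag packages in a pnpm-lock.yaml still below the
// first fixed version each override here targets (ajv reverted, elliptic unfixed: skipped).
const FLOORS = {
  flatted: { 3: "3.4.2" }, lodash: { 4: "4.17.23" }, zod: { 3: "3.22.3" },
  picomatch: { 2: "2.3.2", 4: "4.0.4" }, "brace-expansion": { 2: "2.0.3" },
  "serialize-javascript": { 7: "7.0.5" }, "bn.js": { 4: "4.12.3", 5: "5.2.3" },
  micromatch: { 3: "4.0.8", 4: "4.0.8" }, "js-yaml": { 3: "3.14.2", 4: "4.1.1" },
  esbuild: { 0: "0.25.0" }, yaml: { 1: "1.10.3", 2: "2.8.3" }, qs: { 6: "6.14.2" },
  webpack: { 5: "5.104.1" }, nanoid: { 4: "5.0.9", 5: "5.0.9" }, // 4.0.0-5.0.8 vulnerable
};
// Numeric compare of dotted versions; a prerelease suffix is ignored.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// [name, version] pairs from the `packages:` section; handles v6 keys
// ("/name@1.2.3(peer@x)") and v9 keys ("name@1.2.3"), quoted or bare.
function lockedPackages(lockText) {
  const out = [];
  let inPackages = false;
  for (const line of lockText.split("\n")) {
    if (/^\S/.test(line)) { inPackages = line.startsWith("packages:"); continue; }
    const m = inPackages && line.match(/^  '?\/?(@?[^@'\s]+)@([^'(:\s]+)/);
    if (m) out.push([m[1], m[2]]);
  }
  return out;
}
// Every locked package whose version is below the floor for its major line.
function findStale(lockText) {
  const stale = [];
  for (const [name, version] of lockedPackages(lockText)) {
    const floor = FLOORS[name]?.[Number(version.split(".")[0])];
    if (floor && cmpVersion(version, floor) < 0) stale.push(`${name}@${version}`);
  }
  return stale;
}

// Constructed sample lockfile (v9 layout): lodash and nanoid are still stale.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  flatted@3.4.2:
    resolution: {integrity: sha512-constructed}
  lodash@4.17.21:
  '@types/node@20.0.0':
  nanoid@5.0.7:
snapshots:
  lodash@4.17.21: {}
`;
```

Run it against a real lockfile with `findStale(require("fs").readFileSync("pnpm-lock.yaml", "utf8"))`; an empty result means every package in the table is at or above its floor.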

Aidosmf and others added 15 commits March 31, 2026 12:03
Override flatted to ^3.4.2 to fix Prototype Pollution via parse() and
unbounded recursion DoS in parse() revive phase.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update picomatch 2.3.1 to 2.3.2 and 4.0.2 to 4.0.4 to fix ReDoS
vulnerability via extglob quantifiers and method injection in POSIX
character classes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override lodash to ^4.17.23 to fix Prototype Pollution in _.unset and
_.omit functions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override brace-expansion to ^2.0.3 to fix zero-step sequence causing
process hang and memory exhaustion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update serialize-javascript override from ^7.0.3 to ^7.0.5 to fix CPU
exhaustion DoS via crafted array-like objects.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update bn.js 4.12.2 to 4.12.3 and 5.2.2 to 5.2.3 to fix infinite loop
vulnerability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override ajv to >=6.14.0 and update to 8.18.0 to fix ReDoS
vulnerability when using the $data option.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override zod to ^3.22.3 to fix denial of service vulnerability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override micromatch to ^4.0.8 to fix Regular Expression Denial of
Service vulnerability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update js-yaml 3.14.1 to 3.14.2 and 4.1.0 to 4.1.1 to fix prototype
pollution via merge (<<) operator.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override esbuild to ^0.25.0 to fix vulnerability allowing any website
to send requests to the development server and read the response.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override nanoid to exclude vulnerable range (4.0.0-5.0.8) to fix
predictable results when given non-integer values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override yaml to >=1.10.3 (v1) and >=2.8.3 (v2) to fix Stack Overflow
vulnerability via deeply nested YAML collections.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update qs override from ^6.14.1 to ^6.14.2 to fix arrayLimit bypass in
comma parsing allowing denial of service.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Override webpack to ^5.104.1 to fix buildHttp HttpUriPlugin allowedUris
bypass via HTTP redirects and URL userinfo leading to SSRF.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

changeset-bot bot commented Mar 31, 2026

⚠️ No Changeset found

Latest commit: 8e84191

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


Aidosmf and others added 2 commits March 31, 2026 12:22
ajv@8.18.0 introduces stricter schema validation that breaks the tsdoc
eslint plugin. Pin ajv@8 to <8.18.0 while keeping the 6.x fix at 6.14.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove ajv override as it causes incompatibilities: ajv@8.18.0 breaks
eslint tsdoc plugin and overriding to 6.x breaks ajv-formats. The ajv
vulnerabilities require upstream fixes in @microsoft/tsdoc-config and
eslint-plugin-tsdoc.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Aidosmf Aidosmf merged commit 1aff8c1 into main Mar 31, 2026
6 checks passed
@Aidosmf Aidosmf deleted the Aidosmf/fix-dependabot-alerts branch March 31, 2026 07:40