fix: resolve 7 dependency security vulnerabilities (4 high, 3 medium) #548
Open
vicperdana wants to merge 1 commit into
Conversation
Force-pin transitive dependencies via npm overrides to address all open Dependabot alerts. No source-code changes required.

Pinned versions:
- fast-uri ^3.1.2 (was 3.1.0) fixes #69, #70
- lodash ^4.18.1 (was 4.17.23) fixes #66, #67
- picomatch ^2.3.2 (was 2.3.1) fixes #61, #62
- serialize-javascript ^7.0.5 (was 7.0.4) fixes #65

Detail:
- GHSA-q3j6-qgpj-74h6 / CVE-2026-6321 fast-uri path traversal (high) #69
- GHSA-v39h-62p7-jpjc / CVE-2026-6322 fast-uri host confusion (high) #70
- GHSA-r5fr-rjxr-66jc / CVE-2026-4800 lodash code injection (high) #66
- GHSA-f23m-r3pf-42rh / CVE-2026-2950 lodash prototype pollution (medium) #67
- GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 picomatch ReDoS (high) #61
- GHSA-3v7f-55p6-f55p / CVE-2026-33672 picomatch method injection (medium) #62
- GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 serialize-javascript DoS (medium, dev) #65

Validation:
- npm audit reports 0 vulnerabilities
- All resolved versions verified in package-lock.json
- npm run pack loads the full @secretlint/@vscode/vsce dependency chain successfully (existing engines.vscode pre-flight error is unrelated)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Closes all 7 open Dependabot alerts on `main`. All findings are transitive npm dependencies; no source-code changes are required.

Following the pattern established in #539, each vulnerable transitive is force-pinned to its first patched version via the npm `overrides` field in `package.json`. The existing `mocha.diff` nested override is preserved.

Alerts addressed

Changes

- `package.json`: promote `serialize-javascript` out of the nested `mocha` override and bump `^7.0.4` → `^7.0.5`; add top-level overrides for `fast-uri ^3.1.2`, `lodash ^4.18.1`, `picomatch ^2.3.2`. The `mocha.diff ^8.0.3` override is preserved.
- `package-lock.json`: regenerated by `npm install`. No new top-level packages.

`picomatch` deliberately stays on the v2.x line because `micromatch@4` (transitive via `fast-glob` → `globby` and `@typescript-eslint/typescript-estree`) declares `picomatch ^2.3.1`; v4 is a breaking API change.

Validation

- `npm install`: clean install, no errors
- `npm audit`: 0 vulnerabilities (info/low/moderate/high/critical all 0)
- `node_modules/fast-uri` → 3.1.2
- `node_modules/lodash` → 4.18.1
- `node_modules/picomatch` → 2.3.2
- `node_modules/serialize-javascript` → 7.0.5
- `npm run pack` (vsce) successfully loaded the full `@vscode/vsce` → `@secretlint/node` → `ajv` → `fast-uri` chain end-to-end. (The pre-existing `engines.vscode` pre-flight error is unrelated to this change and reproduces on `main`.)

Out of scope

Pre-existing issues unrelated to this PR (verified to reproduce on clean `main`):
- `eslint.config.*` migration warning
- `@types/glob`/`minimatch` typings mismatch
- `vsce` `engines.vscode` vs `@types/vscode` mismatch

These are out of scope for this security-only PR.
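The validation step above checks the top-level `node_modules/<pkg>` copies, but an npm override only does its job if it also reaches nested copies under a dependency's own `node_modules`. As an added example (not part of this PR or the project's code), the Node script below walks every entry in the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports any copy of a pinned package still below its minimum. The lockfile object is constructed sample data, not the project's real lockfile; the minimum versions are the ones this PR pins; and the version comparison is a simplified numeric compare that ignores prerelease tags (an assumption adequate for release versions).

```javascript
// Added example: verify that npm overrides took effect across ALL installed
// copies of a package by scanning a package-lock.json "packages" map
// (lockfileVersion 2 or 3). Not the project's code; sample data is constructed.

// Minimum patched versions, taken from the overrides this PR adds.
const PINNED_MINIMUMS = {
  "fast-uri": "3.1.2",
  "lodash": "4.18.1",
  "picomatch": "2.3.2",
  "serialize-javascript": "7.0.5",
};

// Compare two semver versions on their numeric core (major.minor.patch).
// Prerelease/build metadata is ignored (simplifying assumption). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recover the package name from a lockfile key. Nested copies look like
// "node_modules/fast-glob/node_modules/picomatch" -> "picomatch";
// scoped packages keep their scope: "node_modules/@scope/pkg" -> "@scope/pkg".
// The root project entry has the key "" and yields null.
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return path.slice(idx + "node_modules/".length);
}

// Return every installed copy of a pinned package whose version is below
// the minimum, as { path, name, version, minimum } records.
function findUnderpinned(lockfile, minimums = PINNED_MINIMUMS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages ?? {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in minimums) || !meta.version) continue;
    if (compareVersions(meta.version, minimums[name]) < 0) {
      findings.push({ path, name, version: meta.version, minimum: minimums[name] });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level copies are all patched, but one
// nested picomatch under fast-glob is still on 2.3.1 and must be reported.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-extension", version: "0.0.0" },
    "node_modules/fast-uri": { version: "3.1.2" },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/picomatch": { version: "2.3.2" },
    "node_modules/serialize-javascript": { version: "7.0.5", dev: true },
    "node_modules/fast-glob/node_modules/picomatch": { version: "2.3.1" },
    "node_modules/@scope/unrelated": { version: "1.0.0" },
  },
};

// Print the findings; returns the count so callers can use it as an exit status.
function report(lockfile) {
  const findings = findUnderpinned(lockfile);
  if (findings.length === 0) {
    console.log("all pinned packages satisfied in every installed copy");
  }
  for (const f of findings) {
    console.log(`${f.path}: ${f.name}@${f.version} is below pinned minimum ${f.minimum}`);
  }
  return findings.length;
}

report(SAMPLE_LOCKFILE);
```

To run it against a real checkout, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-zero return from `report` is the signal that an override did not propagate to some nested copy, which `npm audit` may or may not surface depending on the advisory's affected ranges.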