fix(deps): add npm overrides to pin patched versions of defu, kysely, picomatch (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / build-and-push (push) Failing after 10s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Successful in 2s
Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit missed (different advisory DB):

- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4

All three are transitive deps of better-auth. Adding npm overrides forces the patched versions. Grype scan passes at --fail-on high after these overrides are applied.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
+6 -1
@@ -21,5 +21,10 @@
"@types/pg": "^8.11.0",
"tsx": "^4.19.0",
"typescript": "^5.7.0"
},
"overrides": {
"picomatch": "^4.0.4",
"defu": "^6.1.5",
"kysely": "^0.28.17"
}
}
}
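Review bot: No lockfile update accompanies this hunk; the commit stat is +6/-1 and the change is confined to the manifest's devDependencies/overrides block. npm resolves `overrides` through the lockfile, so until package-lock.json is regenerated with `npm install` the transitive defu, kysely and picomatch versions stay at whatever the existing lock pinned, and `npm ci` errors when it finds the lock out of sync with the manifest, which may be what the build-and-push (push) check failing after 10s is reporting. Suggest committing the regenerated package-lock.json in the same change and confirming the effective versions with `npm ls defu kysely picomatch` before treating the Grype `--fail-on high` pass as final. Two smaller points: the caret specs (`"picomatch": "^4.0.4"`, `"defu": "^6.1.5"`, `"kysely": "^0.28.17"`) set a floor at the patched release rather than an exact pin, which is acceptable but worth stating in the commit message, and `overrides` is honoured only by npm, so any yarn or pnpm consumer of this manifest would need the equivalent `resolutions` / `pnpm.overrides` entry to get the same protection.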