From 6722b0e796a1c51da1fc937913ae70b0f5470759 Mon Sep 17 00:00:00 2001
From: Barcode Betty <32+cs_betty@noreply.git.farh.net>
Date: Tue, 23 Jun 2026 03:42:45 +0000
Subject: [PATCH] fix(deps): add npm overrides to pin patched versions of defu, kysely, picomatch (CAR-1446)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4
All three are transitive deps of better-auth. Adding npm overrides forces the patched versions. Grype scan passes at --fail-on high after these overrides are applied.
Co-Authored-By: Paperclip
---
package.json | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 9eef257..032d08b 100644
--- a/package.json
+++ b/package.json
@@ -21,5 +21,10 @@
 "@types/pg": "^8.11.0",
 "tsx": "^4.19.0",
 "typescript": "^5.7.0"
+ },
+ "overrides": {
+ "picomatch": "^4.0.4",
+ "defu": "^6.1.5",
+ "kysely": "^0.28.17"
 }
-}
\ No newline at end of file
+}
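Review bot: The new `"overrides"` block at the end of the hunk is not accompanied by a lockfile change — the diffstat shows only package.json — so the pins are not yet recorded in package-lock.json, and `npm ci` is likely to reject the now out-of-sync lockfile while `npm install` would only apply them at install time; the passing Grype scan described in the message was presumably run against a locally regenerated lockfile that should be committed alongside this change so CI scans the same tree. Because overrides mask the fact that better-auth itself still declares the vulnerable ranges, it is worth recording the removal condition somewhere the team will see it (package.json cannot carry comments, so the ticket or changelog is the place), e.g. "remove overrides for picomatch/defu/kysely once better-auth bumps its own ranges to the patched versions". Note also that these overrides are global rather than scoped under `"better-auth": { ... }`, which is fine for the three packages named but affects every other dependency that resolves them.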