forked from cartsnitch/cartsnitch
fix(deps): pin safe versions of audit-flagged transitive deps (CAR-1162 audit)
The CI's npm audit (10.8.2) flagged three transitive vulnerabilities that local newer-npm runs (11.x) miss due to advisory-DB divergence:

- @babel/plugin-transform-modules-systemjs: 7.29.0 -> ^7.29.4 (CVE-2026-44728: arbitrary code generation, fixed in 7.29.4)
- fast-uri: 3.1.0 -> ^3.1.2 (path traversal / host confusion via percent-encoded segments)
- brace-expansion: 5.0.5 -> >=5.0.6 (DoS via large numeric range defeating max protection)

These are non-breaking transitive updates within the same major version. The previous override for brace-expansion (>=1.1.13) was too loose to exclude 5.0.2-5.0.5; tightening it to >=5.0.6.

Ref CAR-1162, CAR-1122, CAR-1078

Co-Authored-By: Paperclip <noreply@paperclip.ing>
+4
-2
@@ -51,8 +51,10 @@
"@rollup/pluginutils": "5.3.0",
"flatted": "^3.4.2",
"serialize-javascript": "7.0.5",
"brace-expansion": ">=1.1.13",
"brace-expansion": ">=5.0.6",
"lodash": ">=4.17.24",
"minimatch": "^10.2.4"
"minimatch": "^10.2.4",
"@babel/plugin-transform-modules-systemjs": "^7.29.4",
"fast-uri": "^3.1.2"
}
}
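Review bot: the new top-level override `"brace-expansion": ">=5.0.6"` applies to every brace-expansion edge in the tree, not only to the 5.0.5 instance the message describes, so any dependant still declaring a 1.x or 2.x range would be forced onto 5.x, which contradicts the "within the same major version" claim in the commit message. Either confirm with `npm ls brace-expansion` that no 1.x/2.x consumers remain, or scope the override to the parent that pulls in 5.x (npm supports nested overrides, e.g. `"minimatch": { "brace-expansion": ">=5.0.6" }`). Separately, the title says "pin" but the two added entries use caret ranges (`"^7.29.4"`, `"^3.1.2"`) while neighbouring overrides such as `"serialize-javascript": "7.0.5"` are exact; pick one convention so the lockfile-free floor is unambiguous.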