Skip to content

Resolves npm audit high-severity vulnerabilities #2039

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zawata merged 2 commits into from
Apr 1, 2026
+176 −249
Merged

Resolves npm audit high-severity vulnerabilities #2039

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9436ddc
fix: update transitive dependencies to resolve known vulnerabilities
AlexaXs Mar 6, 2026
65e36ee
fix: add npm overrides to resolve remaining high-severity vulnerabili…
AlexaXs Mar 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
fix: add npm overrides to resolve remaining high-severity vulnerabili… 
…ties

Adds overrides in package.json for transitive dependencies that cannot
be updated within their parent packages declared semver ranges:

- mocha > diff: ^7.0.0 overridden to ^8.0.3
  Fixes DoS in parsePatch/applyPatch (GHSA-73rr-hh4g-fpgx)
- mocha > serialize-javascript: ^6.0.2 overridden to ^7.0.4
  Fixes RCE via RegExp.flags and Date.prototype.toISOString (GHSA-5c6j-r48x-rmvq)
- jshint > minimatch: ~3.0.2 overridden to 3.1.5
  Fixes multiple ReDoS vulnerabilities (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74)

Remaining: aws-sdk v2 low-severity advisory (GHSA-j965-2qgj-vjmq)
affects all of v2, requires migration to v3 which is out of scope.

Lint (jshint) verified passing after minimatch override.
  • Loading branch information
@AlexaXs
AlexaXs committed Mar 6, 2026
commit 65e36eeb7b3b3edcb7c19aa10d619ada3b76bca6
70 changes: 23 additions & 47 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 9 additions & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,15 @@
"node-gyp": "^11.2.0",
"tar-fs": "^3.0.9"
},
"overrides": {
"mocha": {
"diff": "^8.0.3",
"serialize-javascript": "^7.0.4"
},
"jshint": {
"minimatch": "3.1.5"
}
},
"devDependencies": {
"aws-sdk": "^2.1095.0",
"clean-for-publish": "~1.0.2",
Expand Down