Skip to content

Commit 7f5f225

Browse files
fix(deps): resolve open Dependabot security alerts (#59)
Bump react-router/react-router-dom to 7.18.1 and js-yaml to 4.3.0, clearing all 8 open Dependabot alerts: - react-router (7 alerts): RCE via turbo-stream deserialization, DoS in single-fetch and __manifest, XSS in RSC/prerender redirects, open redirect, CSRF — fixed in <=7.15.1, resolved by 7.18.1 - js-yaml (1 alert): quadratic-complexity DoS in merge key handling — fixed in 4.2.0, resolved by 4.3.0 Also pulls in non-breaking transitive fixes surfaced by npm audit (@eslint/plugin-kit, ajv, brace-expansion). npm audit now reports 0 vulnerabilities. Verified: npm run build, npm run lint, and a browser smoke test (app loads, router works, 0 console errors) all pass.
1 parent fd9fce1 commit 7f5f225

2 files changed

Lines changed: 107 additions & 81 deletions

File tree

package-lock.json

Lines changed: 106 additions & 80 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@
2121
"react": "^18.2.0",
2222
"react-dom": "^18.2.0",
2323
"react-markdown": "^9.0.3",
24-
"react-router-dom": "^7.12.0",
24+
"react-router-dom": "^7.17.0",
2525
"web-vitals": "^4.2.4"
2626
},
2727
"devDependencies": {

0 commit comments

Comments
 (0)