Fix CVEs: add npm overrides for picomatch, yaml, brace-expansion, lodash

mraible · mraible · commit 7453c763793f · 2026-04-06T11:30:48.000-06:00
Add overrides to resolve known vulnerabilities:
- picomatch@2 -&gt; 2.3.2 (ReDoS via extglob quantifiers)
- picomatch@4 -&gt; 4.0.4 (ReDoS via extglob quantifiers)
- yaml@1 -&gt; 1.10.3 (stack overflow via deeply nested collections)
- brace-expansion@2 -&gt; 2.0.3 (zero-step sequence hang)
- lodash -&gt; 4.18.1 (prototype pollution and code injection)

Remaining: brace-expansion 1.x (1.1.12) has no fixed version available.
diff --git a/ui/extensions/hello/package-lock.json b/ui/extensions/hello/package-lock.json
diff --git a/ui/extensions/hello/package.json b/ui/extensions/hello/package.json
@@ -68,9 +68,13 @@
   },
   "overrides": {
     "js-yaml": "^3.14.2",
-    "lodash": "4.17.23",
+    "lodash": "4.18.1",
     "svgo": "2.8.1",
     "minimatch@3": "3.1.4",
-    "minimatch@9": "9.0.9"
+    "minimatch@9": "9.0.9",
+    "picomatch@2": "2.3.2",
+    "picomatch@4": "4.0.4",
+    "yaml@1": "1.10.3",
+    "brace-expansion@2": "2.0.3"
   }
 }
diff --git a/ui/extensions/hello/src/dist/app.js b/ui/extensions/hello/src/dist/app.js
@@ -3857,6 +3857,9 @@ class Navigation {
             },
         });
     }
+    /**
+     * @deprecated Use navigateTo directly
+     */
     async onClick(event, defaultTarget = '_self', defaultType = 'falcon') {
         if (!(event instanceof Event)) {
             throw Error('"event" property should be subclass of Event');
