
chore(deps): flatted overrides for vulnerability#295

Merged
kanoru3101 merged 3 commits into main from chore/update-flatted
Apr 30, 2026

Conversation

@kanoru3101
Contributor

What/Why/How?

Update flatted vulnerabilities https://github.com/Redocly/website/security/dependabot/70
Run npm audit fix

Reference

Testing

Screenshots (optional)

Check yourself

  • Code is linted
  • Tested
  • All new/updated code is covered with tests

Security

  • Security impact of change has been considered
  • Code follows company security practices and guidelines

@kanoru3101 kanoru3101 requested a review from a team as a code owner April 30, 2026 08:48

@redocly redocly Bot left a comment


marketing-site AI Review: 🟢 Completed

Reunite Bot has reviewed your changes and found 1 potential issue(s).

Note

Medium Risk

Running npm audit fix blanket-upgraded multiple nested dependencies, including core build tools (vite, esbuild). While this resolves security vulnerabilities, updating build tools and 0.x dependencies (such as esbuild 0.25.x to 0.27.x) carries a potential risk of introducing subtle dev-server or build regressions. A quick check of the build output and dev environment is recommended.

Overview

Resolves a Dependabot security alert for the flatted package by bumping it from 3.3.3 to 3.4.2 via npm audit fix.

As a side effect of the audit fix, several other transitive dependencies were updated in package-lock.json, most notably:

  • vite (hoisted and bumped from 7.1.12 to 7.3.2)
  • esbuild and @esbuild/* (0.25.10 -> 0.27.7)
  • lodash (4.17.23 -> 4.18.1)
  • follow-redirects (1.15.11 -> 1.16.0)
  • @xmldom/xmldom (0.8.10 -> 0.8.13)
  • postcss (8.5.6 -> 8.5.12)

No application code or package.json configurations were modified.
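The blanket transitive bumps the review warns about can be caught mechanically before merge. The following is an added example (not code from this PR or the Redocly repository) that diffs the `packages` map of two lockfile-v3 `package-lock.json` files and flags bumps that are breaking under semver: a major change, or a minor change on a 0.x version such as esbuild 0.25 to 0.27. The two sample locks are constructed from the versions quoted in the review above, and the names `classifyBump`, `versionsByName`, `diffLock` and `riskyBumps` are chosen here.

```javascript
// Added example, not from the PR: diff two lockfile-v3 package-lock.json
// "packages" maps and flag bumps that are breaking under semver (major change,
// or minor change on a 0.x version such as esbuild 0.25 -> 0.27 above).
// Sample locks below are constructed; real ones come from JSON.parse(fs.readFileSync(...)).
function classifyBump(from, to) {
  const [fMajor, fMinor] = from.split('.').map(Number);
  const [tMajor, tMinor] = to.split('.').map(Number);
  if (fMajor !== tMajor) return 'major';
  if (fMajor === 0 && fMinor !== tMinor) return 'breaking-0.x';
  return fMinor !== tMinor ? 'minor' : 'patch';
}
// name -> version, keyed by the last node_modules/ segment so that a hoisted
// package (vite moved from a nested path to top level) still compares by name.
function versionsByName(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project entry
    out.set(path.slice(path.lastIndexOf('node_modules/') + 13), entry.version);
  }
  return out;
}
// Every package present in both locks whose version changed, with the kind of bump.
function diffLock(before, after) {
  const prev = versionsByName(before);
  const changes = [];
  for (const [name, to] of versionsByName(after)) {
    const from = prev.get(name);
    if (from !== undefined && from !== to) changes.push({ name, from, to, kind: classifyBump(from, to) });
  }
  return changes;
}
const riskyBumps = (before, after) =>
  diffLock(before, after).filter((c) => c.kind === 'major' || c.kind === 'breaking-0.x');

// Constructed sample locks (only the fields this check reads).
const lockBefore = { packages: {
  '': { name: 'website' },
  'node_modules/flatted': { version: '3.3.3' },
  'node_modules/esbuild': { version: '0.25.10' },
  'node_modules/some-plugin/node_modules/vite': { version: '7.1.12' },
} };
const lockAfter = { packages: {
  '': { name: 'website' },
  'node_modules/flatted': { version: '3.4.2' },
  'node_modules/esbuild': { version: '0.27.7' },
  'node_modules/vite': { version: '7.3.2' },
} };

console.log(riskyBumps(lockBefore, lockAfter)); // only esbuild 0.25.10 -> 0.27.7 is flagged
```

Run it against `git show main:package-lock.json` and the branch's lockfile to get the list of bumps that deserve a build and dev-server check.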

@kanoru3101 kanoru3101 self-assigned this Apr 30, 2026
Comment thread package-lock.json
"integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
"version": "3.4.2",
"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
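Review bot: the PR title says "flatted overrides", but these lines show a plain lockfile bump of flatted to 3.4.2 produced by npm audit fix, and the description confirms package.json was not touched, so no `overrides` entry exists; retitle the PR (for example "chore(deps): bump flatted to 3.4.2 via npm audit fix") so the history does not suggest a pin that a later `npm install` would have to honour.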


The flatted package was correctly updated to 3.4.2 via npm audit fix, resolving vulnerabilities without needing overrides. However, significant transitive updates like esbuild (0.25 to 0.27) and vite pose risks and should be tested carefully.

@kanoru3101 kanoru3101 merged commit d52ef82 into main Apr 30, 2026
7 checks passed
@kanoru3101 kanoru3101 deleted the chore/update-flatted branch April 30, 2026 10:56