Commit 57b0645

grafana-bridge: add npm overrides for quick-win Dependabot alerts
grafana-bridge is a minimal Express app (single dep) but still pulls in the same vulnerable transitive packages. Adds an 'overrides' block to force patched versions:

  lodash -> ^4.18.0
  qs -> ^6.15.2
  picomatch -> ^2.3.2
  fast-uri -> ^3.1.2
  serialize-javascript -> ^7.0.5

Regenerated package-lock.json. Verified qs pinned at 6.15.2.
1 parent ae20e82 commit 57b0645

2 files changed

Lines changed: 10 additions & 3 deletions

server/installer/grafana-bridge/package-lock.json

Lines changed: 3 additions & 3 deletions

server/installer/grafana-bridge/package.json

Lines changed: 7 additions & 0 deletions
@@ -8,5 +8,12 @@
88
},
99
"dependencies": {
1010
"express": "^4.21.0"
11+
},
12+
"overrides": {
13+
"lodash": "^4.18.0",
14+
"qs": "^6.15.2",
15+
"picomatch": "^2.3.2",
16+
"fast-uri": "^3.1.2",
17+
"serialize-javascript": "^7.0.5"
1118
}
1219
}
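
Review bot: Only `qs` is reported as verified, and the lockfile diff on this page is 3 additions and 3 deletions, which is roughly what one package entry changing version looks like, so the `lodash`, `picomatch`, `fast-uri` and `serialize-javascript` entries in the new `overrides` block may not match anything in this package's tree. With `express` as the only dependency, run `npm ls lodash picomatch fast-uri serialize-javascript` against the regenerated lockfile and drop any entry that resolves to nothing, so the block lists only packages that are actually installed. For the entries that stay: these are top-level (unscoped) overrides, so each caret range is forced onto every dependent regardless of the range that dependent declared, and `^6.15.2` is a floor rather than a pin (the lockfile is what fixes the version). Recording in the commit message which advisory each entry addresses would make it clear when an override can be removed.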
