fix(audit): patch high severity dependency vulnerabilities

[fbosch]

Summary

• update picomatch to ^4.0.4 to address direct high-severity advisory coverage
• add pnpm.overrides for vulnerable transitive ranges of picomatch, defu, and lodash
• refresh pnpm-lock.yaml so resolution graph uses patched versions and audit-high passes

Validation

• pnpm audit --audit-level=high
• pnpm typecheck
• pnpm lint

Summary by CodeRabbit

Release Notes

• Chores
  • Updated project dependencies to improve stability and security, including patches for core utility libraries.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated direct dependencies and expanded pnpm override resolutions in package.json. The picomatch dependency was bumped from ^4.0.3 to ^4.0.4, and explicit version resolutions were added or modified for defu, lodash, and picomatch in the pnpm.overrides section.

Changes

Cohort / File(s)	Summary
Dependency and Override Updates package.json	Bumped picomatch direct dependency to ^4.0.4 and expanded pnpm.overrides with new/updated version constraints for defu (6.1.5), lodash (4.18.0), and picomatch (2.3.2).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰✨ A hop through versions, so neat and so clean,
Dependencies dancing in package.json's scene,
Picomatch prances to 4.0.4 with cheer,
While lodash and defu bring freshness here! 🌟

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective of patching high-severity dependency vulnerabilities, clearly summarizing the primary change in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/audit-high-vulns

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

npx https://pkg.pr.new/docs-cache@34

commit: f8ac756

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f8ac756e64

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid forcing deprecated lodash release

The new override pins all lodash versions up to 4.17.23 to 4.18.0, but this exact version is marked in the lockfile as deprecated: Bad release. Please use lodash@4.17.21 instead. (pnpm-lock.yaml), so every fresh install will intentionally resolve to a known bad release. That creates a real risk of runtime regressions or supply-chain instability in any codepath using transitive lodash, and the override should target a non-deprecated patched version instead.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

This PR updates dependency resolutions to address high-severity audit findings by bumping picomatch and adding pnpm.overrides to force patched versions for vulnerable transitive dependencies.

Changes:

• Bump direct dependency picomatch to ^4.0.4.
• Add pnpm.overrides for defu, lodash, and transitive picomatch ranges.
• Regenerate pnpm-lock.yaml to reflect the updated resolution graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File	Description
package.json	Updates picomatch and adds pnpm.overrides to force patched dependency versions.
pnpm-lock.yaml	Refreshes lockfile to apply overrides and new resolved versions across the dependency graph.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 141-144: The override for lodash currently maps the selector
"lodash@>=4.0.0 <=4.17.23" to the deprecated version "4.18.0"; update that
override in package.json so the selector points to "4.17.21" instead (replace
the right-hand value "4.18.0" with "4.17.21") to match the pnpm-lock guidance
and avoid pinning a deprecated release.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: da69f67a-12cd-4ae4-9a62-d3079bc1b95d

📥 Commits

Reviewing files that changed from the base of the PR and between 5718f0f and f8ac756.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm lodash override currently set in package.json"
rg -n '"lodash@>=4\.0\.0 <=4\.17\.23":' package.json -C1

echo
echo "2) Confirm lockfile contains deprecated lodash@4.18.0 entry"
rg -n 'lodash@4\.18\.0|deprecated: Bad release' pnpm-lock.yaml -C2

echo
echo "3) Verify npm metadata for 4.18.0 vs 4.17.21 deprecation fields"
python - <<'PY'
import json, urllib.request
for v in ("4.18.0", "4.17.21"):
    with urllib.request.urlopen(f"https://registry.npmjs.org/lodash/{v}") as r:
        data = json.load(r)
    print(f"{v}: deprecated={data.get('deprecated')!r}")
PY

Repository: fbosch/docs-cache

Length of output: 3448

---

Replace the lodash override target at Line 142 with 4.17.21.

The pnpm-lock.yaml (lines 1030-1032) marks lodash@4.18.0 as deprecated with the message: "Bad release. Please use lodash@4.17.21 instead." Pinning to a deprecated version introduces unnecessary supply-chain risk.

Suggested fix

  "pnpm": {
    "overrides": {
      "defu@<=6.1.4": "6.1.5",
-     "lodash@>=4.0.0 <=4.17.23": "4.18.0",
+     "lodash@>=4.0.0 <=4.17.23": "4.17.21",
      "minimatch@>=10.0.0 <10.2.3": "10.2.4",
      "picomatch@<2.3.2": "2.3.2"
    }
  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"defu@<=6.1.4": "6.1.5",
	"lodash@>=4.0.0 <=4.17.23": "4.18.0",
	"minimatch@>=10.0.0 <10.2.3": "10.2.4",
	"picomatch@<2.3.2": "2.3.2"
	"defu@<=6.1.4": "6.1.5",
	"lodash@>=4.0.0 <=4.17.23": "4.17.21",
	"minimatch@>=10.0.0 <10.2.3": "10.2.4",
	"picomatch@<2.3.2": "2.3.2"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 141 - 144, The override for lodash currently maps
the selector "lodash@>=4.0.0 <=4.17.23" to the deprecated version "4.18.0";
update that override in package.json so the selector points to "4.17.21" instead
(replace the right-hand value "4.18.0" with "4.17.21") to match the pnpm-lock
guidance and avoid pinning a deprecated release.