Closed
7 changes: 5 additions & 2 deletions package.json
@@ -99,7 +99,7 @@
"fast-glob": "^3.3.2",
"log-update": "^7.0.2",
"picocolors": "^1.1.1",
"picomatch": "^4.0.3",
"picomatch": "^4.0.4",
"zod": "^4.3.6"
},
"devDependencies": {
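Review bot: The `picomatch` bump from `^4.0.3` to `^4.0.4` in this hunk only raises the floor of a caret range that already admitted 4.0.4, so what actually changes on install is decided by the regenerated pnpm-lock.yaml in this PR; confirm the lockfile diff moves the direct picomatch entry to 4.0.4, otherwise the package.json edit is cosmetic. The separate `"picomatch@<2.3.2": "2.3.2"` override in the next hunk covers the transitive 2.x line, which this range does not touch.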
@@ -138,7 +138,10 @@
},
"pnpm": {
"overrides": {
"minimatch@>=10.0.0 <10.2.3": "10.2.4"
"defu@<=6.1.4": "6.1.5",
"lodash@>=4.0.0 <=4.17.23": "4.18.0",
P1: Avoid forcing deprecated lodash release

The new override pins all lodash versions up to 4.17.23 to 4.18.0, but this exact version is marked in the lockfile as deprecated: "Bad release. Please use lodash@4.17.21 instead." (pnpm-lock.yaml), so every fresh install will intentionally resolve to a known bad release. That creates a real risk of runtime regressions or supply-chain instability in any code path using transitive lodash, and the override should target a non-deprecated patched version instead.


"minimatch@>=10.0.0 <10.2.3": "10.2.4",
"picomatch@<2.3.2": "2.3.2"
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm lodash override currently set in package.json"
# Show the override entry with one line of context on each side
rg -n '"lodash@>=4\.0\.0 <=4\.17\.23":' package.json -C1

echo
echo "2) Confirm lockfile contains deprecated lodash@4.18.0 entry"
# Match either the resolved 4.18.0 entry or its deprecation annotation
rg -n 'lodash@4\.18\.0|deprecated: Bad release' pnpm-lock.yaml -C2

echo
echo "3) Verify npm metadata for 4.18.0 vs 4.17.21 deprecation fields"
# Fetch each version's manifest from the registry and print its "deprecated"
# field; None means the version is not deprecated
python - <<'PY'
import json, urllib.request
for v in ("4.18.0", "4.17.21"):
    with urllib.request.urlopen(f"https://registry.npmjs.org/lodash/{v}") as r:
        data = json.load(r)
    print(f"{v}: deprecated={data.get('deprecated')!r}")
PY

Repository: fbosch/docs-cache

Length of output: 3448


Replace the lodash override target at Line 142 with 4.17.21.

The pnpm-lock.yaml (lines 1030-1032) marks lodash@4.18.0 as deprecated with the message: "Bad release. Please use lodash@4.17.21 instead." Pinning to a deprecated version introduces unnecessary supply-chain risk.

Suggested fix
  "pnpm": {
    "overrides": {
      "defu@<=6.1.4": "6.1.5",
-     "lodash@>=4.0.0 <=4.17.23": "4.18.0",
+     "lodash@>=4.0.0 <=4.17.23": "4.17.21",
      "minimatch@>=10.0.0 <10.2.3": "10.2.4",
      "picomatch@<2.3.2": "2.3.2"
    }
  }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 141 - 144, The override for lodash currently maps
the selector "lodash@>=4.0.0 <=4.17.23" to the deprecated version "4.18.0";
update that override in package.json so the selector points to "4.17.21" instead
(replace the right-hand value "4.18.0" with "4.17.21") to match the pnpm-lock
guidance and avoid pinning a deprecated release.

}
}
}
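Review bot: The `"lodash@>=4.0.0 <=4.17.23": "4.18.0"` override forces every 4.x consumer in the graph onto 4.18.0, which pnpm-lock.yaml in this same PR annotates as deprecated ("Bad release. Please use lodash@4.17.21 instead."); point the override at 4.17.21, the release the lockfile's deprecation notice itself recommends, and regenerate the lockfile. Separately, none of the four override keys (`defu`, `lodash`, `minimatch`, `picomatch`) record why they exist; since package.json cannot carry comments, state the advisory or issue behind each pin in the PR description or commit message so a later maintainer can tell when an override is safe to drop.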
62 changes: 33 additions & 29 deletions pnpm-lock.yaml