Commit 0c85722
authored
chore(deps): patch 4 npm security vulnerabilities (#2655)
Centralises patched versions via root overrides (and the advent-of-calm
website overrides for its standalone lockfile):
- tmp ^0.2.6 -> ^0.2.7 (override too loose, permitted vulnerable 0.2.6)
- esbuild -> ^0.28.1 (new root + advent-of-calm/website override)
- joi -> ^17.13.4 (new root override)
Also removes the @vscode/vsce minimatch override. baa5716 intended that
pin only for minimatch 3.x consumers, but @vscode/vsce requires minimatch
^10.2.2; forcing 3.1.x broke "vsce package" (minimatch_1.minimatch is not
a function) on a clean lockfile regeneration. vsce now resolves the
already-patched minimatch 10.2.5.
Bumps calm-hub-ui @vitejs/plugin-react ^4.3.4 -> ^5.0.0. Required to
regenerate the lockfile cleanly: #2657 bumped vite to 8 but plugin-react
4.x only peers vite <=7, so a clean install ERESOLVEs. plugin-react 5.2.0
(already hoisted at root) supports vite 8 and dedupes to one copy.
Resolves: GHSA-7c78-jf6q-g5cm, GHSA-gv7w-rqvm-qjhr, GHSA-g7r4-m6w7-qqqr, GHSA-q7cg-457f-vx791 parent 7146105 commit 0c85722
5 files changed
Lines changed: 6076 additions & 7435 deletions
File tree
- advent-of-calm/website
- calm-hub-ui
0 commit comments