Commit 629a568
fix(deps): bump flatted, picomatch, undici, rollup (CVE-2026-32141, 33228, 33671, 1526/1528/2229, 27606) (#165)
* fix(deps): bump flatted 3.3.3→3.4.2, picomatch 2.3.1→2.3.2, undici 6.23.0→6.25.0

Resolves:
- CVE-2026-32141 (CVSS 7.5): flatted DoS via unbounded recursion — fix: >=3.4.0
- CVE-2026-33228 (High): flatted Prototype Pollution — fix: >3.4.1
- CVE-2026-33671 (CVSS 7.5): picomatch ReDoS — fix: >=2.3.2
- CVE-2026-1526/1528/2229 (CVSS 7.5): undici WebSocket vulnerabilities — fix: >=6.24.0

All fixes are lockfile-only — parent constraints already allow the safe versions.

* fix(deps): bump rollup 4.53.3→4.60.1 (CVE-2026-27606)

Lockfile-only — vite@6.4.1 specifies rollup '^4.34.9' which already allows 4.60.1.
CVE-2026-27606 (High): Rollup Arbitrary File Write via Path Traversal — fix: >=4.59.0.

* fix(deps): tighten undici pnpm override to >=6.25.0

* fix(deps): regenerate lockfile after undici override update

* fix(deps): tighten undici override to ^6.25.0 (6.x only)
1 parent 2a0662f commit 629a568

2 files changed

Lines changed: 154 additions & 127 deletions

package.json

Lines changed: 1 addition & 1 deletion
@@ -124,7 +124,7 @@
124124
"overrides": {
125125
"form-data": ">=4.0.4",
126126
"@semantic-release/npm": "13.1.3",
127-
"undici": "^6.23.0",
127+
"undici": "^6.25.0",
128128
"lodash": "~4.17.23",
129129
"lodash-es": "~4.17.23",
130130
"minimatch@3": "~3.1.5",
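Review bot: the override key "undici" (no version selector) applies "^6.25.0" to every transitive undici in the tree, so any future dependency that requires undici 7.x would be forced down to 6.x by this line; the same file already uses the selector form for "minimatch@3": "~3.1.5", so consider "undici@6": "^6.25.0" to limit the override to the 6.x range the commit message says it targets. Since the second changed file (the regenerated pnpm lockfile) is not shown here, it is worth checking that it now resolves exactly one undici entry at >=6.25.0, which is what makes the CVE-2026-1526/1528/2229 fix threshold (>=6.24.0) hold for all dependents.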
