Commit 629a568
fix(deps): bump flatted, picomatch, undici, rollup (CVE-2026-32141, 33228, 33671, 1526/1528/2229, 27606) (#165)
* fix(deps): bump flatted 3.3.3→3.4.2, picomatch 2.3.1→2.3.2, undici 6.23.0→6.25.0
Resolves:
- CVE-2026-32141 (CVSS 7.5): flatted DoS via unbounded recursion — fix: >=3.4.0
- CVE-2026-33228 (High): flatted Prototype Pollution — fix: >3.4.1
- CVE-2026-33671 (CVSS 7.5): picomatch ReDoS — fix: >=2.3.2
- CVE-2026-1526/1528/2229 (CVSS 7.5): undici WebSocket vulnerabilities — fix: >=6.24.0
All fixes are lockfile-only — parent constraints already allow the safe versions.
* fix(deps): bump rollup 4.53.3→4.60.1 (CVE-2026-27606)
Lockfile-only — vite@6.4.1 specifies rollup '^4.34.9' which already
allows 4.60.1. CVE-2026-27606 (High): Rollup Arbitrary File Write via
Path Traversal — fix: >=4.59.0.
* fix(deps): tighten undici pnpm override to >=6.25.0
* fix(deps): regenerate lockfile after undici override update
* fix(deps): tighten undici override to ^6.25.0 (6.x only)

1 parent 2a0662f
commit 629a568
2 files changed
Lines changed: 154 additions & 127 deletions
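An added lockfile audit (example code, not the commit's or the project's own) that checks the resolved versions of the four packages in a pnpm-lock.yaml against the fix floors stated in the commit message; it assumes the pnpm v6/v9 package-key syntax and runs over a constructed sample lockfile:

```javascript
// Added example (not the commit's or project's code): check resolved versions in a
// pnpm-lock.yaml against the fix floors from the commit message. Node built-ins only.
const FLOORS = { // strictest floor per package, from the commit message
  flatted: [">", "3.4.1"],    // CVE-2026-32141 (>=3.4.0), CVE-2026-33228 (>3.4.1)
  picomatch: [">=", "2.3.2"], // CVE-2026-33671
  undici: [">=", "6.25.0"],   // CVE-2026-1526/1528/2229, override tightened to 6.25.0
  rollup: [">=", "4.59.0"],   // CVE-2026-27606
};
// Numeric dotted-version compare: -1, 0 or 1 (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function satisfiesFloor(version, [op, floor]) {
  const c = compareVersions(version, floor);
  return op === ">" ? c > 0 : c >= 0;
}
// Assumption: pnpm lockfile v6/v9 package keys read "/name@1.2.3:" or
// "  name@1.2.3:", optionally followed by a peer-dependency suffix in parens.
const PKG_KEY = /^\s*\/?((?:@[\w.-]+\/)?[\w.-]+)@(\d+\.\d+\.\d+)(?=[:(])/gm;
// One finding per resolved copy of a watched package; a second, older copy
// of undici pulled in by another dependency would be flagged too.
function auditLockfile(lockText, floors = FLOORS) {
  const findings = [];
  for (const [, name, version] of lockText.matchAll(PKG_KEY)) {
    if (!floors[name]) continue;
    const ok = satisfiesFloor(version, floors[name]);
    findings.push({ name, version, floor: floors[name].join(""), ok });
  }
  return findings;
}
// Constructed sample lockfile: rollup still on pre-fix 4.53.3, the rest bumped.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  flatted@3.4.2:
    resolution: {integrity: sha512-CONSTRUCTED}
  picomatch@2.3.2:
  rollup@4.53.3:
  undici@6.25.0:
`;
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.ok ? "ok  " : "VULN"} ${f.name}@${f.version} (needs ${f.floor})`);
}
```

Run it against the real pnpm-lock.yaml by passing the file contents to auditLockfile; any finding with ok set to false is a copy that the lockfile still resolves below the fix floor.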