Skip to content

Commit c4980bd

Browse files
authored
fix(security): patch all known dependency vulnerabilities (#447)
* fix(security): patch all known dependency vulnerabilities Resolves all advisories reported by npm audit (13 -> 0) via overrides: - form-data ^4.0.6 (high: CRLF injection, GHSA-hmw2-7cc7-3qxx) - uuid ^11.1.1 (moderate: missing buffer bounds check, GHSA-w5hq-g745-h8pq) - js-yaml ^4.2.0 (moderate: quadratic-complexity DoS, GHSA-h67p-54hq-rp68) Transitive fixes for @babel/core, brace-expansion, fast-uri, fast-xml-builder, fast-xml-parser and ws were picked up by the refreshed lockfile. uuid/js-yaml are pulled in transitively via nyc; overrides avoid the nyc 17 -> 14 downgrade that 'npm audit fix --force' would have forced. Build and all 57 tests pass. * fix(security): bump hasown to 2.0.4 to satisfy form-data@4.0.6 form-data@4.0.6 requires hasown ^2.0.4; the lockfile still pinned 2.0.3, which broke 'npm ci' sync validation. Verified clean: npm ci -> 0 vulnerabilities, tsc clean, 57 tests passing.
1 parent 40e5c46 commit c4980bd

2 files changed

Lines changed: 208 additions & 186 deletions

File tree

0 commit comments

Comments
 (0)