Commit c4980bd
authored
fix(security): patch all known dependency vulnerabilities (#447)
* fix(security): patch all known dependency vulnerabilities
Resolves all advisories reported by npm audit (13 -> 0) via overrides:
- form-data ^4.0.6 (high: CRLF injection, GHSA-hmw2-7cc7-3qxx)
- uuid ^11.1.1 (moderate: missing buffer bounds check, GHSA-w5hq-g745-h8pq)
- js-yaml ^4.2.0 (moderate: quadratic-complexity DoS, GHSA-h67p-54hq-rp68)
Transitive fixes for @babel/core, brace-expansion, fast-uri,
fast-xml-builder, fast-xml-parser and ws were picked up by the
refreshed lockfile. uuid/js-yaml are pulled in transitively via nyc;
overrides avoid the nyc 17 -> 14 downgrade that 'npm audit fix --force'
would have forced. Build and all 57 tests pass.
* fix(security): bump hasown to 2.0.4 to satisfy form-data@4.0.6
form-data@4.0.6 requires hasown ^2.0.4; the lockfile still pinned
2.0.3, which broke 'npm ci' sync validation. Verified clean:
npm ci -> 0 vulnerabilities, tsc clean, 57 tests passing.1 parent 40e5c46 commit c4980bd
2 files changed
Lines changed: 208 additions & 186 deletions
0 commit comments