
Commit c3801a9

fix: resolve npm audit vulnerabilities via overrides
Add npm overrides to force mocha's transitive dependencies to patched versions:

- diff ^7.0.0 -> ^8.0.3 (fixes GHSA-73rr-hh4g-fpgx DoS)
- serialize-javascript ^6.0.2 -> ^7.0.5 (fixes GHSA-5c6j-r48x-rmvq RCE, GHSA-qj8w-gfj5-8c6v DoS)

npm audit now reports 0 vulnerabilities. All 162 tests pass.

Closes #37

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
1 parent: 903dfe0; commit: c3801a9

2 files changed

Lines changed: 14 additions & 19 deletions


package-lock.json

Lines changed: 8 additions & 19 deletions
Diff not rendered (generated file).

package.json

Lines changed: 6 additions & 0 deletions
@@ -130,6 +130,12 @@
130130
"package": "vsce package",
131131
"check": "npm run test && npm run package"
132132
},
133+
"overrides": {
134+
"mocha": {
135+
"diff": "^8.0.3",
136+
"serialize-javascript": "^7.0.5"
137+
}
138+
},
133139
"devDependencies": {
134140
"@types/mocha": "^10.0.10",
135141
"@types/node": "^25.9.1",
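Review bot: the `overrides` block forces two major-version bumps (diff 7 -> 8, serialize-javascript 6 -> 7) onto mocha without mocha itself having declared support for them, and "all 162 tests pass" only exercises the success path; the code paths where a test runner formats assertion diffs or serializes results between processes are not hit by a green run. Before merging, deliberately run one failing test and confirm the failure diff still renders, and if the suite is ever run in mocha's parallel mode, run it that way once too. Also consider noting in the PR or changelog that these overrides exist only to cover the three listed advisories, so they can be removed once a mocha release ships the patched dependency ranges on its own; `package.json` cannot carry a comment, and an unexplained override tends to outlive its reason.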

0 commit comments
