Commit f393902 (1 parent: 4dd5cdd)

chore(deps): clear vulnerable transitive deps (tar, flatted)

Resolves open Dependabot security advisories for transitive npm
dependencies that have no direct manifest entry (so Dependabot cannot
auto-open fix PRs for them).

tar (6 x HIGH): an old tar@6.2.1 was pulled in via
ttf2woff2@4.0.5 -> node-gyp@9.4.1 (and node-gyp's
make-fetch-happen@10 -> cacache@16 chain). ttf2woff2 6+ switched to an
ESM/default export that breaks @vusion/webfonts-generator's callable
usage, so rather than bump ttf2woff2 we override its node-gyp to
^11.2.0 via a scoped resolution. That modernises the whole sub-tree
(node-gyp 11, make-fetch-happen 14/15, cacache 19/20) onto tar@7.5.16
while keeping ttf2woff2 at 4.0.5 so webfont generation still works.

flatted (1 x HIGH): bumped 3.4.1 -> 3.4.2 in the Electron runtime
(GHSA-rf6f-7fwh-wjgh).

Verified: yarn install builds ttf2woff2's native addon with node-gyp@11,
the webpack build regenerates the icon webfonts successfully, and
test:js-once passes 829/829.

paramiko (covered by #9927) and elliptic (no fix available upstream) are
intentionally left untouched.

4 files changed
Lines changed: 133 additions & 421 deletions
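The commit message relies on a scoped Yarn resolution to move a transitive sub-tree off tar 6 and then verifies the result indirectly (the native addon builds, the webfonts regenerate). The script below is an added example, not code from this commit or from the project: it parses a Yarn v1 lockfile and reports every dependency chain that still resolves a named package below its fix version, so the "before" and "after" states can be checked directly from yarn.lock. The two lockfile fragments are constructed for illustration (versions taken from the commit message, dependency ranges invented); the "after" fragment assumes a package.json resolution of the form `"ttf2woff2/node-gyp": "^11.2.0"`, which Yarn records by keeping the `node-gyp@^9.0.0` key but resolving it to 11.2.0.

```python
"""Find dependency chains in a yarn.lock (v1) that resolve a package below its fix version.

Added example for this commit page; not the project's own code. Lockfile fragments
are constructed (versions from the commit message, ranges invented).
"""
import re

# Constructed "before" state: ttf2woff2@4.0.5 pulls in node-gyp 9, which pulls in tar 6
# directly and again via make-fetch-happen 10 -> cacache 16.
LOCK_BEFORE = """\
# yarn lockfile v1

ttf2woff2@4.0.5:
  version "4.0.5"
  dependencies:
    node-gyp "^9.0.0"

node-gyp@^9.0.0:
  version "9.4.1"
  dependencies:
    make-fetch-happen "^10.0.3"
    tar "^6.1.2"

make-fetch-happen@^10.0.3:
  version "10.2.1"
  dependencies:
    cacache "^16.1.0"

cacache@^16.1.0:
  version "16.1.3"
  dependencies:
    tar "^6.1.11"

tar@^6.1.11, tar@^6.1.2:
  version "6.2.1"
"""

# Constructed "after" state: the scoped resolution keeps the node-gyp@^9.0.0 key but
# resolves it to 11.2.0, so the whole sub-tree now lands on tar 7.
LOCK_AFTER = """\
# yarn lockfile v1

ttf2woff2@4.0.5:
  version "4.0.5"
  dependencies:
    node-gyp "^9.0.0"

node-gyp@^9.0.0:
  version "11.2.0"
  dependencies:
    tar "^7.4.3"

tar@^7.4.3:
  version "7.5.16"
"""


def split_spec(spec):
    """'@scope/pkg@^1.0.0' -> ('@scope/pkg', '^1.0.0'); the last '@' separates name and range."""
    i = spec.rfind("@")
    return spec[:i], spec[i + 1:]


def parse_yarn_lock(text):
    """Return {spec: entry}; specs sharing one block ('tar@^6.1.11, tar@^6.1.2:') share one entry."""
    entries, current, in_deps = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0 and line.endswith(":"):          # block header with one or more specs
            specs = [s.strip().strip('"') for s in line[:-1].split(",")]
            current = {"name": split_spec(specs[0])[0], "specs": specs,
                       "version": None, "dependencies": {}}
            for s in specs:
                entries[s] = current
            in_deps = False
        elif indent == 2 and current is not None:       # version / resolved / dependencies:
            in_deps = line in ("dependencies:", "optionalDependencies:")
            if line.startswith("version "):
                current["version"] = line.split(" ", 1)[1].strip('"')
        elif indent == 4 and in_deps and current is not None:  # one dependency: name "range"
            dep_name, dep_range = line.split(" ", 1)
            current["dependencies"][dep_name.strip('"')] = dep_range.strip('"')
    return entries


def version_tuple(v):
    """Numeric-only comparison (prerelease tags ignored), enough for 'below the fix release'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def dependent_chains(entries, spec, seen=None):
    """All paths from a root entry down to `spec`, each as a list of 'name@version' labels."""
    name, rng = split_spec(spec)
    entry = entries[spec]
    label = f"{name}@{entry['version']}"
    seen = (seen or set()) | {id(entry)}                 # guard against dependency cycles
    parents, done = [], set()
    for e in entries.values():                           # an entry is a parent if it asks for name@rng
        if id(e) not in done and id(e) not in seen and e["dependencies"].get(name) == rng:
            parents.append(e)
        done.add(id(e))
    if not parents:
        return [[label]]
    return [chain + [label] for p in parents
            for chain in dependent_chains(entries, p["specs"][0], seen)]


def vulnerable_chains(lock_text, package, fixed_in):
    """Chains ('a@1 -> b@2 -> tar@6.2.1') for every resolved `package` version below `fixed_in`."""
    entries = parse_yarn_lock(lock_text)
    chains = []
    for spec, e in entries.items():
        if e["name"] == package and version_tuple(e["version"]) < version_tuple(fixed_in):
            chains.extend(" -> ".join(c) for c in dependent_chains(entries, spec))
    return sorted(set(chains))


if __name__ == "__main__":
    for label, lock in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        hits = vulnerable_chains(lock, "tar", "7.0.0")
        print(f"{label}: {len(hits)} vulnerable tar chain(s)")
        for c in hits:
            print("  " + c)
```

Run against the real lockfile, the same call (`vulnerable_chains(open("yarn.lock").read(), "tar", "7.0.0")`) should return an empty list after the override, and the chains it prints before the override name the packages whose ranges a scoped resolution has to cover.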
Diff hunks (the rendered view preserved only line positions; file names and the changed lines themselves were not captured):

- hunk 1: context at old lines 24-26 and 27-29, one line added at new line 27
- hunk 2: context at lines 797-799 and 803-805, old lines 800-802 removed and new lines 800-802 added
- hunk 3: context at old lines 165-167 and 169-171, old line 168 removed and new lines 168-169 added
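Review bot: the three rendered hunks account for only 6 added and 4 removed lines, while the header reports 4 files changed with 133 additions and 421 deletions, so the file carrying almost all of the change (the regenerated lock file, going by the "yarn install" step in the verification paragraph) is not shown in this view and should be reviewed directly. Two things to confirm there: that no tar@6.x entry survives anywhere in the lock file, not only under the node-gyp / make-fetch-happen / cacache chain named in the message, and that the node-gyp@^11.2.0 override is recorded only for the ttf2woff2 sub-tree, since the message describes a scoped resolution and a resolution that widened to the whole tree would change more than it states.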
0 commit comments