Fix/security vulnerabilities#219

Open
Robert-Bosse wants to merge 7 commits into pluginpal:master from spring-media:fix/security-vulnerabilities
Conversation

@Robert-Bosse

No description provided.

Luca-Esposito and others added 7 commits September 21, 2023 09:31
- Upgrade lodash from ^4.17.21 to ^4.17.23 (Prototype Pollution - Medium)
- Add yarn resolutions to pin transitive dependencies:
  - minimatch@3.1.3 (ReDoS + Inefficient Algorithmic Complexity - High)
  - brace-expansion@1.1.12 (ReDoS - Low)
  - @babel/runtime@~7.26.10 (ReDoS - Medium)
  - lodash-es@4.17.23 (Prototype Pollution - Medium)
  - lodash@4.17.23 (Prototype Pollution - Medium)

Remaining: inflight@1.0.6 (Medium) - no fix available (unmaintained package)

All updates are patch/minor version bumps within compatible semver ranges.
No breaking changes introduced.

Update vulnerable dependencies identified by Wiz CLI scan:

CRITICAL:
- @babel/traverse 7.22.5 -> 7.29.0 (CVE-2023-45133)

HIGH:
- minimatch 3.1.3 -> 3.1.4 (CVE-2026-27904)
- semver 6.3.0 -> 6.3.1 (CVE-2022-25883)
- cross-spawn 7.0.3 -> 7.0.5 (CVE-2024-21538)

MEDIUM:
- @babel/helpers 7.22.5 -> 7.28.6 (CVE-2025-27789)
- word-wrap 1.2.3 -> 1.2.4 (CVE-2023-26115)
- js-yaml 4.1.0 -> 4.1.1 (CVE-2025-64718)
- ajv 6.12.6 -> 6.14.0 (CVE-2025-69873)

Changes:
- Upgrade @babel/core, @babel/eslint-parser, @babel/preset-react to ^7.26.10
- Fix minimatch resolution from 3.1.3 to 3.1.4
- Add yarn resolutions for semver, cross-spawn, word-wrap, js-yaml, ajv
@Robert-Bosse Robert-Bosse marked this pull request as draft March 12, 2026 08:28
@Robert-Bosse Robert-Bosse marked this pull request as ready for review March 12, 2026 08:28
@TMSchipper
Contributor

Hi @Robert-Bosse, could you give me a description of what this PR does or the main reason you opened it?
I've seen some remarkable changes which do not belong in this PR.
