Commit cd9086d
* fix(deps): bump serialize-javascript to 7.0.5, picomatch to 4.0.4
Addresses Dependabot alerts:
- #1 (GHSA-5c6j-r48x-rmvq, CVSS 8.1 high): serialize-javascript
<= 7.0.2 — static code injection via RegExp.flags /
Date.prototype.toISOString, potential RCE when output is eval'd.
- #14 (GHSA-qj8w-gfj5-8c6v, CVSS 5.9 medium): serialize-javascript
< 7.0.5 — CPU-exhaustion DoS via crafted array-like objects.
- #4 (GHSA-3v7f-55p6-f55p, CVSS 5.3 medium): picomatch
>= 4.0.0, < 4.0.4 — prototype method injection in
POSIX_REGEX_SOURCE causes incorrect glob matching.
All three are transitive dev-scope dependencies. Fixed by adding
npm overrides for `serialize-javascript: 7.0.5` and
`picomatch@>=4.0.0 <4.0.4: 4.0.4`.
Note: alert #4 will remain partially open — semantic-release's
bundled `npm` CLI ships its own copy of picomatch@4.0.3 as a
bundleDependency, which npm overrides cannot reach. All other
usages in the tree are pinned to 4.0.4.
Regenerated package-lock.json with a clean install to ensure
overrides take effect (prior resolutions were stale).
Fixes #1
Fixes #14
* fix(deps): regenerate lockfile to restore @fastify/send resolution
Previous clean install produced a corrupted lockfile: node_modules/@fastify/send
was dropped entirely and several packages lost their `resolved`/`integrity`
fields, causing Jest to fail with "Cannot find module '@fastify/send'" across
server route test suites.
Rerunning the clean install produced a well-formed lockfile. Overrides still
take effect — serialize-javascript pinned to 7.0.5 everywhere, picomatch 4.0.4
for all reachable copies (the 4.0.3 inside semantic-release's bundled npm
remains unreachable, as noted in the PR description).
---------
Co-authored-by: Frank Steiler <frank@steiler.de>
1 parent 16e0e2c commit cd9086d
2 files changed
Lines changed: 5 additions & 23 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
66 | 66 | | |
67 | 67 | | |
68 | 68 | | |
| 69 | + | |
69 | 70 | | |
70 | 71 | | |
| 72 | + | |
71 | 73 | | |
72 | 74 | | |
73 | 75 | | |
0 commit comments