fix(security): resolve transitive lodash vulnerability via override

[LucasSantana-Dev]

Summary

• Add npm overrides to force yaml-language-server to resolve lodash@4.17.23
• Update lockfile to remove vulnerable lodash@4.17.21
• Document the security maintenance decision in CHANGELOG.md and README.md

Root cause

Dependabot could not open a security fix because @astrojs/check -> @astrojs/language-server -> volar-service-yaml pins yaml-language-server@~1.19.2, which depends on lodash@4.17.21.

Validation

• npm ci --ignore-scripts
• npm ls lodash --all shows lodash@4.17.23 overridden
• npm audit --json shows 0 vulnerabilities
• pre-commit tests passed (vitest run)

Summary by CodeRabbit

• Bug Fixes

  • Resolved a security vulnerability affecting transitive dependencies.

• Documentation

  • Updated changelog and security maintenance guidance in project documentation.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 73bf0e61-6963-488e-a72e-208a526a880f

📥 Commits

Reviewing files that changed from the base of the PR and between 8e4b9fd and 1169dbc.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• CHANGELOG.md
• README.md
• package.json

---

📝 Walkthrough

Walkthrough

The pull request addresses a Dependabot security vulnerability by implementing npm overrides to pin lodash to version 4.17.23 for yaml-language-server, resolving a transitive dependency deadlock. Changes are documented in CHANGELOG.md and package.json, with accompanying security maintenance notes added to README.md.

Changes

Cohort / File(s)	Summary
Security Vulnerability Fix package.json	Added npm overrides section to pin lodash@4.17.23 for yaml-language-server, resolving transitive dependency vulnerability without requiring upstream changes.
Documentation Updates CHANGELOG.md, README.md	Added security maintenance documentation: CHANGELOG entry documenting the Dependabot fix and README paragraphs clarifying use of npm overrides for vulnerable transitive dependencies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A lodash lock, a deadlock's cure,
Overrides ensure we're pure,
YAML no longer tied in knots,
Security patches seal the dots,
Documentation lights the way! 📚

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/dependabot-lodash-blocker

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.16.3)

package.json

┌──────────────┐
│ Opengrep CLI │
└──────────────┘

�[32m✔�[39m �[1mOpengrep OSS�[0m
�[32m✔�[39m Basic security coverage for first-party code vulnerabilities.

�[1m Loading rules from local config...�[0m

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[LucasSantana-Dev]

Findings (by severity)

1. High (resolved): transitive vulnerable lodash@4.17.21 in the @astrojs/check chain is replaced by lodash@4.17.23 via targeted overrides, with lockfile synchronized.
2. Medium: override strategy introduces maintenance burden; this is documented in README/CHANGELOG to avoid accidental removal before upstream pin updates.
3. Low: patch scope is dependency metadata + docs only; no runtime application code changes.

Assumptions/Open Questions

1. Assumption: using npm overrides for this transitive path is acceptable until volar-service-yaml loosens or updates its yaml-language-server range.
2. Open question: whether to also upgrade @astrojs/check in a follow-up dependency sweep once upstream chain is aligned.

Summary

• Security fix is scoped and validated (npm audit clean); ready to merge once required checks complete.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud