Skip to content

fix(deps): patch transitive security vulnerabilities (lodash, undici, flatted, +3)#123

Merged
anoncam merged 1 commit into
mainfrom
fix/deps-transitive-security-sweep
Jun 2, 2026
Merged

fix(deps): patch transitive security vulnerabilities (lodash, undici, flatted, +3)#123
anoncam merged 1 commit into
mainfrom
fix/deps-transitive-security-sweep

Conversation

@anoncam

@anoncam anoncam commented Jun 2, 2026

Copy link
Copy Markdown
Owner

Summary

Patches 6 transitive dependency vulnerabilities flagged by Dependabot, with target versions verified against Sonatype (which corrected several of Dependabot's suggested fixes). Clears the two 9.8 critical advisories (lodash, undici) plus the flatted high.

Changes

Package From To Mechanism Severity cleared
lodash 4.17.23 4.18.1 npm update 9.8 critical (CVE-2026-4800)
undici 7.18.2 7.24.4 overrides (miniflare hard-pins 7.18.2) 9.8 critical + 5 more
flatted 3.3.3 3.4.2 npm update 9.8 / 7.5
brace-expansion 1.1.12 1.1.15 npm update 7.5
picomatch 2.3.1 2.3.2 npm update 7.5 / 6.9
yaml 1.10.2 1.10.3 npm update 4.3

Notes

  • Sonatype corrected Dependabot on two: lodash fix is 4.18.1 (not 4.18.0), and the undici 7.24.4 pick has the highest trust score in the 7.x line.
  • undici required an overrides entry because miniflare (local dev runtime, via wrangler) hard-pins 7.18.2. This only affects local npm run dev — the deployed Worker uses Cloudflare's runtime, not npm undici. undici is API-stable within 7.x.
  • Supersedes chore(deps): bump flatted from 3.3.3 to 3.4.1 in the npm_and_yarn group across 1 directory #121 (flatted → 3.4.1), which was insufficient: Sonatype/Dependabot both show ≤3.4.1 still vulnerable; this goes to 3.4.2.

Verification

  • npm run build ✅ passes
  • npm test: no regression — the 2 failing tests (friend-encryption / PGP) are pre-existing and flaky on main (verified via baseline runs), unrelated to these bumps.
  • npm run lint is broken on main independently (ESLint 9 needs a flat config) — out of scope here.

Out of scope (follow-ups)

  • serialize-javascript 6→7 (high) — separate PR (major bump, needs overrides).
  • uuid 13→14 (moderate) — separate PR (direct dep).
  • ws (moderate) and diff/jsdiff (low) surfaced by npm audit but weren't in the Dependabot set — noted for triage.

@anoncam anoncam merged commit 1066a34 into main Jun 2, 2026
3 checks passed
@anoncam anoncam deleted the fix/deps-transitive-security-sweep branch June 2, 2026 15:44
github-actions Bot added a commit that referenced this pull request Jun 2, 2026
Version bump type: patch
PR: #123
Title: fix(deps): patch transitive security vulnerabilities (lodash, undici, flatted, +3)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant