
[DependOnMe] Bulk security fix - 5 issues #303

Merged
amam-deriv merged 2 commits into master from dependonme/bulk-fix-9aa78947
Apr 22, 2026

Conversation

@dependonme-deriv
Contributor

Bulk Security Fix

This pull request was automatically generated by DependOnMe to fix 5 security issues at once.

Issues Fixed

  • Critical: 0
  • High: 1
  • Medium: 4
  • Low: 0

Files Modified

  • package.json

AI Summary

Fixed 5 security issues using npm overrides for transitive dependencies:

HIGH SEVERITY:

  • CVE-2026-4800: lodash Code Injection via _.template - Updated to >=4.18.0

MEDIUM SEVERITY:

  • CVE-2026-2950: lodash Prototype Pollution in _.unset and _.omit - Updated to >=4.18.0
  • CVE-2025-64718: js-yaml prototype pollution in merge (<<) - Updated to >=4.1.1
  • CVE-2025-64718: js-yaml prototype pollution (4.x branch) - Updated to >=4.1.1
  • CVE-2024-6783: vue-template-compiler XSS vulnerability - Updated to >=3.4.0

⚠️ Risk Assessment:

  • Low Risk: lodash and js-yaml patches (4.17.23→4.18.0, various→4.1.1)
    • These are patch/minor updates with security fixes only
  • High Risk: vue-template-compiler (2.x→3.x)
    • This is a major version jump with potential breaking changes
    • However, since it's a transitive dependency, the impact depends on which package uses it

🧪 Testing Checklist:

  • CRITICAL: Run npm install to regenerate package-lock.json
  • CRITICAL: Run npm audit to verify all vulnerabilities are resolved
  • Run full test suite (npm run test_all)
  • Test build process (npm run build)
  • Test documentation generation (npm run docs)
  • Verify webpack bundling works correctly
  • Test ESLint functionality
  • Check if any tools break due to vue-template-compiler v3 changes

🔧 Manual Steps Required:

  1. Delete package-lock.json and node_modules:

    rm -rf node_modules package-lock.json
  2. Clean install with new overrides:

    npm install
  3. Verify security fixes:

    npm audit
  4. If vue-template-compiler v3 causes issues, you may need to:

    • Identify which dev tool depends on it
    • Find alternative tools or configurations
    • Consider temporarily pinning to latest v2.x (2.7.16) if v3 breaks critical tooling

🚨 Important Notes:

  • Overrides Approach: Used npm overrides because all vulnerabilities are in transitive dependencies, not direct dependencies
  • Future Maintenance: Monitor for updates to direct dependencies that may resolve these overrides naturally
  • Vue Template Compiler: The major version jump (2→3) is the highest risk change - if it breaks tooling, consider temporarily using "vue-template-compiler": "~2.7.16" instead
  • Alternative Strategy: If issues arise, consider upgrading specific dev dependencies (like documentation, webpack tools) to versions that use secure transitive dependencies

This PR was created by DependOnMe - Automated Security Issue Management

dependonme-deriv and others added 2 commits April 22, 2026 07:14
Automatically regenerated by DependOnMe bot after package.json update.
Branch: dependonme/bulk-fix-9aa78947
Package manager: npm
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package | Version | Score | Details
(no entries listed)

Scanned Manifest Files

package-lock.json
  • lodash@4.17.23
  • js-yaml@3.14.1
  • js-yaml@4.1.0
  • vue-template-compiler@2.7.16
  • js-yaml@4.1.1
  • lodash@4.18.1
  • argparse@1.0.10
  • de-indent@1.0.2
  • he@1.2.0
  • sprintf-js@1.0.3

@amam-deriv amam-deriv merged commit b649328 into master Apr 22, 2026
4 checks passed
@amam-deriv amam-deriv deleted the dependonme/bulk-fix-9aa78947 branch April 22, 2026 03:15

2 participants