fix(deps): Bump defu to 6.1.7 for prototype pollution (GHSA-737v-mqg7-c878) #118993

Merged: oioki merged 1 commit into master from atarasov/fix/bump-defu-615 on Jul 3, 2026

Conversation

oioki (Member) commented Jul 3, 2026

Resolves Dependabot alert #531 (GHSA-737v-mqg7-c878 / CVE-2026-35209, high).

defu <= 6.1.4 is vulnerable to prototype pollution: a __proto__ key in the first argument to defu() overrides intended defaults in the merged result. Fixed in 6.1.5.

defu is a transitive devDependency reachable only through @r4ai/remark-callout@0.6.2, which declares defu: ^6.1.4 — a range already satisfied by the patched line. remark-callout is at its latest published version and still uses ^6.1.4, so no dependency bump moves it; the single defu@6.1.4 copy lingered only because pnpm preserves resolved versions. This re-resolves it to 6.1.7 in the lockfile (validated with pnpm install --lockfile-only) instead of adding an override. defu has no dependencies, so the change is isolated.

Refs GHSA-737v-mqg7-c878

…-c878)

defu <= 6.1.4 is vulnerable to prototype pollution via a __proto__ key in the defaults argument (GHSA-737v-mqg7-c878 / CVE-2026-35209, high). It is a transitive devDependency reachable only via @r4ai/remark-callout@0.6.2, which declares defu ^6.1.4 -- a range already satisfying the patched release. remark-callout is at its latest and still uses ^6.1.4, so the fix re-resolves the single defu instance to 6.1.7 in the lockfile (validated with pnpm install --lockfile-only) rather than adding an override.
oioki marked this pull request as ready for review July 3, 2026 11:09
oioki requested a review from a team as a code owner July 3, 2026 11:09
oioki merged commit 56f151f into master Jul 3, 2026
61 checks passed
oioki deleted the atarasov/fix/bump-defu-615 branch July 3, 2026 11:43
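The bug class the PR description refers to, as an added example that is not code from the PR, from defu or from this repository: a defaults merge that drops the keys able to reach Object.prototype, and a regression check run over a constructed input carrying a `__proto__` key. Function names and the sample config are this example's own.

```javascript
// Added example, not code from the PR or from defu: a defaults merge that
// ignores prototype-polluting keys, plus the kind of regression check a team
// might keep next to a dependency bump like this one.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Merge `input` over `defaults` (input wins, like defu's first argument).
// Only own enumerable keys are copied, and the three keys that can reach
// Object.prototype are dropped instead of being assigned or recursed into.
function mergeDefaults(input, defaults) {
  const out = {};
  for (const [k, v] of Object.entries(defaults)) {
    if (UNSAFE_KEYS.has(k)) continue;
    out[k] = isPlainObject(v) ? mergeDefaults({}, v) : v;
  }
  for (const [k, v] of Object.entries(input)) {
    if (UNSAFE_KEYS.has(k)) continue;
    out[k] = isPlainObject(v) && isPlainObject(out[k])
      ? mergeDefaults(v, out[k])
      : v;
  }
  return out;
}

// Regression check with a constructed input shaped like the class described
// in the PR: JSON.parse yields an own "__proto__" property that tries to
// override a default and to inject a new inherited property.
function checkNoPollution() {
  const defaults = { debug: false, port: 3000, log: { level: "info" } };
  const input = JSON.parse(
    '{"__proto__": {"debug": true, "isAdmin": true}, "port": 8080, "log": {"json": true}}'
  );
  const merged = mergeDefaults(input, defaults);
  return {
    debug: merged.debug,          // default preserved
    port: merged.port,            // legitimate override applied
    logLevel: merged.log.level,   // nested default preserved
    logJson: merged.log.json,     // nested override applied
    isAdmin: merged.isAdmin,      // nothing inherited from the payload
    ownProto: Object.prototype.hasOwnProperty.call(merged, "__proto__"),
    globalPolluted: ({}).isAdmin !== undefined,
  };
}
```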