Revisit open security vulnerabilities #2127
Revisit remaining vulnerabilities not addressed by PR #2122:
| Package | Severity | Blocker |
|---|---|---|
| lodash-es (×3 alerts) | High/Medium | chevrotain declares exact 4.17.21; override to 4.18.0 breaks electron-builder |
| underscore | High | jsonpath declares exact 1.13.6 |
| qs (×2 alerts) | Medium/Low | body-parser declares exact 6.13.0 |
| nodemailer | Low | mailparser depends on 7.x; fix requires 8.x (major version gap) |
These cannot be fixed via pnpm overrides because electron-builder's traversalNodeModulesCollector validates that installed versions exactly match declared dependency ranges. When a pnpm override changes the resolved version, the packager fails with "Production dependency not found".
To resolve these, the upstream packages need to update their declared dependency ranges, or electron-builder needs to support pnpm overrides. The following packages also have cross-major-version vulnerabilities that can't use global overrides: brace-expansion (1.x/2.x/5.x), picomatch (2.x/4.x), @xmldom/xmldom (0.8.x/0.9.x), undici (7.x/8.x).
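To make the failure mode concrete, here is an added illustration (not electron-builder's own `traversalNodeModulesCollector`, and not code from this repository) of a strict "installed version must satisfy the declared range" walk over production dependencies. The package tree, installed versions and the override map are constructed sample data modelled on the table above; `app` with its caret range `^4.17.0` is a hypothetical dependent added to show why the same override is harmless for a range and fatal for an exact pin. The range grammar is deliberately minimal (exact, `^`, `~`, `*`, `N` / `N.x`), not a full semver implementation.

```javascript
// Added example: a strict declared-range vs installed-version check of the
// kind described in the issue. Not electron-builder code.

const SEMVER_RE = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/;

// Parse "MAJOR.MINOR.PATCH" (a prerelease tag is accepted but ignored here).
function parseVersion(v) {
  const m = SEMVER_RE.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal range matcher: "1.2.3" (exact), "^1.2.3", "~1.2.3", "*", "7" / "7.x".
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === '' || r === '*' || r === 'x') return true;
  if (/^\d+(\.x)?$/.test(r)) return v[0] === Number(r.split('.')[0]);
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  if (compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;          // exact pin
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  // caret: the first non-zero component is fixed
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return compare(v, base) === 0;
}

// Walk every production dependency edge and require that what is installed
// satisfies the range the dependent declared. An override that moves a
// pinned dependency off its exact version fails here, which is the
// "Production dependency not found" situation the issue describes.
function checkProductionDeps(packages, installed) {
  const problems = [];
  for (const pkg of packages) {
    for (const [dep, range] of Object.entries(pkg.dependencies || {})) {
      const actual = installed[dep];
      if (actual === undefined || !satisfies(actual, range)) {
        problems.push({ from: pkg.name, dep, range, installed: actual ?? null });
      }
    }
  }
  return problems;
}

// Simulate a pnpm-style override: the resolved version of a dependency is
// replaced for every dependent in the tree (simplified single-version model).
function applyOverrides(installed, overrides) {
  return { ...installed, ...overrides };
}

function formatProblems(problems) {
  return problems.map(p =>
    `${p.from} -> ${p.dep}@${p.range}: installed ${p.installed ?? 'nothing'}`);
}

// Constructed sample tree mirroring the blockers in the table above.
// "app" and its caret range are hypothetical, added for contrast.
const SAMPLE_PACKAGES = [
  { name: 'chevrotain',  dependencies: { 'lodash-es': '4.17.21' } },
  { name: 'jsonpath',    dependencies: { underscore: '1.13.6' } },
  { name: 'body-parser', dependencies: { qs: '6.13.0' } },
  { name: 'mailparser',  dependencies: { nodemailer: '7.x' } },
  { name: 'app',         dependencies: { 'lodash-es': '^4.17.0' } },
];

const SAMPLE_INSTALLED = {
  'lodash-es': '4.17.21',
  underscore: '1.13.6',
  qs: '6.13.0',
  nodemailer: '7.0.0',
};

// The override the issue says breaks packaging.
const SAMPLE_OVERRIDES = { 'lodash-es': '4.18.0' };

function demo() {
  const before = checkProductionDeps(SAMPLE_PACKAGES, SAMPLE_INSTALLED);
  const after = checkProductionDeps(
    SAMPLE_PACKAGES, applyOverrides(SAMPLE_INSTALLED, SAMPLE_OVERRIDES));
  return { before: formatProblems(before), after: formatProblems(after) };
}
```

Running `demo()` reports no problems for the unmodified tree and exactly one after the override, from `chevrotain` (the exact pin), while `app` with `^4.17.0` still passes. That is the asymmetry behind the table: the override itself is fine, but a validator that treats the declared range as authoritative rejects the tree wherever the upstream package pinned an exact version.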