Fix: Vite and lodash related security vulnerability #245
Conversation
Pull request overview
This PR updates dependency resolution to address reported security advisories related to Vite and lodash in the frappe-ui-react monorepo.
Changes:
- Add pnpm overrides to force patched versions of `lodash` and `vite`.
- Update the lockfile to resolve to `vite@7.3.2` and `lodash@4.18.1` (and propagate the new Vite resolution across dependent tooling like Storybook/Vitest).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Adds pnpm overrides entries for lodash and Vite to mitigate reported vulnerabilities. |
| pnpm-lock.yaml | Applies the overrides in the resolved dependency graph, updating Vite/lodash versions and their downstream resolutions. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
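For readers unfamiliar with the mechanism the review refers to, the following is an added illustration of what a pnpm override entry in `package.json` looks like; it is not the diff from this PR, and the surrounding `name`/`devDependencies` values are placeholders. The pinned versions are the ones the review text cites (`vite@7.3.2`, `lodash@4.18.1`). `pnpm.overrides` rewrites the resolution for every occurrence of the named package in the graph, including transitive ones, which is why it works for a package like lodash that the project never imports directly.

```json
{
  "name": "placeholder-monorepo",
  "private": true,
  "devDependencies": {
    "vite": "^7.0.0"
  },
  "pnpm": {
    "overrides": {
      "lodash": "4.18.1",
      "vite": "7.3.2"
    }
  }
}
```

After editing the overrides, run `pnpm install` so `pnpm-lock.yaml` is regenerated with the forced resolutions, then `pnpm why lodash` to confirm which dependents still pull it in and that every path now resolves to the overridden version. A pin like this only holds for packages whose version ranges are compatible with the override; if a dependent declares a range that excludes `4.18.1`, pnpm still applies the override, so a quick test run of the affected tooling (Storybook/Vitest here) is the check that nothing broke.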
Where is lodash used even?
@ayushnirwal It's a transitive dependency:
I don't remember seeing styled components anywhere in the project. Can you check?
Removed the usage of styled-components completely and also removed unnecessary dependencies.
ayushnirwal
left a comment
LGTM. Merge the changes to develop after this is merged.
Updated PR to fix new security vulnerability introduced due to dompurify: https://github.com/rtCamp/frappe-ui-react/security/dependabot/39
Description
This PR fixes Vite and lodash related security vulnerability.
Checklist
Fixes: