
fix(deps): patch all open Dependabot security vulnerabilities #425

Merged
Christian Bromann (christian-bromann) merged 1 commit into main from fix/dependabot-security-overrides on Apr 4, 2026

Conversation

@jkennedyvz John Kennedy (jkennedyvz), Contributor, commented Apr 4, 2026

Summary

  • Adds pnpm overrides to resolve all 11 open Dependabot security alerts
  • Patches lodash (→4.18.1), picomatch (→2.3.2/4.0.4), fast-xml-parser (→5.5.10), flatted (→3.4.2)
  • Updates existing fast-xml-parser override to cover all reported CVE ranges

Test plan

  • Verify pnpm install succeeds without errors
  • Verify no vulnerable versions remain in pnpm-lock.yaml
  • Confirm Dependabot alerts auto-close after merge
  • Run pnpm test to ensure no regressions

…m overrides

Adds/updates pnpm overrides to resolve 11 open Dependabot alerts:
- lodash <= 4.17.23 → 4.18.1 (prototype pollution)
- picomatch < 2.3.2 → 2.3.2 and >= 4.0.0 < 4.0.4 → 4.0.4 (ReDoS)
- fast-xml-parser >= 4.0.0-beta.3 <= 5.5.6 → 5.5.10 (multiple vulns)
- flatted < 3.4.2 → 3.4.2 (prototype pollution)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
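The second test-plan item above ("no vulnerable versions remain in pnpm-lock.yaml") is the one worth automating, because a pnpm override only rewrites resolutions that match its selector and a stale lock entry is easy to miss. The script below is an added example, not code from this PR or from the project: it writes the PR's four override ranges as explicit `"name@range": "target"` selectors (pnpm's override selector syntax; the merged package.json may key some of them by bare package name, which is handled too), scans a constructed pnpm-lock.yaml excerpt with fake integrity hashes, and reports every locked version that still satisfies a vulnerable range. The semver comparison is a deliberately small local implementation rather than the npm `semver` package so the script runs with nothing but Node.js.

```javascript
// Added example, not code from the PR or the deepagents project. The ranges are
// transcribed from the PR description, the "name@range": "target" keys use
// pnpm's override selector syntax, and the lock-file excerpt is constructed.
const OVERRIDES = { // assumption: the merged package.json may key some by bare name
  'lodash@<=4.17.23': '4.18.1',
  'picomatch@<2.3.2': '2.3.2',
  'picomatch@>=4.0.0 <4.0.4': '4.0.4',
  'fast-xml-parser@>=4.0.0-beta.3 <=5.5.6': '5.5.10',
  'flatted@<3.4.2': '3.4.2',
};

// Constructed pnpm-lock.yaml excerpt (lockfile v9 layout, fake hashes); three of
// the five entries still fall inside a vulnerable range.
const LOCK_EXCERPT = `lockfileVersion: '9.0'

packages:

  fast-xml-parser@4.5.0:
    resolution: {integrity: sha512-constructed}
  flatted@3.4.2:
    resolution: {integrity: sha512-constructed}
  lodash@4.17.21:
    resolution: {integrity: sha512-constructed}
  picomatch@2.3.1:
    resolution: {integrity: sha512-constructed}
  picomatch@4.0.4:
    resolution: {integrity: sha512-constructed}
`;

// Minimal semver: major.minor.patch plus an optional prerelease tag, which is
// enough for every range above (including 4.0.0-beta.3).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// -1 / 0 / 1. A prerelease sorts below its release; numeric prerelease
// identifiers compare numerically, everything else lexically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  if (!pa.pre || !pb.pre) return pa.pre === pb.pre ? 0 : (pa.pre ? -1 : 1);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn !== yn) return xn ? -1 : 1;
    const [cx, cy] = xn ? [Number(x), Number(y)] : [x, y];
    if (cx !== cy) return cx < cy ? -1 : 1;
  }
  return 0;
}

// Space-separated comparators such as ">=4.0.0-beta.3 <=5.5.6". Plain numeric
// semantics on purpose: a prerelease is compared like any other version.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(c);
    const cmp = compareVersions(version, m[2]);
    return { '<': cmp < 0, '<=': cmp <= 0, '>': cmp > 0, '>=': cmp >= 0, '=': cmp === 0 }[m[1] || '='];
  });
}

// "name@range" -> { name, range }; a bare name overrides every version.
// lastIndexOf keeps scoped names such as @scope/pkg intact.
function parseSelector(selector) {
  const at = selector.lastIndexOf('@');
  if (at <= 0) return { name: selector, range: null };
  return { name: selector.slice(0, at), range: selector.slice(at + 1) };
}

// name@version keys from the lock file's packages/snapshots sections, with
// peer-dependency suffixes such as "(foo@1.0.0)" dropped and duplicates merged.
const LOCK_KEY = /^  \/?((?:@[^/\s]+\/)?[^@\s/]+)@([^\s(:]+)(?:\([^)]*\))*:\s*$/;
function lockedVersions(lockText) {
  const seen = new Map();
  for (const line of lockText.split('\n')) {
    const m = LOCK_KEY.exec(line);
    if (m) seen.set(`${m[1]}@${m[2]}`, { name: m[1], version: m[2] });
  }
  return [...seen.values()];
}

// Every locked version an override should have replaced but did not: it still
// satisfies the vulnerable range (or, for a bare-name override, is not the target).
function findUnpatched(lockText, overrides) {
  const rules = Object.entries(overrides).map(([s, target]) => ({ ...parseSelector(s), selector: s, target }));
  return lockedVersions(lockText).flatMap(({ name, version }) =>
    rules
      .filter((r) => r.name === name && (r.range ? satisfies(version, r.range) : version !== r.target))
      .map((r) => ({ name, version, selector: r.selector, target: r.target })));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findUnpatched(LOCK_EXCERPT, OVERRIDES)) {
    console.log(`${f.name}@${f.version} still matches "${f.selector}" (pin ${f.target})`);
  }
}
```

Point it at a real lock file by reading it with `fs.readFileSync('pnpm-lock.yaml', 'utf8')` in place of the constructed excerpt, and run it before `pnpm audit` in CI so the two agree. One caveat the ranges themselves carry: `fast-xml-parser@>=4.0.0-beta.3 <=5.5.6 → 5.5.10` forces every 4.x consumer across a major version, so for that package the `pnpm test` step in the test plan is doing real work, and `pnpm why fast-xml-parser` is the quick way to see which transitive dependents were moved.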
changeset-bot bot commented Apr 4, 2026

⚠️ No Changeset found

Latest commit: 6dd0ade

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


pkg-pr-new bot commented Apr 4, 2026

npm i https://pkg.pr.new/deepagents-acp@425
npm i https://pkg.pr.new/deepagents@425
npm i https://pkg.pr.new/@langchain/sandbox-standard-tests@425

commit: 6dd0ade

@christian-bromann Christian Bromann (christian-bromann) merged commit 37a12fa into main Apr 4, 2026
16 checks passed
@christian-bromann Christian Bromann (christian-bromann) deleted the fix/dependabot-security-overrides branch April 4, 2026 05:10