From 6dd0ade733d2511eb3bc2e8fc7649c8cfebc44d8 Mon Sep 17 00:00:00 2001
From: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
Date: Sat, 4 Apr 2026 04:10:29 +0000
Subject: [PATCH] fix(deps): patch all open Dependabot security vulnerabilities via pnpm overrides
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds/updates pnpm overrides to resolve 11 open Dependabot alerts:
- lodash <= 4.17.23 → 4.18.1 (prototype pollution)
- picomatch < 2.3.2 → 2.3.2 and >= 4.0.0 < 4.0.4 → 4.0.4 (ReDoS)
- fast-xml-parser >= 4.0.0-beta.3 <= 5.5.6 → 5.5.10 (multiple vulns)
- flatted < 3.4.2 → 3.4.2 (prototype pollution)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package.json | 8 +++--
 pnpm-lock.yaml | 87 +++++++++++++++++++++++++++++---------------------
 2 files changed, 56 insertions(+), 39 deletions(-)

diff --git a/package.json b/package.json
index b2a4068b6..aa2922fcc 100644
--- a/package.json
+++ b/package.json
@@ -60,8 +60,12 @@
 "overrides": {
 "minimatch@<3.1.4": "3.1.4",
 "minimatch@>=9 <10.2.1": "10.2.4",
- "fast-xml-parser@>=5.0.0 <5.3.6": "5.3.6",
- "rollup@>=4.0.0 <4.59.0": "4.59.0"
+ "fast-xml-parser@>=4.0.0-beta.3 <=5.5.6": "5.5.10",
+ "rollup@>=4.0.0 <4.59.0": "4.59.0",
+ "lodash@<=4.17.23": "4.18.1",
+ "picomatch@<2.3.2": "2.3.2",
+ "picomatch@>=4.0.0 <4.0.4": "4.0.4",
+ "flatted@<3.4.2": "3.4.2"
 }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index b2674b692..6650e263f 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -7,8 +7,12 @@ settings: overrides: minimatch@<3.1.4: 3.1.4 minimatch@>=9 <10.2.1: 10.2.4 - fast-xml-parser@>=5.0.0 <5.3.6: 5.3.6 + fast-xml-parser@>=4.0.0-beta.3 <=5.5.6: 5.5.10 rollup@>=4.0.0 <4.59.0: 4.59.0 + lodash@<=4.17.23: 4.18.1 + picomatch@<2.3.2: 2.3.2 + picomatch@>=4.0.0 <4.0.4: 4.0.4 + flatted@<3.4.2: 3.4.2 importers: 
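Review bot: The widened selector `"fast-xml-parser@>=4.0.0-beta.3 <=5.5.6": "5.5.10"` in the package.json hunk now forces any dependency that declares a fast-xml-parser v4 range onto v5, a major-version jump that the override mechanism will apply without warning wherever the selector matches. The lockfile hunks show only `@aws-sdk/xml-builder@3.972.8` consuming it (it was already on 5.3.6), so this is probably harmless today, but it is worth confirming that no v4 consumer exists and noting that 5.5.10 brings two new transitive packages (`fast-xml-builder@1.1.4`, `path-expression-matcher@1.2.1`) that enlarge the dependency surface and should get the same review as a direct addition. Every override pins an exact version, so fixes published after 4.18.1, 2.3.2, 4.0.4, 5.5.10 and 3.4.2 will not be picked up until someone edits these lines; since package.json cannot carry comments, recording which alert each selector closes and the date it was added in a place that can (a short section in the contributor docs or the security policy) makes it clear when each override can be dropped. The lockfile also shows `fdir`'s peer range `picomatch: ^3 || ^4` rewritten to `picomatch: 4.0.4`, which appears to be a side effect of the `picomatch@>=4.0.0 <4.0.4` override rather than an intended change — expected pnpm behaviour as far as I can tell, but worth a glance. Running the audit in CI with the lockfile frozen would keep a later `pnpm install` from silently re-resolving to the vulnerable versions if an override is removed or mistyped.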
@@ -411,7 +415,7 @@ importers: version: 25.5.0 '@vitest/coverage-v8': specifier: ^4.0.18 - version: 4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))) + version: 4.0.18(vitest@4.1.2) '@vitest/ui': specifier: ^4.0.18 version: 4.0.18(vitest@4.1.2) @@ -484,7 +488,7 @@ importers: version: 25.5.0 '@vitest/coverage-v8': specifier: ^4.0.18 - version: 4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))) + version: 4.0.18(vitest@4.1.2) '@vitest/ui': specifier: ^4.0.18 version: 4.0.18(vitest@4.1.2) @@ -521,7 +525,7 @@ importers: version: 25.5.0 '@vitest/coverage-v8': specifier: ^4.0.18 - version: 4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))) + version: 4.0.18(vitest@4.1.2) deepagents: specifier: workspace:* version: link:../../deepagents @@ -558,7 +562,7 @@ importers: version: 25.5.0 '@vitest/coverage-v8': specifier: ^4.0.18 - version: 4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))) + version: 4.0.18(vitest@4.1.2) deepagents: specifier: workspace:* version: link:../../deepagents @@ -595,7 +599,7 @@ importers: version: 25.5.0 '@vitest/coverage-v8': specifier: ^4.0.18 - version: 4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))) + version: 4.0.18(vitest@4.1.2) deepagents: specifier: workspace:* version: link:../../deepagents 
@@ -632,7 +636,7 @@ importers: version: 25.5.0 '@vitest/coverage-v8': specifier: ^4.0.18 - version: 4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))) + version: 4.0.18(vitest@4.1.2) deepagents: specifier: workspace:* version: link:../../deepagents @@ -699,7 +703,7 @@ importers: version: 25.5.0 '@vitest/coverage-v8': specifier: ^4.0.18 - version: 4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))) + version: 4.0.18(vitest@4.1.2) deepagents: specifier: workspace:* version: link:../../deepagents @@ -2840,8 +2844,11 @@ packages: resolution: {integrity: sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==} engines: {node: '>=8.6.0'} - fast-xml-parser@5.3.6: - resolution: {integrity: sha512-QNI3sAvSvaOiaMl8FYU4trnEzCwiRr8XMWgAHzlrWpTSj+QaCSvOf1h82OEP1s4hiAXhnbXSyFWCf4ldZzZRVA==} + fast-xml-builder@1.1.4: + resolution: {integrity: sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==} + + fast-xml-parser@5.5.10: + resolution: {integrity: sha512-go2J2xODMc32hT+4Xr/bBGXMaIoiCwrwp2mMtAvKyvEFW6S/v5Gn2pBmE4nvbwNjGhpcAiOwEv7R6/GZ6XRa9w==} hasBin: true fastq@1.20.1: @@ -2851,7 +2858,7 @@ packages: resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==} engines: {node: '>=12.0.0'} peerDependencies: - picomatch: ^3 || ^4 + picomatch: 4.0.4 peerDependenciesMeta: picomatch: optional: true 
@@ -2867,8 +2874,8 @@ packages: resolution: {integrity: sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==} engines: {node: '>=8'} - flatted@3.3.3: - resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==} + flatted@3.4.2: + resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==} follow-redirects@1.15.11: resolution: {integrity: sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==} @@ -3240,8 +3247,8 @@ packages: lodash.startcase@4.4.0: resolution: {integrity: sha512-+WKqsK294HMSc2jEbNgpHpd0JfIBhp7rEV4aqXWqFr6AlXov+SlcgB1Fv01y2kGe3Gc8nMW7VA0SrGuSkRfIEg==} - lodash@4.17.23: - resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==} + lodash@4.18.1: + resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==} log-update@6.1.0: resolution: {integrity: sha512-9ie8ItPR6tjY5uYJh8K/Zrv/RMZ5VOlOWvtZdEHYSTFKZfIBPQa9tOAEeAWhd+AnIneLJ22w5fjOYtoutpWq5w==} @@ -3448,6 +3455,10 @@ packages: resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==} engines: {node: '>=8'} + path-expression-matcher@1.2.1: + resolution: {integrity: sha512-d7gQQmLvAKXKXE2GeP9apIGbMYKz88zWdsn/BN2HRWVQsDFdUY36WSLTY0Jvd4HWi7Fb30gQ62oAOzdgJA6fZw==} + engines: {node: '>=14.0.0'} + path-key@3.1.1: resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==} engines: {node: '>=8'} 
@@ -3496,14 +3507,10 @@ packages: picocolors@1.1.1: resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==} - picomatch@2.3.1: - resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==} + picomatch@2.3.2: + resolution: {integrity: sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==} engines: {node: '>=8.6'} - picomatch@4.0.3: - resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==} - engines: {node: '>=12'} - picomatch@4.0.4: resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==} engines: {node: '>=12'} @@ -3760,8 +3767,8 @@ packages: resolution: {integrity: sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==} engines: {node: '>=4'} - strnum@2.2.0: - resolution: {integrity: sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==} + strnum@2.2.2: + resolution: {integrity: sha512-DnR90I+jtXNSTXWdwrEy9FakW7UX+qUZg28gj5fk2vxxl7uS/3bpI4fjFYVmdK9etptYBPNkpahuQnEwhwECqA==} supports-color@7.2.0: resolution: {integrity: sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==} @@ -4528,7 +4535,7 @@ snapshots: '@aws-sdk/xml-builder@3.972.8': dependencies: '@smithy/types': 4.13.0 - fast-xml-parser: 5.3.6 + fast-xml-parser: 5.5.10 tslib: 2.8.1 '@aws/lambda-invoke-store@0.2.3': {} 
@@ -6142,7 +6149,7 @@ snapshots: transitivePeerDependencies: - supports-color - '@vitest/coverage-v8@4.0.18(vitest@4.1.2(@opentelemetry/api@1.9.0)(@types/node@25.5.0)(vite@8.0.3(@emnapi/core@1.8.1)(@emnapi/runtime@1.8.1)(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3)))': + '@vitest/coverage-v8@4.0.18(vitest@4.1.2)': dependencies: '@bcoe/v8-coverage': 1.0.2 '@vitest/utils': 4.0.18 @@ -6199,7 +6206,7 @@ snapshots: dependencies: '@vitest/utils': 4.0.18 fflate: 0.8.2 - flatted: 3.3.3 + flatted: 3.4.2 pathe: 2.0.3 sirv: 3.0.2 tinyglobby: 0.2.15 @@ -6524,9 +6531,15 @@ snapshots: merge2: 1.4.1 micromatch: 4.0.8 - fast-xml-parser@5.3.6: + fast-xml-builder@1.1.4: dependencies: - strnum: 2.2.0 + path-expression-matcher: 1.2.1 + + fast-xml-parser@5.5.10: + dependencies: + fast-xml-builder: 1.1.4 + path-expression-matcher: 1.2.1 + strnum: 2.2.2 fastq@1.20.1: dependencies: @@ -6547,7 +6560,7 @@ snapshots: locate-path: 5.0.0 path-exists: 4.0.0 - flatted@3.3.3: {} + flatted@3.4.2: {} follow-redirects@1.15.11: {} @@ -6748,7 +6761,7 @@ snapshots: '@types/lodash': 4.17.24 is-glob: 4.0.3 js-yaml: 4.1.1 - lodash: 4.17.23 + lodash: 4.18.1 minimist: 1.2.8 prettier: 3.8.1 tinyglobby: 0.2.15 @@ -6861,7 +6874,7 @@ snapshots: dependencies: commander: 14.0.3 listr2: 9.0.5 - picomatch: 4.0.3 + picomatch: 4.0.4 string-argv: 0.3.2 tinyexec: 1.0.4 yaml: 2.8.3 @@ -6883,7 +6896,7 @@ snapshots: lodash.startcase@4.4.0: {} - lodash@4.17.23: {} + lodash@4.18.1: {} log-update@6.1.0: dependencies: @@ -6924,7 +6937,7 @@ snapshots: micromatch@4.0.8: dependencies: braces: 3.0.3 - picomatch: 2.3.1 + picomatch: 2.3.2 mime-db@1.52.0: {} @@ -7091,6 +7104,8 @@ snapshots: path-exists@4.0.0: {} + path-expression-matcher@1.2.1: {} + path-key@3.1.1: {} path-type@4.0.0: {} @@ -7134,9 +7149,7 @@ snapshots: picocolors@1.1.1: {} - picomatch@2.3.1: {} - - picomatch@4.0.3: {} + picomatch@2.3.2: {} picomatch@4.0.4: {} 
@@ -7388,7 +7401,7 @@ snapshots: strip-bom@3.0.0: {} - strnum@2.2.0: {} + strnum@2.2.2: {} supports-color@7.2.0: dependencies: