
fix: Address Dependabot security alerts#327

Open
spawnia wants to merge 1 commit into master from fix-dependabot-security

Conversation


@spawnia spawnia commented Mar 3, 2026

Summary

Remaining (no upstream fix available)

  • serialize-javascript 6.0.2: terser-webpack-plugin requires ^6.0.2, patched version is 7.0.3+ (major version jump)
  • tar 6.2.1: cacache/node-gyp require ^6.x, no 6.x patch exists

Test plan

  • yarn run test — 90 tests pass
  • yarn npm audit — clean (only eslint 8 deprecation, separate migration)

🤖 Generated with Claude Code

- lodash ^4.17.23: prototype pollution in `_.unset` and `_.omit`
  GHSA-xxjr-mmjv-4gpg
- rollup ^4.59.0: arbitrary file write via path traversal
  GHSA-mw96-cpmx-2vgc
- storybook ^10.2.14: dev server WebSocket hijacking
  GHSA-mjf5-7g4m-gx5w
- webpack ^5.105.3: buildHttp allowedUris SSRF bypass
  GHSA-8fgc-7cc6-rx7x
  GHSA-38r7-794h-5758
- @mll-lab/js-utils ^2.41.1: includes lodash 4.17.23
- Refresh lockfile transitive deps: minimatch, tar, lodash-es

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@spawnia spawnia force-pushed the fix-dependabot-security branch from 06ec2ac to bf081a5 on March 3, 2026 17:09
