
Commit ed366bc

committed
fix(security): patch all Dependabot alerts and update dependencies
Add pnpm overrides for 8 new vulnerable transitive deps:
- vite >=6.4.2 (arbitrary file read via WebSocket)
- defu >=6.1.5 (prototype pollution via __proto__)
- picomatch >=2.3.2 / >=4.0.4 (ReDoS + method injection)
- yaml >=2.8.3 (stack overflow via deeply nested collections)
- smol-toml >=1.6.1 (DoS via consecutive commented lines)
- h3 >=1.15.9 (path traversal + SSE injection)
- immutable >=4.3.8 (prototype pollution)
- fast-xml-parser >=5.5.7 (entity expansion bypass)

Update existing overrides: minimatch >=3.1.4, brace-expansion >=2.0.3.

Update direct deps: @astrojs/rss, @astrojs/sitemap, @astrojs/tailwind, @headlessui/react, lodash, sass, slugify, pagefind, @types/dompurify, @types/lodash.
1 parent 5dd8a3c commit ed366bc


2 files changed

+371
-336
lines changed


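--- a/package.json
+++ b/package.json
@@ -21,10 +21,10 @@
 "@astrojs/markdown-remark": "^6.0.0",
 "@astrojs/mdx": "^4.0.0",
 "@astrojs/react": "^4.0.0",
-"@astrojs/rss": "^4.0.17",
-"@astrojs/sitemap": "^3.7.0",
-"@astrojs/tailwind": "^6.0.0",
-"@headlessui/react": "^2.2.9",
+"@astrojs/rss": "^4.0.18",
+"@astrojs/sitemap": "^3.7.2",
+"@astrojs/tailwind": "^6.0.2",
+"@headlessui/react": "^2.2.10",
 "@heroicons/react": "^2.1.3",
 "@react-three/drei": "9.117.0",
 "@react-three/fiber": "8.17.10",
@@ -36,36 +36,44 @@
 "framer-motion": "^12.38.0",
 "gray-matter": "^4.0.3",
 "leaflet": "^1.9.4",
-"lodash": "^4.17.23",
+"lodash": "^4.18.1",
 "marked": "^17.0.5",
 "react": "^18.2.0",
 "react-dom": "^18.2.0",
 "react-icons": "^5.2.1",
 "react-is": "^18.3.1",
 "react-leaflet": "^4.2.1",
-"sass": "^1.77.8",
-"slugify": "^1.6.8",
+"sass": "^1.99.0",
+"slugify": "^1.6.9",
 "tailwindcss": "^3.4.3",
 "three": "^0.183.2",
 "typescript": "^5.4.5"
 },
 "devDependencies": {
 "@tailwindcss/typography": "^0.5.14",
-"@types/dompurify": "^3.0.5",
-"@types/lodash": "^4.17.12",
+"@types/dompurify": "^3.2.0",
+"@types/lodash": "^4.17.24",
 "@types/react": "^18.2.37",
 "@types/react-dom": "^18.2.15",
 "npm-run-all": "^4.1.5",
-"pagefind": "^1.1.1"
+"pagefind": "^1.5.0"
 },
 "pnpm": {
 "overrides": {
-"minimatch@<9.0.9": "9.0.9",
-"minimatch@>=3.0.0 <3.1.3": "3.1.3",
+"minimatch@>=3.0.0 <3.1.4": "3.1.4",
+"minimatch@>=4.0.0 <9.0.9": "9.0.9",
 "svgo@<3.3.3": "3.3.3",
-"fast-xml-parser@<5.2.2": "5.2.2",
-"brace-expansion@<2.0.2": "2.0.2",
-"ajv@<8.17.1": "8.17.1"
+"fast-xml-parser@<5.5.7": "5.5.7",
+"brace-expansion@<2.0.3": "2.0.3",
+"ajv@<8.17.1": "8.17.1",
+"vite@>=6.0.0 <6.4.2": "6.4.2",
+"defu@<6.1.5": "6.1.5",
+"picomatch@>=2.0.0 <2.3.2": "2.3.2",
+"picomatch@>=4.0.0 <4.0.4": "4.0.4",
+"yaml@>=2.0.0 <2.8.3": "2.8.3",
+"smol-toml@<1.6.1": "1.6.1",
+"h3@<1.15.9": "1.15.9",
+"immutable@<4.3.8": "4.3.8"
 }
 }
 }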
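Review bot: The two replacement minimatch rules in the `pnpm.overrides` hunk (`"minimatch@>=3.0.0 <3.1.4"` and `"minimatch@>=4.0.0 <9.0.9"`) leave every minimatch release below 3.0.0 un-overridden, whereas the removed `"minimatch@<9.0.9": "9.0.9"` rule caught them; if any transitive dependency in the lockfile (the second changed file, not shown here) still resolves a 0.x/1.x/2.x minimatch, it now installs unpatched. The same lower-bound gap applies to the new `"picomatch@>=2.0.0 <2.3.2"` / `"picomatch@>=4.0.0 <4.0.4"` pair (3.x uncovered), `"yaml@>=2.0.0 <2.8.3"` (1.x uncovered) and `"vite@>=6.0.0 <6.4.2"` (other majors uncovered) — whether those versions are actually reachable from this tree is not visible in the diff, so confirm with `pnpm why <pkg>` or a fresh audit after install. Dropping the lower bound where the newer release is the intended floor, e.g. `"minimatch@<3.1.4": "3.1.4",`, would restore the previous coverage without changing the pinned targets. Note also that these overrides only take effect under pnpm; an npm or yarn install of this package.json ignores the `pnpm` key entirely.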
