Fix 5 Dependabot security alerts via npm overrides #2041

Open
zawata wants to merge 1 commit into nodegit:master from zawata:fix/dependabot-alerts

Conversation


@zawata zawata commented Apr 1, 2026

Summary

Test plan

  • npm audit shows no high/moderate/critical vulnerabilities
  • npm ls tar picomatch serialize-javascript brace-expansion confirms
    patched versions are installed
  • Linting passes (npm run lint)
  • Full test suite passes (requires native build environment)

🤖 Generated with Claude Code

Add and update npm overrides to resolve high and moderate severity
vulnerabilities in transitive dependencies:

- tar: upgrade to ^7.5.11 (GHSA-9ppj-qmqm-q256, high - symlink path traversal)
- picomatch: upgrade to ^4.0.4 (GHSA-c2c7-rcm5-vvqj, high - ReDoS;
  GHSA-3v7f-55p6-f55p, medium - method injection)
- serialize-javascript: upgrade override to ^7.0.5 (GHSA-qj8w-gfj5-8c6v,
  medium - CPU exhaustion DoS)
- brace-expansion: upgrade to ^2.0.3 and ^1.1.13 (GHSA-f886-m6hf-6m8v,
  medium - process hang and memory exhaustion)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
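As an added example (not code from this PR or from nodegit), a script that automates the second test-plan step: it reads the tree printed by `npm ls --all --json`, finds every installed copy of the four overridden packages, nested duplicates included, and flags any copy below the patched floor for its major line. The floors are the versions from the commit message; the tree literal is a constructed sample, and the semver comparison ignores pre-release tags.

```javascript
// Added example, not code from the nodegit PR. Floors are the versions named in the PR;
// brace-expansion ships two supported major lines, so it gets a floor per major.
const PATCHED_FLOORS = {
  tar: { 7: '7.5.11' },
  picomatch: { 4: '4.0.4' },
  'serialize-javascript': { 7: '7.0.5' },
  'brace-expansion': { 1: '1.1.13', 2: '2.0.3' },
};

// Numeric x.y.z comparison; pre-release suffixes are dropped (assumed sufficient here).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk of the `npm ls --json` tree, recording every copy of a watched package.
function collectInstalled(tree, watched, path = [], found = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (watched.has(name) && node.version) {
      found.push({ name, version: node.version, path: here.join(' > ') });
    }
    collectInstalled(node, watched, here, found);
  }
  return found;
}

// Copies below the floor for their major line, or on a major line with no floor at all.
function findUnpatched(tree, floors = PATCHED_FLOORS) {
  const watched = new Set(Object.keys(floors));
  return collectInstalled(tree, watched).filter(({ name, version }) => {
    const floor = floors[name][Number(version.split('.')[0])];
    return !floor || compareVersions(version, floor) < 0;
  });
}

// Constructed sample of `npm ls --all --json` output: the top-level brace-expansion is
// patched, but minimatch still carries its own vulnerable 1.x copy underneath it.
const SAMPLE_TREE = {
  dependencies: {
    tar: { version: '7.5.11' },
    picomatch: { version: '4.0.4' },
    'serialize-javascript': { version: '7.0.5' },
    'brace-expansion': { version: '2.0.3' },
    minimatch: { version: '3.1.2', dependencies: { 'brace-expansion': { version: '1.1.11' } } },
  },
};

const unpatched = findUnpatched(SAMPLE_TREE); // -> [{ path: 'minimatch > brace-expansion', version: '1.1.11', ... }]
```

Run it against real output with `npm ls --all --json > tree.json` and `JSON.parse` of that file in place of the sample; an empty result means every installed copy satisfies the override.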