Commit 65e36ee
committed
fix: add npm overrides to resolve remaining high-severity vulnerabilities
Adds overrides in package.json for transitive dependencies that cannot
be updated within their parent packages' declared semver ranges:
- mocha > diff: ^7.0.0 overridden to ^8.0.3
Fixes DoS in parsePatch/applyPatch (GHSA-73rr-hh4g-fpgx)
- mocha > serialize-javascript: ^6.0.2 overridden to ^7.0.4
Fixes RCE via RegExp.flags and Date.prototype.toISOString (GHSA-5c6j-r48x-rmvq)
- jshint > minimatch: ~3.0.2 overridden to 3.1.5
Fixes multiple ReDoS vulnerabilities (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74)
Remaining: aws-sdk v2 low-severity advisory (GHSA-j965-2qgj-vjmq)
affects all of v2, requires migration to v3 which is out of scope.
Lint (jshint) verified passing after minimatch override.
1 parent 9436ddc
commit 65e36ee
2 files changed
Lines changed: 32 additions & 47 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
47 | 47 | | |
48 | 48 | | |
49 | 49 | | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
50 | 59 | | |
51 | 60 | | |
52 | 61 | | |
| |||
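Review bot: the nine added lines in this hunk introduce major-version overrides for two of mocha's transitive dependencies (diff ^7.0.0 to ^8.0.3 and serialize-javascript ^6.0.2 to ^7.0.4), but the commit message only records that lint passed after the minimatch override; please also record that the mocha test suite runs cleanly with the overridden versions, since a major bump forced onto a parent package can change behaviour the parent never declared support for. A second, smaller point: minimatch is pinned to the exact version 3.1.5 while the other two overrides use caret ranges, so either use ^3.1.5 for consistency or add a short comment explaining why an exact pin is needed there. Finally, consider noting the audit command used to confirm that only the aws-sdk v2 advisory (GHSA-j965-2qgj-vjmq) remains, so the next maintainer can reproduce the "remaining" claim rather than take it from the message.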