From 425ec549a45ee5acf8ef47742ea0506c5993d0bc Mon Sep 17 00:00:00 2001 From: Arshavir Ter-Gabrielyan Date: Thu, 2 Apr 2026 10:49:52 +0200 Subject: [PATCH] chore(deps): bump transitive npm dependencies to fix Dependabot alerts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add pnpm overrides for vulnerable transitive dependencies: - form-data <4.0.4 → ^4.0.4 (critical, #89) - picomatch >=2.0.0 <2.3.2 → 2.3.2 (high, #212/#213) - lodash-es <4.18.0 → ^4.18.1 (high/medium, #215/#216) - brace-expansion ^1 → 1.1.13 (medium, #214) - brace-expansion ^2 → 2.0.3 (medium, #211) Co-Authored-By: Claude Opus 4.6 --- package.json | 7 +++- pnpm-lock.yaml | 101 ++++++++++++++++++++----------------------------- 2 files changed, 48 insertions(+), 60 deletions(-) diff --git a/package.json b/package.json index b2d3ea0e5..55e128f9c 100644 --- a/package.json +++ b/package.json @@ -39,7 +39,12 @@ "minimatch@^5": "5.1.9", "minimatch@^9": "9.0.9", "rollup@>=4.0.0 <4.59.0": "^4.59.0", - "chokidar@>=5.0.0": "4.0.3" + "chokidar@>=5.0.0": "4.0.3", + "form-data@<4.0.4": "^4.0.4", + "picomatch@>=2.0.0 <2.3.2": "2.3.2", + "lodash-es@<4.18.0": "^4.18.1", + "brace-expansion@^1": "1.1.13", + "brace-expansion@^2": "2.0.3" } }, "devDependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 2712dd8ca..18cc25c82 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -18,6 +18,11 @@ overrides: minimatch@^9: 9.0.9 rollup@>=4.0.0 <4.59.0: ^4.59.0 chokidar@>=5.0.0: 4.0.3 + form-data@<4.0.4: ^4.0.4 + picomatch@>=2.0.0 <2.3.2: 2.3.2 + lodash-es@<4.18.0: ^4.18.1 + brace-expansion@^1: 1.1.13 + brace-expansion@^2: 2.0.3 importers: 
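Review bot: In the package.json hunk, the added selector `"form-data@<4.0.4"` has no lower bound, so it also matches any 2.x or 3.x request and would rewrite it to `^4.0.4`, a major-version jump for that consumer. The lockfile in this patch only shows 4.0.1 and 4.0.2 being replaced by 4.0.5, so nothing appears to cross a major today. Bounding the selector the way the picomatch and rollup entries are bounded keeps the override from reaching further than the alert requires: `"form-data@>=4.0.0 <4.0.4": "^4.0.4"`. The exact pins (`picomatch` 2.3.2, `brace-expansion` 1.1.13 and 2.0.3) will hold those packages at these versions until the override is edited, and package.json cannot carry a comment saying why, so their removal is worth tracking against the alert numbers listed in the commit message. The `overrides` object begins above the hunk, so entries outside it are not visible here.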
@@ -3289,11 +3294,11 @@ packages: resolution: {integrity: sha512-F3PH5k5juxom4xktynS7MoFY+NUWH5LC4CnH11YB8NPew+HLpmBLCybSAEyb2F+4pRXhuhWqFesoQd6DAyc2hw==} engines: {node: '>=18'} - brace-expansion@1.1.12: - resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==} + brace-expansion@1.1.13: + resolution: {integrity: sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==} - brace-expansion@2.0.2: - resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==} + brace-expansion@2.0.3: + resolution: {integrity: sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==} braces@3.0.3: resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} @@ -4263,12 +4268,8 @@ packages: resolution: {integrity: sha512-TMKDUnIte6bfb5nWv7V/caI169OHgvwjb7V4WkeUvbQQdjr5rWKqHFiKWb/fcOwB+CzBT+qbWjvj+DVwRskpIg==} engines: {node: '>=14'} - form-data@4.0.1: - resolution: {integrity: sha512-tzN8e4TX8+kkxGPK8D5u0FNmjPUjw3lwC9lSLxxoB/+GtsJG91CO8bSWy73APlgAZzZbXEYZJuxjkHH2w+Ezhw==} - engines: {node: '>= 6'} - - form-data@4.0.2: - resolution: {integrity: sha512-hGfm/slu0ZabnNt4oaRZ6uREyfCj6P4fT/n6A1rGV+Z0VdGXjfOhVUpkn6qVQONHGIFwmveGXyDs75+nr6FM8w==} + form-data@4.0.5: + resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==} engines: {node: '>= 6'} front-matter@4.0.2: 
@@ -4909,8 +4910,8 @@ packages: resolution: {integrity: sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==} engines: {node: '>=10'} - lodash-es@4.17.21: - resolution: {integrity: sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==} + lodash-es@4.18.1: + resolution: {integrity: sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==} lodash.castarray@4.4.0: resolution: {integrity: sha512-aVx8ztPv7/2ULbArGJ2Y42bG1mEQ5mGjpdvrbJcJFU3TbYybe+QlLS4pst9zV52ymy2in1KpFPiZnAOATxD4+Q==} @@ -5496,8 +5497,8 @@ packages: picocolors@1.1.1: resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==} - picomatch@2.3.1: - resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==} + picomatch@2.3.2: + resolution: {integrity: sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==} engines: {node: '>=8.6'} picomatch@4.0.4: @@ -7779,12 +7780,12 @@ snapshots: dependencies: '@chevrotain/gast': 11.0.3 '@chevrotain/types': 11.0.3 - lodash-es: 4.17.21 + lodash-es: 4.18.1 '@chevrotain/gast@11.0.3': dependencies: '@chevrotain/types': 11.0.3 - lodash-es: 4.17.21 + lodash-es: 4.18.1 '@chevrotain/regexp-to-ast@11.0.3': {} @@ -8644,7 +8645,7 @@ snapshots: colorette: 2.0.20 debug: 4.4.3 js-yaml: 4.1.1 - lodash-es: 4.17.21 + lodash-es: 4.18.1 semver: 7.7.4 toml: 3.0.0 typanion: 3.14.0 @@ -9936,7 +9937,7 @@ snapshots: anymatch@3.1.3: dependencies: normalize-path: 3.0.0 - picomatch: 2.3.1 + picomatch: 2.3.2 arg@4.1.3: {} @@ -10100,7 +10101,7 @@ snapshots: axios@1.7.9: dependencies: follow-redirects: 1.15.9 - form-data: 4.0.1 + form-data: 4.0.5 proxy-from-env: 1.1.0 transitivePeerDependencies: - debug 
@@ -10206,12 +10207,12 @@ snapshots: widest-line: 5.0.0 wrap-ansi: 9.0.0 - brace-expansion@1.1.12: + brace-expansion@1.1.13: dependencies: balanced-match: 1.0.2 concat-map: 0.0.1 - brace-expansion@2.0.2: + brace-expansion@2.0.3: dependencies: balanced-match: 1.0.2 @@ -10244,7 +10245,6 @@ snapshots: dependencies: es-errors: 1.3.0 function-bind: 1.1.2 - optional: true callsites@3.1.0: {} @@ -10313,7 +10313,7 @@ snapshots: chevrotain-allstar@0.3.1(chevrotain@11.0.3): dependencies: chevrotain: 11.0.3 - lodash-es: 4.17.21 + lodash-es: 4.18.1 chevrotain@11.0.3: dependencies: @@ -10322,7 +10322,7 @@ snapshots: '@chevrotain/regexp-to-ast': 11.0.3 '@chevrotain/types': 11.0.3 '@chevrotain/utils': 11.0.3 - lodash-es: 4.17.21 + lodash-es: 4.18.1 chokidar@3.6.0: dependencies: @@ -10705,7 +10705,7 @@ snapshots: dagre-d3-es@7.0.11: dependencies: d3: 7.9.0 - lodash-es: 4.17.21 + lodash-es: 4.18.1 data-urls@5.0.0: dependencies: @@ -10834,7 +10834,6 @@ snapshots: call-bind-apply-helpers: 1.0.2 es-errors: 1.3.0 gopd: 1.2.0 - optional: true duplexer@0.1.2: {} @@ -10884,11 +10883,9 @@ snapshots: dependencies: is-arrayish: 0.2.1 - es-define-property@1.0.1: - optional: true + es-define-property@1.0.1: {} - es-errors@1.3.0: - optional: true + es-errors@1.3.0: {} es-module-lexer@1.6.0: {} @@ -10897,7 +10894,6 @@ snapshots: es-object-atoms@1.1.1: dependencies: es-errors: 1.3.0 - optional: true es-set-tostringtag@2.1.0: dependencies: @@ -10905,7 +10901,6 @@ snapshots: get-intrinsic: 1.3.0 has-tostringtag: 1.0.2 hasown: 2.0.2 - optional: true esast-util-from-estree@2.0.0: dependencies: @@ -11330,19 +11325,13 @@ snapshots: cross-spawn: 7.0.6 signal-exit: 4.1.0 - form-data@4.0.1: - dependencies: - asynckit: 0.4.0 - combined-stream: 1.0.8 - mime-types: 2.1.35 - - form-data@4.0.2: + form-data@4.0.5: dependencies: asynckit: 0.4.0 combined-stream: 1.0.8 es-set-tostringtag: 2.1.0 + hasown: 2.0.2 mime-types: 2.1.35 - optional: true front-matter@4.0.2: dependencies: 
@@ -11380,13 +11369,11 @@ snapshots: has-symbols: 1.1.0 hasown: 2.0.2 math-intrinsics: 1.1.0 - optional: true get-proto@1.0.1: dependencies: dunder-proto: 1.0.1 es-object-atoms: 1.1.1 - optional: true get-stream@8.0.1: {} @@ -11427,8 +11414,7 @@ snapshots: globals@15.14.0: {} - gopd@1.2.0: - optional: true + gopd@1.2.0: {} graceful-fs@4.2.11: {} @@ -11450,13 +11436,11 @@ snapshots: has-flag@4.0.0: {} - has-symbols@1.1.0: - optional: true + has-symbols@1.1.0: {} has-tostringtag@1.0.2: dependencies: has-symbols: 1.1.0 - optional: true hasown@2.0.2: dependencies: @@ -11930,7 +11914,7 @@ snapshots: cssstyle: 4.0.1 data-urls: 5.0.0 decimal.js: 10.4.3 - form-data: 4.0.1 + form-data: 4.0.5 html-encoding-sniffer: 4.0.0 http-proxy-agent: 7.0.2 https-proxy-agent: 7.0.6 @@ -11958,7 +11942,7 @@ snapshots: cssstyle: 4.3.1 data-urls: 5.0.0 decimal.js: 10.5.0 - form-data: 4.0.2 + form-data: 4.0.5 html-encoding-sniffer: 4.0.0 http-proxy-agent: 7.0.2 https-proxy-agent: 7.0.6 @@ -12100,7 +12084,7 @@ snapshots: dependencies: p-locate: 5.0.0 - lodash-es@4.17.21: {} + lodash-es@4.18.1: {} lodash.castarray@4.4.0: {} @@ -12171,8 +12155,7 @@ snapshots: marked@13.0.3: {} - math-intrinsics@1.1.0: - optional: true + math-intrinsics@1.1.0: {} mdast-util-definitions@6.0.0: dependencies: @@ -12401,7 +12384,7 @@ snapshots: dompurify: 3.3.3 katex: 0.16.21 khroma: 2.1.0 - lodash-es: 4.17.21 + lodash-es: 4.18.1 marked: 13.0.3 roughjs: 4.6.6 stylis: 4.3.5 @@ -12696,7 +12679,7 @@ snapshots: micromatch@4.0.8: dependencies: braces: 3.0.3 - picomatch: 2.3.1 + picomatch: 2.3.2 mime-db@1.52.0: {} @@ -12712,15 +12695,15 @@ snapshots: minimatch@3.1.5: dependencies: - brace-expansion: 1.1.12 + brace-expansion: 1.1.13 minimatch@5.1.9: dependencies: - brace-expansion: 2.0.2 + brace-expansion: 2.0.3 minimatch@9.0.9: dependencies: - brace-expansion: 2.0.2 + brace-expansion: 2.0.3 minimist@1.2.8: {} 
@@ -13055,7 +13038,7 @@ snapshots: picocolors@1.1.1: {} - picomatch@2.3.1: {} + picomatch@2.3.2: {} picomatch@4.0.4: {} @@ -13232,7 +13215,7 @@ snapshots: readdirp@3.6.0: dependencies: - picomatch: 2.3.1 + picomatch: 2.3.2 readdirp@4.1.2: {}