Skip to content

fix: update vulnerable dependencies via yarn resolutions#16

Merged
guptaankit015 merged 2 commits intomasterfrom
fix/dependabot-vulns
Mar 24, 2026
Merged

fix: update vulnerable dependencies via yarn resolutions#16
guptaankit015 merged 2 commits intomasterfrom
fix/dependabot-vulns

Conversation

@guptaankit015
Copy link
Copy Markdown
Collaborator

@guptaankit015 guptaankit015 commented Mar 23, 2026

Summary

  • Add yarn resolutions to force-update transitive vulnerable dependencies:
    • undici >= 6.24.0 (CRLF injection, memory consumption, request smuggling, decompression chain, WebSocket validation)
    • minimatch >= 9.0.7 (ReDoS)
    • fast-xml-parser >= 5.5.7 (DoS, entity expansion)
    • tar >= 7.0.0 (arbitrary file creation/overwrite via symlinks)
    • lodash >= 4.17.22 (prototype pollution)
    • flatted >= 3.3.4 (prototype pollution)

Resolves Dependabot vulnerability alerts

Made with Cursor

@guptaankit015
fix: update vulnerable dependencies via yarn resolutions
d17da22 
- Force undici >= 6.24.0 (fixes CRLF injection, memory consumption, request smuggling, decompression chain, WebSocket validation)
- Force minimatch >= 9.0.7 (fixes ReDoS vulnerabilities)
- Force fast-xml-parser >= 5.5.7 (fixes DoS and entity expansion vulnerabilities)
- Force tar >= 7.0.0 (fixes arbitrary file creation/overwrite via symlinks)
- Force lodash >= 4.17.22 (fixes prototype pollution)
- Force flatted >= 3.3.4 (fixes prototype pollution)

Resolves Dependabot vulnerability alerts

Made-with: Cursor
@guptaankit015 guptaankit015 merged commit 2e3ce11 into master Mar 24, 2026
6 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@suryaoruganti suryaoruganti suryaoruganti approved these changes

Assignees

@guptaankit015 guptaankit015

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@guptaankit015 @suryaoruganti