
Fix security advisories: postcss, @adonisjs/core, lodash-es #493

Merged
tp-abtion merged 1 commit into main from fix/security-advisories-2026-05-04 on May 4, 2026

Conversation

@tp-abtion (Contributor) commented May 4, 2026

Changes

  • postcss 8.5.8 → 8.5.13 — fixes XSS via unescaped </style> in CSS stringify output (GHSA-qx2v-qp2m-jg93)
  • @adonisjs/core 7.0.1 → 7.3.2 — pulls @adonisjs/http-server@^8.2.0 which fixes the open redirect vulnerability (GHSA-6qvv-pj99-48qm)
  • lodash-es overridden to 4.18.1 — fixes code injection via _.template (GHSA-r5fr-rjxr-66jc) and prototype pollution via _.unset/_.omit (GHSA-f23m-r3pf-42rh). The vulnerable 4.17.23 is pinned by chevrotain@11 (transitive of prettier-plugin-edgejs); no upstream fix available yet.

Verification

  • npm audit reports 0 vulnerabilities
  • Lint, typecheck, and build all pass locally
  • Tests deferred to CI

@tp-abtion marked this pull request as ready for review May 4, 2026 14:18

@gemini-code-assist (Bot) left a comment


Code Review

This pull request updates several dependency versions and migrates the Prettier configuration from an external package to an inline definition in package.json. However, several critical issues were identified: the specified versions for postcss (8.5.13), @adonisjs/core (7.3.2), and lodash-es (4.18.1) do not exist on the npm registry, which will lead to installation failures and potential security risks. Furthermore, removing the Prettier configuration package disables formatting for .edge files; it is recommended to use dependency overrides to resolve security vulnerabilities while maintaining project formatting.

- Upgrade postcss 8.5.8 → 8.5.13 (fixes XSS via unescaped </style>)
- Upgrade @adonisjs/core 7.0.1 → 7.3.2 (pulls @adonisjs/http-server
  with open redirect fix)
- Override lodash-es to 4.18.1 (fixes code injection via _.template
  and prototype pollution via _.unset/_.omit). The vulnerable 4.17.23
  is pinned by chevrotain@11 (transitive of prettier-plugin-edgejs);
  no upstream fix available yet.
@tp-abtion force-pushed the fix/security-advisories-2026-05-04 branch from 38a6383 to 1eaee81 on May 4, 2026 14:25
@tp-abtion merged commit c1145f5 into main on May 4, 2026
7 checks passed
@tp-abtion deleted the fix/security-advisories-2026-05-04 branch on May 4, 2026 14:26