mirror of
https://github.com/photoprism/photoprism.git
synced 2026-07-17 16:49:04 +00:00
Frontend: Retire redundant minimatch override
The "minimatch@~3.0": "^3.1.3" override was added on 2026-04-27 to
force-patch the ReDoS chain when postcss-url's locked minimatch@3.0.8
was the active vulnerability. With postcss-url removed, no consumer
in the tree pins to ~3.0.x anymore — every remaining minimatch
request (^3.0.4 from babel-plugin-istanbul/test-exclude and
eslint-plugin-node, ^3.1.5 from the eslint family, ^9.0.4 / ^10.1.1
from modern tooling) resolves naturally to a patched version.
Verification: removing the override leaves the lockfile byte-identical
("up to date in 932ms"), npm audit reports zero vulnerabilities, and
all installed minimatch versions are 3.1.5 / 5.1.x / 9.0.9 / 10.2.5
(no <3.1.4 entry). Build and 1055 vitest tests pass.
This commit is contained in:
parent
4410269cc2
commit
eb49c285d7
3 changed files with 3 additions and 6 deletions
|
|
@ -40,10 +40,9 @@ Other frontend documentation lives next to this file:
|
|||
|
||||
`frontend/package.json` and root `package.json` declare matching `overrides`. Mirroring them keeps the npm workspace lockfile resolution consistent.
|
||||
|
||||
| Override | Reason |
|
||||
|------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `"minimatch@~3.0": "^3.1.3"` | Forces transitive `minimatch` resolutions onto the patched 3.1.x line. Defends against the ReDoS chain (`GHSA-3ppc-4f35-3m26`, `GHSA-7r86-cg39-jmmj`, `GHSA-23c5-xmqv-rm74`). |
|
||||
| `"serialize-javascript": "^7.0.5"` | Closes the `workbox-build` → `@rollup/plugin-terser` → `serialize-javascript` RCE advisory (`GHSA-5c6j-r48x-rmvq`, `GHSA-qj8w-gfj5-8c6v`). |
|
||||
| Override | Reason |
|
||||
|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `"serialize-javascript": "^7.0.5"` | Closes the `workbox-build` → `@rollup/plugin-terser` → `serialize-javascript` RCE advisory (`GHSA-5c6j-r48x-rmvq`, `GHSA-qj8w-gfj5-8c6v`). |
|
||||
|
||||
When an upstream advisory is fully resolved, retire the override and rerun `make audit` plus a focused build/test pass before committing the cleanup.
|
||||
|
||||
|
|
|
|||
|
|
@ -137,7 +137,6 @@
|
|||
"yarn": "please use npm"
|
||||
},
|
||||
"overrides": {
|
||||
"minimatch@~3.0": "^3.1.3",
|
||||
"serialize-javascript": "^7.0.5"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
"name": "photoprism",
|
||||
"private": true,
|
||||
"overrides": {
|
||||
"minimatch@~3.0": "^3.1.3",
|
||||
"serialize-javascript": "^7.0.5"
|
||||
},
|
||||
"workspaces": [
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue