mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-07-17 16:37:43 +00:00
chore(deps): bump lodash from 4.17.23 to 4.18.1 (#7225)
* chore(deps): bump lodash from 4.17.23 to 4.18.1 Cherry-pick from Dependabot PR #7218. Fixes prototype pollution via constructor/prototype path traversal in _.unset/_.omit (GHSA-f23m-r3pf-42rh) and code injection via _.template imports keys (GHSA-r5fr-rjxr-66jc). https://claude.ai/code/session_01NbP8MQuSHm7p4Z4uUCRqeg * chore(deps): fix security vulnerabilities via npm audit fix Updates transitive dependencies to resolve security advisories: - follow-redirects 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653) - path-to-regexp 8.3.0 -> 8.4.2 and 0.1.12 -> 0.1.13 (ReDoS fixes) - picomatch: updated nested copies to 4.0.4 (GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj) - minimatch: updated app-builder-lib override from vulnerable 10.1.1 to 10.2.5 Remaining items blocked on upstream releases: - picomatch 4.0.3 (top-level, needs @angular-devkit update) - undici 7.22.0 (needs @angular/build update) - vite 7.3.1 (needs @angular/build update) - minimatch 10.1.1 in glob (needs glob update) All vulnerabilities are in dev/build tooling only — none affect production. https://claude.ai/code/session_01NbP8MQuSHm7p4Z4uUCRqeg --------- Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
parent
35c9f26a64
commit
c47ab48eb7
3 changed files with 1341 additions and 689 deletions
|
|
@ -282,7 +282,7 @@
|
|||
},
|
||||
"overrides": {
|
||||
"app-builder-lib": {
|
||||
"minimatch": "10.1.1"
|
||||
"minimatch": "10.2.5"
|
||||
}
|
||||
},
|
||||
"optionalDependencies": {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue