Commit b03bde0

deps: Add lodash-es override to fix prototype pollution vulnerability
Override lodash-es to >=4.17.23 to fix GHSA-xxjr-mmjv-4gpg (prototype pollution in _.unset and _.omit functions). The vulnerability was in transitive dependencies from mermaid's dependency chain (chevrotain, dagre-d3-es). pnpm audit now reports: No known vulnerabilities found
1 parent 884de7b commit b03bde0

2 files changed

+6
-9
lines changed

app/package.json

Lines changed: 2 additions & 1 deletion
@@ -768,7 +768,8 @@
768768
],
769769
"overrides": {
770770
"@types/react": "19.2.10",
771-
"@types/react-dom": "19.2.3"
771+
"@types/react-dom": "19.2.3",
772+
"lodash-es": ">=4.17.23"
772773
}
773774
}
774775
}
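
Review bot: the added override `"lodash-es": ">=4.17.23"` has no upper bound, so any later major release of lodash-es would also satisfy it and be forced onto every package in the tree, including the transitive consumers named in the commit message. A bounded range such as `"lodash-es": "^4.17.23"` keeps the fix while staying on the 4.x line. The app/pnpm-lock.yaml diff is not rendered here, so it is also worth confirming that the version it resolves is 4.17.23 or later.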

app/pnpm-lock.yaml

Lines changed: 4 additions & 8 deletions
Some generated files are not rendered by default.
