Skip to content

Commit c9b8d66

Browse files
fix(security): add npm override for lodash >= 4.17.24 to fix HIGH CVEs
Adds lodash >= 4.17.24 override in package.json to resolve two CVEs (HIGH code injection via _.template, MODERATE prototype pollution via _.unset/_.omit) in transitive dependencies swagger-ui-react and @antv/g6. All lodash instances now resolve to 4.18.1. npm audit reports 0 vulnerabilities. Co-Authored-By: Paperclip <noreply@paperclip.ing>
1 parent b4d03ea commit c9b8d66

2 files changed

Lines changed: 5 additions & 4 deletions

File tree

src/main/frontend/package-lock.json

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

src/main/frontend/package.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,8 @@
3333
"tailwindcss-animate": "^1.0.7"
3434
},
3535
"overrides": {
36-
"dompurify": "^3.3.3"
36+
"dompurify": "^3.3.3",
37+
"lodash": ">=4.17.24"
3738
},
3839
"devDependencies": {
3940
"@axe-core/playwright": "^4.10.1",

0 commit comments

Comments
 (0)