Add npm overrides for vulnerable transitive packages#366
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Hiiii, @arpitjain099 welcome!🎊 Thanks for taking the effort to make our project better! 🙌 Keep making such awesome contributions!
28dca36 to 9fc3548
Hi @tuhaihe, gentle ping on this. PR has been open for 4 days without review. I noticed you've been on the recent-merger side of recent merges in this repo. When you have a moment, would you mind giving it a quick look? No urgency. Happy to address any feedback.

NP. Let me review it later. Thanks again!
Friendly ping in case this slipped off the queue. Happy to rebase if needed. |
Summary

- `overrides` for two vulnerable transitive dependencies:
  - `serialize-javascript` -> `7.0.5`
  - `path-to-regexp` -> `1.9.0`
- `package-lock.json` updated accordingly.

Why

Dependabot currently reports high-severity advisories for these transitive packages. This keeps the existing direct dependency set while forcing patched versions in the dependency tree.

Validation

- `npm install`
- `npm run build`
- `npm audit --json` now reports a reduced high-severity count in this environment (from 18 to 12).
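Added example, not part of this PR or the project's own code: an `overrides` entry only changes what the tree resolves to once `npm install` regenerates `package-lock.json`, so the check a reviewer wants is that every copy of each overridden package in the lock file, including nested copies under other packages' `node_modules`, ended up on the pinned version. The script below walks a lockfile v2/v3 `packages` map and reports any copy that did not. The lock file it reads is constructed here (the app name and the packages `some-router` and `@scope/unrelated` are placeholders); the two pins are the ones from this PR.

```python
import json
from typing import Dict, List, Tuple

# Override pins from the PR: package name -> version the tree must resolve to.
OVERRIDES: Dict[str, str] = {
    "serialize-javascript": "7.0.5",
    "path-to-regexp": "1.9.0",
}

# Constructed sample package-lock.json (lockfileVersion 3 layout), NOT the
# project's real lock file. One nested copy of path-to-regexp still resolves
# to an unpatched version, which is exactly what the check should flag.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/serialize-javascript": {"version": "7.0.5"},
        "node_modules/path-to-regexp": {"version": "1.9.0"},
        "node_modules/some-router/node_modules/path-to-regexp": {"version": "1.8.0"},
        "node_modules/@scope/unrelated": {"version": "2.1.0"},
    },
})


def package_name_from_path(path: str) -> str:
    """Package name for a lock-file path, keeping scoped names intact:
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_override_violations(lock_json: str,
                             overrides: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (lock path, resolved version) for every copy of an overridden
    package whose resolved version differs from the pin."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 2 or 3 required: v1 has no 'packages' map")
    violations: List[Tuple[str, str]] = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, never a dependency
        expected = overrides.get(package_name_from_path(path))
        if expected is not None and entry.get("version") != expected:
            violations.append((path, entry.get("version", "<missing>")))
    return violations


def overrides_block(overrides: Dict[str, str]) -> str:
    """Render the package.json 'overrides' fragment for the given pins."""
    return json.dumps({"overrides": overrides}, indent=2)


if __name__ == "__main__":
    print(overrides_block(OVERRIDES))
    for path, version in find_override_violations(SAMPLE_LOCK, OVERRIDES):
        expected = OVERRIDES[package_name_from_path(path)]
        print(f"{path}: resolved {version}, expected {expected}")
```

On a real checkout, `npm ls serialize-javascript` and `npm ls path-to-regexp` list every resolved copy of each package and are a quick manual cross-check of the same thing; the script is useful when you want the check to fail CI rather than be read by eye.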