
Commit 57a048d

chore(deps): Bump Lerna to v9 (#19244)
- Bumps `lerna` from 8.2.4 to 9.0.3 to resolve [CVE-2025-64718](GHSA-mh29-5h37-fv8m) (medium severity prototype pollution in `js-yaml`)
- `lerna@8.2.4` pulled in `js-yaml@4.1.0` (vulnerable); `lerna@9.0.3` depends on `js-yaml@4.1.1` (patched)
- Lerna 9 drops support for Node <18.18.0. This doesn't affect us — lerna runs in the root workspace context using Volta's pinned Node 20.19.2. The `engines: >=18` fields in dev-packages are runtime compatibility declarations, not what CI uses to run lerna.

Resolves https://github.com/getsentry/sentry-javascript/security/dependabot/789
1 parent d39907b commit 57a048d

2 files changed

+1170
-614
lines changed

package.json

Lines changed: 1 addition & 1 deletion
@@ -125,7 +125,7 @@
125125
"es-check": "^7.2.1",
126126
"eslint": "8.57.0",
127127
"jsdom": "^21.1.2",
128-
"lerna": "8.2.4",
128+
"lerna": "9.0.3",
129129
"madge": "8.0.0",
130130
"nodemon": "^3.1.10",
131131
"npm-run-all2": "^6.2.0",
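Review bot: the one-line version swap in this hunk is the only change visible on the page, yet the header counts +1170/-614 across 2 files, so nearly all of the churn sits in the second, unshown file (presumably the lockfile). Because the commit message attributes the fix solely to the `js-yaml` path pulled in via `lerna`, it is worth confirming in that file that no other dependency still resolves `js-yaml@4.1.0` (for example by running `yarn why js-yaml` after install) before treating the advisory as closed. The exact, caret-free pin `"lerna": "9.0.3"` matches the surrounding exact pins (`eslint`, `madge`) and needs no change.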
