From 7d7fdaab8e34d67f495c923f53c8ee2dfe3ad21b Mon Sep 17 00:00:00 2001
From: phantom-autopilot <273411261+phantom-autopilot@users.noreply.github.com>
Date: Tue, 5 May 2026 22:23:16 +0000
Subject: [PATCH] chore(SEC-10598): upgrade underscore to 1.13.8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves GHSA-qpx9-hpmf-5gmw / CVE-2026-27601 — underscore <=1.13.7 allows unlimited recursion in _.flatten and _.isEqual (DoS).
---
 .changeset/sec-10598-underscore-1-13-8.md | 5 +++++
 package.json | 2 +-
 pnpm-lock.yaml | 14 +++++++-------
 yarn.lock | 10 +++++-----
 4 files changed, 18 insertions(+), 13 deletions(-)
 create mode 100644 .changeset/sec-10598-underscore-1-13-8.md
diff --git a/.changeset/sec-10598-underscore-1-13-8.md b/.changeset/sec-10598-underscore-1-13-8.md
new file mode 100644
index 000000000..e57723b09
--- /dev/null
+++ b/.changeset/sec-10598-underscore-1-13-8.md
@@ -0,0 +1,5 @@
+---
+'@phantom/synpress': patch
+---
+
+chore(SEC-10598): upgrade underscore to 1.13.8 (GHSA-qpx9-hpmf-5gmw)
diff --git a/package.json b/package.json
index ae8e3a3cf..49efada63 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,7 @@
 "find-config": "^1.0.0",
 "get-port": "^7.0.0",
 "node-fetch": "^2.6.1",
- "underscore": "^1.13.6",
+ "underscore": "^1.13.8",
 "unzip-crx-3": "^0.2.0",
 "viem": "^1.6.0",
 "wait-on": "^7.0.1"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 686e5712f..4c8aa14eb 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -99,8 +99,8 @@ dependencies: specifier: ^2.6.1 version: 2.6.9 underscore: - specifier: ^1.13.6 - version: 1.13.6 + specifier: ^1.13.8 + version: 1.13.8 unzip-crx-3: specifier: ^0.2.0 version: 0.2.0
@@ -201,8 +201,8 @@ dependencies: specifier: ^2.6.1 version: 2.6.9 underscore: - specifier: ^1.13.6 - version: 1.13.6 + specifier: ^1.13.8 + version: 1.13.8 viem: specifier: ^1.6.0 version: 1.6.0(typescript@5.0.4)
@@ -5514,8 +5514,8 @@ packages: unbzip2-stream@1.4.3: resolution: {integrity: sha512-mlExGW4w71ebDJviH16lQLtZS32VKqsSfk80GCfUlwT/4/hNRFsoscrF/c++9xinkMzECL1uL9DDwXqFWkruPg==} - underscore@1.13.6: - resolution: {integrity: sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==} + underscore@1.13.8: + resolution: {integrity: sha512-DXtD3ZtEQzc7M8m4cXotyHR+FAS18C64asBYY5vqZexfYryNNnDc02W4hKg3rdQuqOYas1jkseX0+nZXjTXnvQ==} unicode-canonical-property-names-ecmascript@2.0.0: resolution: {integrity: sha512-yY5PpDlfVIU5+y/BSCxAJRBIS1Zc2dDG3Ujq+sR0U+JjUevW2JhocOF+soROYDSaAezOzOKuyyixhD6mBknSmQ==} @@ -12065,7 +12065,7 @@ snapshots: buffer: 5.7.1 through: 2.3.8 - underscore@1.13.6: {} + underscore@1.13.8: {} unicode-canonical-property-names-ecmascript@2.0.0: {} diff --git a/yarn.lock b/yarn.lock index 4a17feae2..44a85d16e 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1218,7 +1218,7 @@ __metadata: serve: "npm:^14.2.0" start-server-and-test: "npm:^2.0.0" turbo: "npm:^1.10.12" - underscore: "npm:^1.13.6" + underscore: "npm:^1.13.8" unzip-crx-3: "npm:^0.2.0" viem: "npm:^1.6.0" wait-on: "npm:^7.0.1" @@ -12214,10 +12214,10 @@ __metadata: languageName: node linkType: hard -"underscore@npm:^1.13.6": - version: 1.13.7 - resolution: "underscore@npm:1.13.7" - checksum: 10c0/fad2b4aac48847674aaf3c30558f383399d4fdafad6dd02dd60e4e1b8103b52c5a9e5937e0cc05dacfd26d6a0132ed0410ab4258241240757e4a4424507471cd +"underscore@npm:^1.13.8": + version: 1.13.8 + resolution: "underscore@npm:1.13.8" + checksum: 10c0/6677688daeda30484823e77c0b89ce4dcf29964a77d5a06f37299c007ab4bb1c66a0ff75e0d274620b62a1fe2a6ba29879f8214533ca611d71a1ae504f2bfc9b languageName: node linkType: hard