Skip to content

修复前端依赖高危漏洞:锁定 flatted / lodash-es 到安全版本#620

Merged
xerrors merged 2 commits intomainfrom
copilot/fix-critical-high-cves
Apr 7, 2026
Merged

修复前端依赖高危漏洞:锁定 flatted / lodash-es 到安全版本#620
xerrors merged 2 commits intomainfrom
copilot/fix-critical-high-cves

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 7, 2026
edited
Loading

DriftGuard 扫描在 npm 依赖图中发现 3 个 critical/high 级别漏洞,集中在 flatted@3.3.4lodash-es@4.17.23。本 PR 通过最小范围的依赖约束与锁文件更新,消除对应风险版本。

  • 依赖约束(web/package.json)

    • 新增 pnpm.overrides,统一约束传递依赖版本:
      • flatted: 3.4.2
      • lodash-es: 4.18.1

  • 锁文件收敛(web/pnpm-lock.yaml)

    • 更新 lockfile 中上述包的解析结果,移除漏洞版本并固定到安全版本。
    • 在 lockfile 顶层记录 overrides,确保后续安装持续生效。

  • 文档记录(docs/develop-guides/roadmap.md)

    • 补充 0.6.1 版本记录,注明本次依赖安全修复内容。

示例变更:

{
  "pnpm": {
    "overrides": {
      "flatted": "3.4.2",
      "lodash-es": "4.18.1"
    }
  }
}

Copilot AI changed the title [WIP] Fix critical/high CVEs found in dependencies 修复前端依赖高危漏洞:锁定 flatted / lodash-es 到安全版本 Apr 7, 2026
Copilot AI requested a review from xerrors April 7, 2026 09:22
@xerrors xerrors marked this pull request as ready for review April 7, 2026 09:46
Copilot AI review requested due to automatic review settings April 7, 2026 09:46
@xerrors xerrors merged commit aeaefc1 into main Apr 7, 2026
2 checks passed
@xerrors xerrors deleted the copilot/fix-critical-high-cves branch April 7, 2026 09:46
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

本 PR 通过最小范围的依赖约束与 lockfile 更新,修复前端 npm 依赖图中由 flattedlodash-es 引发的高危安全告警,确保后续安装持续使用安全版本。

Changes:

  • web/package.json 增加 pnpm.overrides,强制约束传递依赖 flatted@3.4.2lodash-es@4.18.1
  • 更新 web/pnpm-lock.yaml:写入顶层 overrides,并将解析结果收敛到上述安全版本(移除旧版本条目)
  • docs/develop-guides/roadmap.md 的 0.6.1 记录中补充本次安全修复说明

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
web/package.json 新增 pnpm.overrides,对传递依赖进行安全版本锁定
web/pnpm-lock.yaml 同步 lockfile:记录 overrides 并将解析结果更新到安全版本
docs/develop-guides/roadmap.md 记录 0.6.1 版本的依赖安全修复内容
Files not reviewed (1)
  • web/pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@xerrors xerrors xerrors approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@xerrors xerrors

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xerrors