
fix: resolve high-severity Dependabot alerts #1021

Open: sarayev wants to merge 3 commits into main from fix/high-dependabot-alerts

fix: resolve high-severity Dependabot alerts#1021
sarayev wants to merge 3 commits into
mainfrom
fix/high-dependabot-alerts

Conversation

@sarayev sarayev (Contributor) commented Apr 13, 2026

Summary

Fixes 6 high-severity Dependabot alerts by adding/updating yarn resolutions:

  • lodash (code injection via _.template) → resolution ^4.18.0
  • lodash-es (code injection) → resolution ^4.18.0
  • basic-ftp (CRLF/FTP command injection) → resolution >=5.2.2
  • picomatch (ReDoS via extglob) → resolution ^2.3.2
  • tar (symlink path traversal) → resolution ^7.5.11
  • fast-xml-parser (entity expansion bypass) → resolutions updated for v4 and v5

No conflicts with PR #1019 (critical fixes) or PR #1020 (e2e/cleanup fixes).

Validation

  • yarn.lock updated
  • dependency_licenses.txt regenerated
  • No packageManager field changes

@sarayev sarayev requested review from a team as code owners April 13, 2026 21:41
Comment thread package.json
Comment on lines +158 to +159
"picomatch": "^2.3.2",
"basic-ftp": ">=5.2.2"
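Review bot: `">=5.2.2"` for basic-ftp has no upper bound, unlike the caret range on the line above it (`"picomatch": "^2.3.2"`), so any future major release of basic-ftp would also satisfy this resolution and be picked up on the next lockfile refresh; consider `"^5.2.2"` so the override applies the patched floor while staying within the 5.x line.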

Having these overrides could still result in these packages being brought into the consumer repo, because the override only takes effect for this repo, not in the consumer repo. We should avoid adding overrides; instead, update the direct dependencies that bring in these vulnerable package versions, if possible.

@sarayev sarayev (Contributor, Author) replied:

The direct dependencies do not have a version that fixes those vulnerabilities. In addition, most of these updated dependencies are dev dependencies anyway.

sarayev added 3 commits April 14, 2026 12:28
Fixes the following Dependabot HIGH severity alerts:
- #175: lodash Code Injection via _.template (bumped to ^4.18.0)
- #170: lodash-es Code Injection via _.template (added resolution ^4.18.0)
- #177: basic-ftp CRLF Injection (added resolution >=5.2.2)
- #172: basic-ftp FTP Command Injection via CRLF (added resolution >=5.2.2)
- #152: picomatch ReDoS via extglob quantifiers (added resolution ^2.3.2)

Also fixes additional HIGH vulnerabilities from yarn audit:
- tar: Symlink Path Traversal (bumped to ^7.5.11)
- fast-xml-parser v4: Entity Expansion bypass (bumped to ^4.5.5)
- fast-xml-parser v5: Entity Expansion bypass (bumped to 5.5.12)

Resolved versions:
- lodash: 4.17.23 -> 4.18.1
- lodash-es: 4.17.23 -> 4.18.1
- picomatch: 2.3.1 -> 2.3.2
- basic-ftp: 5.2.0 -> 5.2.2
- tar: 7.5.8 -> 7.5.13
- fast-xml-parser (v4): 4.4.1 -> 4.5.6
- fast-xml-parser (v5): 5.3.8 -> 5.5.12
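As an added check (not part of this PR or the project's own tooling), the script below verifies the "yarn.lock updated" claim mechanically: it parses a yarn.lock v1 file and reports any resolved version that still falls outside the `resolutions` range declared in package.json. It only covers the `^x.y.z` and `>=x.y.z` forms used in this PR, and it confirms the floor for this repository's own lockfile only, which is the limitation the reviewer raises above: resolutions do not carry over to a consumer's install. The lock excerpt is constructed for the example; the version numbers come from this PR's resolutions and commit message.

```javascript
// Constructed inputs (not copied from the repo): this PR's resolutions and a yarn.lock v1 excerpt.
const resolutions = { lodash: "^4.18.0", "lodash-es": "^4.18.0",
  "basic-ftp": ">=5.2.2", picomatch: "^2.3.2", tar: "^7.5.11" };
const yarnLock = `
lodash@^4.17.21, lodash@^4.18.0:
  version "4.18.1"
"@scope/pkg@^1.0.0":
  version "1.0.3"
picomatch@^2.3.1:
  version "2.3.1"
tar@^7.5.11:
  version "7.5.13"
`;

// name -> Set of resolved versions. Headers hold comma-separated "name@range" specs (quoted if scoped).
function parseYarnLock(text) {
  const locked = {};
  let names = [];
  for (const line of text.split("\n")) {
    if (!/^\s/.test(line) && line.endsWith(":")) {
      names = line.slice(0, -1).split(", ").map((s) => s.replace(/^"|"$/g, ""))
        .map((spec) => spec.slice(0, spec.lastIndexOf("@")));
    } else {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) for (const n of names) (locked[n] = locked[n] || new Set()).add(m[1]);
    }
  }
  return locked;
}

const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Minimal semver check for the two range forms this PR uses: ^x.y.z and >=x.y.z.
function satisfies(version, range) {
  const m = range.match(/^(\^|>=)(\d+)\.(\d+)\.(\d+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const v = version.split(".").map(Number), floor = m.slice(2).map(Number);
  if (cmp(v, floor) < 0) return false;
  if (m[1] === ">=") return true; // open-ended: any later major also passes
  return floor[0] > 0 ? v[0] === floor[0] : v[1] === floor[1]; // caret semantics
}

// List every locked version still outside its resolution range (this repo's lockfile only).
function checkResolutions(lockText, res) {
  const locked = parseYarnLock(lockText), violations = [];
  for (const [name, range] of Object.entries(res))
    for (const v of locked[name] || [])
      if (!satisfies(v, range)) violations.push(`${name}@${v} does not satisfy ${range}`);
  return violations;
}
```

Run against the real lockfile by reading package.json's `resolutions` and the yarn.lock text with `fs.readFileSync`; an empty array means every pinned floor is honoured in this repo.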
