
Fix HIGH severity Prototype Pollution in flatted (CVE-2026-33228) #86

Merged
haasonsaas merged 1 commit into main from fix/security-vulnerabilities on Apr 2, 2026

Conversation

@haasonsaas (Collaborator)

Summary

  • Fixes Dependabot alert for flatted Prototype Pollution via parse() (CVE-2026-33228, HIGH severity)
  • flatted is a transitive dependency (via flat-cache -> eslint), pinned at 3.4.0 in the lockfile
  • Added an npm overrides entry in web/package.json to enforce flatted >=3.4.2, updating the lockfile from 3.4.0 to 3.4.2

Test plan

  • npm install --package-lock-only succeeds without errors
  • Verified flatted resolves to 3.4.2 in the updated lockfile
  • CI passes (no runtime changes, dev-only transitive dependency)

🤖 Generated with Claude Code

Add npm override to pin flatted >=3.4.2, resolving the Prototype
Pollution via parse() vulnerability. flatted is a transitive dependency
of flat-cache (used by eslint).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@cursor cursor bot commented Apr 2, 2026

PR Summary

Low Risk
Low risk dependency-only change: adds an npm override and updates package-lock.json to force flatted 3.4.2, with no application/runtime code touched.

Overview
Addresses a Dependabot alert by forcing the transitive flatted dependency to resolve to >=3.4.2 via an npm overrides entry in web/package.json.

Updates web/package-lock.json accordingly, bumping flatted from 3.4.0 to 3.4.2 (used via dev tooling such as flat-cache/eslint).

Written by Cursor Bugbot for commit 714f87a.


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Unbounded override range risks future major version breakage
    • Changed the flatted override from >=3.4.2 to ^3.4.2 so fresh installs stay within the compatible 3.x range.


"tailwindcss": "^4.2.1"
},
"overrides": {
"flatted": ">=3.4.2"
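Review bot: the `>=3.4.2` range on the `flatted` override has no upper bound, so a future 4.x release would satisfy it even though the consumer that pulls flatted in (flat-cache, which declares `^3.2.9`) only accepts 3.x; `^3.4.2`, or an explicit `>=3.4.2 <4.0.0`, keeps the override inside the major the rest of the tree was resolved against. It would also help to note, in the PR or a changelog entry, that this override exists only for CVE-2026-33228 so it can be removed once flat-cache itself requires a fixed version; `overrides` entries tend to outlive the advisory that motivated them.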

Unbounded override range risks future major version breakage

Low Severity

The flatted override uses >=3.4.2, an unbounded upper range that would match future major versions (e.g., 4.0.0). The upstream consumer flat-cache declares "flatted": "^3.2.9" (i.e., <4.0.0). A future major version of flatted could be installed that is incompatible with flat-cache, breaking linting. Using ^3.4.2 instead would stay within the semver-compatible range.

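As an added example (not code from this PR, nor from the flatted or flat-cache projects), the following JavaScript does two things the thread above describes in prose: it walks a package-lock.json and reports every resolved copy of a transitive dependency whose version falls outside the override range (the check the test plan performed by hand), and it contrasts the unbounded `>=3.4.2` range with `^3.4.2` as the Bugbot comment explains. The lockfile objects are constructed for the example and are not the project's real web/package-lock.json; the semver subset (exact, `>=`, `^`) is hand-written here rather than taken from the real `semver` package.

```javascript
// Added example, not code from the PR. Verifies that a package-lock.json
// resolves every copy of a transitive dependency to a version inside an
// override range, and compares the ">=3.4.2" range with "^3.4.2".
// Only a small semver subset is implemented: exact versions, ">=", "^".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// ">=X.Y.Z" has no upper bound; "^X.Y.Z" keeps the leftmost non-zero
// component fixed, so "^3.4.2" excludes 4.0.0 while ">=3.4.2" admits it.
function satisfies(version, range) {
  if (range.startsWith(">=")) {
    return compareVersions(version, range.slice(2)) >= 0;
  }
  if (range.startsWith("^")) {
    const base = range.slice(1);
    if (compareVersions(version, base) < 0) return false;
    const b = parseVersion(base);
    const v = parseVersion(version);
    if (b[0] !== 0) return v[0] === b[0];
    if (b[1] !== 0) return v[0] === 0 && v[1] === b[1];
    return v[0] === 0 && v[1] === 0 && v[2] === b[2];
  }
  return compareVersions(version, range) === 0; // exact pin
}

// Lockfile v2/v3 "packages" keys are install paths; every key ending in
// "node_modules/<name>" is a resolved copy of <name>, hoisted or nested.
function findInLockfile(lock, name) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Returns the copies that violate the range; an empty array means the
// override took effect for every copy in the tree.
function checkOverride(lock, name, range) {
  return findInLockfile(lock, name).filter((h) => !satisfies(h.version, range));
}

// Constructed lockfiles for the example (not the project's real lockfile).
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "web", version: "0.0.0" },
    "node_modules/eslint": { version: "9.0.0" },
    "node_modules/flat-cache": { version: "4.0.1" },
    "node_modules/flatted": { version: "3.4.0" },
  },
};
const LOCK_AFTER = {
  ...LOCK_BEFORE,
  packages: { ...LOCK_BEFORE.packages, "node_modules/flatted": { version: "3.4.2" } },
};

console.log("before override:", checkOverride(LOCK_BEFORE, "flatted", ">=3.4.2"));
console.log("after override: ", checkOverride(LOCK_AFTER, "flatted", ">=3.4.2"));
console.log("4.0.0 vs >=3.4.2:", satisfies("4.0.0", ">=3.4.2"));
console.log("4.0.0 vs ^3.4.2: ", satisfies("4.0.0", "^3.4.2"));
```

To run it against a real lockfile, replace the constructed objects with `JSON.parse(fs.readFileSync("web/package-lock.json", "utf8"))`; checking every matching path rather than only the hoisted `node_modules/flatted` entry matters because a nested copy under another package's `node_modules` would otherwise escape the check.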

@haasonsaas haasonsaas merged commit 4e40ad1 into main Apr 2, 2026
14 checks passed