From 714f87aa06068080f0e2773924d79ee0678c51c3 Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Wed, 1 Apr 2026 18:28:05 -0700
Subject: [PATCH] Fix HIGH severity Prototype Pollution in flatted (CVE-2026-33228)

Add npm override to pin flatted >=3.4.2, resolving the Prototype Pollution via parse() vulnerability. flatted is a transitive dependency of flat-cache (used by eslint).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 web/package-lock.json | 6 +++---
 web/package.json | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/web/package-lock.json b/web/package-lock.json
index dc7ef25..d70bcf1 100644
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -3867,9 +3867,9 @@
 }
 },
 "node_modules/flatted": {
- "version": "3.4.0",
- "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.0.tgz",
- "integrity": "sha512-kC6Bb+ooptOIvWj5B63EQWkF0FEnNjV2ZNkLMLZRDDduIiWeFF4iKnslwhiWxjAdbg4NzTNo6h0qLuvFrcx+Sw==",
+ "version": "3.4.2",
+ "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+ "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
 "dev": true,
 "license": "ISC"
 },
diff --git a/web/package.json b/web/package.json
index b64e5ce..40d2e75 100644
--- a/web/package.json
+++ b/web/package.json
@@ -34,6 +34,9 @@
 "recharts": "^3.8.0",
 "tailwindcss": "^4.2.1"
 },
+ "overrides": {
+ "flatted": ">=3.4.2"
+ },
 "devDependencies": {
 "@eslint/js": "^9.39.1",
 "@types/node": "^24.10.1",
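Review bot: The new `"overrides"` entry in web/package.json uses an upper-unbounded range, `"flatted": ">=3.4.2"`, so a future lockfile refresh could resolve flatted to a major version that flat-cache was never declared compatible with; flat-cache's own dependency range is not visible in this diff, but a caret range such as `"flatted": "^3.4.2"` keeps the fix while staying within the 3.x line. An override is also a standing resolution rule rather than a one-off bump, and JSON cannot carry a comment explaining why it exists, so the intent (CVE-2026-33228, remove once flat-cache/eslint require a fixed flatted themselves) should live in the commit message or the project's dependency notes. The lockfile hunk records flatted as `"dev": true`, consistent with the message's statement that the exposure is through eslint's flat-cache, which is worth stating as the reason this pin affects only the development toolchain. The enclosing package.json object continues outside the hunk.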