
Frontend: fix Dependabot security alerts#1347

Merged
gusthoff merged 1 commit into AdaCore:main from gusthoff:topic/infrastructure/yarn/updates/20260424/npm_alerts
Apr 24, 2026

Conversation

@gusthoff Collaborator

lodash, serialize-javascript, minimatch

Add yarn resolutions to force patched versions of three vulnerable transitive dependencies:

  • lodash 4.18.1 (CVE: code injection via _.template imports key names)
  • serialize-javascript 7.0.5 (RCE via RegExp.flags / Date.toISOString)
  • globule/minimatch 3.1.5 (ReDoS in matchOne() with multiple GLOBSTAR segments)

The minimatch resolution is scoped to globule to avoid breaking mocha's glob 10.x and c8's test-exclude which require minimatch 9.x/10.x.

…t, minimatch)

Add yarn resolutions to force patched versions of three vulnerable
transitive dependencies:
- lodash 4.18.1 (CVE: code injection via _.template imports key names)
- serialize-javascript 7.0.5 (RCE via RegExp.flags / Date.toISOString)
- globule/minimatch 3.1.5 (ReDoS in matchOne() with multiple GLOBSTAR segments)

The minimatch resolution is scoped to globule to avoid breaking mocha's
glob 10.x and c8's test-exclude which require minimatch 9.x/10.x.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
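An added illustration (not code from this PR or the AdaCore repository) of why the minimatch pin is keyed as `globule/minimatch` rather than `minimatch`: a yarn resolution key of the form `parent/pkg` applies only to that one dependency edge, whereas a bare `pkg` key rewrites every edge to that package, including ones whose declared range the pinned version cannot satisfy. The dependency edges and caret ranges below are constructed samples, and the matcher is deliberately simplified (no glob patterns such as `**/minimatch`, caret ranges only).

```javascript
// Added example: models how yarn "resolutions" keys select dependency edges,
// and checks whether a pinned version would violate a consumer's declared range.
// EDGES and its ranges are constructed for illustration, not read from yarn.lock.

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};

// Minimal caret-range check: ^X.Y.Z allows >= X.Y.Z with the same major.
// (Sufficient for major >= 1, which is all the constructed ranges use.)
function satisfiesCaret(version, range) {
  const min = parse(range.slice(1));
  const v = parse(version);
  return v[0] === min[0] && cmp(v, min) >= 0;
}

// "parent/pkg" matches only the edge parent -> pkg; a bare "pkg" key
// matches every edge to pkg. The scoped key wins when both are present.
function resolutionFor(resolutions, parent, dep) {
  const scoped = resolutions[`${parent}/${dep}`];
  return scoped !== undefined ? scoped : resolutions[dep];
}

// Constructed dependency edges: [parent, dependency, declared range].
const EDGES = [
  ['globule', 'minimatch', '^3.0.0'],       // the vulnerable consumer being patched
  ['glob', 'minimatch', '^9.0.0'],          // mocha's glob 10.x (sample range)
  ['test-exclude', 'minimatch', '^10.0.0'], // c8's test-exclude (sample range)
];

// Returns "parent/dep" for every edge whose range the applied pin would violate.
function brokenEdges(resolutions, edges = EDGES) {
  const broken = [];
  for (const [parent, dep, range] of edges) {
    const pinned = resolutionFor(resolutions, parent, dep);
    if (pinned !== undefined && !satisfiesCaret(pinned, range)) {
      broken.push(`${parent}/${dep}`);
    }
  }
  return broken;
}

const GLOBAL_PIN = { minimatch: '3.1.5' };            // a blanket pin
const SCOPED_PIN = { 'globule/minimatch': '3.1.5' };  // the approach the PR takes

console.log('blanket pin breaks:', brokenEdges(GLOBAL_PIN));
console.log('scoped pin breaks:', brokenEdges(SCOPED_PIN));
```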
@gusthoff gusthoff merged commit 43323f9 into AdaCore:main Apr 24, 2026
8 checks passed