fix(deps): resolve all Dependabot security alerts#231
Conversation
Update dependency resolutions and overrides to fix 20+ open Dependabot alerts across the workspace and test projects: - lodash/lodash-es: 4.17.23 → 4.18.1 (code injection + prototype pollution) - handlebars: 4.7.8 → 4.7.9 (critical JS injection via AST type confusion) - basic-ftp: 5.2.0 → 5.3.0 (CRLF injection) - brace-expansion: 1.1.12 → 1.1.14 (process hang via zero-step sequence) - @xmldom/xmldom: 0.8.11 → 0.9.9 (XML injection via CDATA) - node-forge: 1.3.3 → 1.4.0 (signature forgery + DoS) - yaml: → 2.8.3 (stack overflow via deep collections) - picomatch: → 4.0.4 (method injection in POSIX classes) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
| Filename | Overview |
|---|---|
| package.json | Adds yarn resolutions for basic-ftp, brace-expansion, handlebars; bumps lodash/lodash-es floor from 4.17.23 to 4.18.0. The basic-ftp lower bound (>=5.2.2) is below the reported patched version (5.3.0). |
| test-projects/expo-purchasely-test/package.json | Adds overrides for @xmldom/xmldom, brace-expansion, node-forge, yaml. The @xmldom/xmldom lower bound (>=0.8.12) is below the patched version (0.9.9), and picomatch (listed as fixed in the PR) has no override entry. |
| test-projects/rn-purchasely-test/package.json | Adds brace-expansion override (~1.1.13) and bumps lodash floor to >=4.18.0; constraints and resolved versions are aligned. |
| yarn.lock | Regenerated lock entries for basic-ftp (5.3.0), brace-expansion (1.1.14), handlebars (4.7.9), lodash/lodash-es (4.18.1); all patched versions correctly resolved. |
| test-projects/expo-purchasely-test/package-lock.json | Regenerated with @xmldom/xmldom@0.9.9, node-forge@1.4.0, yaml@2.8.3 — all patched versions confirmed. npm audit shows 0 vulnerabilities. |
| test-projects/rn-purchasely-test/package-lock.json | Regenerated with brace-expansion 1.1.14 and lodash 4.18.x; npm audit shows 0 vulnerabilities. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Dependabot Security Alerts] --> B{Manifest Type}
B --> C[Yarn Root resolutions]
B --> D[npm overrides in test-projects]
C --> C1["basic-ftp >=5.2.2 → 5.3.0 ✅"]
C --> C2["brace-expansion ~1.1.13 → 1.1.14 ✅"]
C --> C3["handlebars >=4.7.9 → 4.7.9 ✅"]
C --> C4["lodash/lodash-es >=4.18.0 → 4.18.1 ✅"]
D --> E[expo-purchasely-test overrides]
D --> F[rn-purchasely-test overrides]
E --> E1["xmldom >=0.8.12 → 0.9.9 ✅"]
E --> E2["node-forge >=1.4.0 → 1.4.0 ✅"]
E --> E3["yaml >=2.8.3 ✅"]
E --> E4["picomatch — no override, transitive only ⚠️"]
F --> F1["brace-expansion ~1.1.13 ✅"]
F --> F2["lodash >=4.18.0 ✅"]
Prompt To Fix All With AI
This is a comment left during a code review.
Path: test-projects/expo-purchasely-test/package.json
Line: 28
Comment:
**`@xmldom/xmldom` lower bound is below the patched version**
The PR's own vulnerability table says the patched release is `0.9.9`, yet the override floor is `>=0.8.12`. Versions between `0.8.12` and `0.9.8` (if ever published) would satisfy the constraint but could still be vulnerable. The lock file currently resolves to `0.9.9`, so there is no immediate risk, but the constraint doesn't enforce the minimum safe version semantically.
```suggestion
"@xmldom/xmldom": ">=0.9.9",
```
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: package.json
Line: 30
Comment:
**`basic-ftp` resolution floor is below the reported patched version**
The PR describes the patched version as `5.3.0`, but the resolution is set to `>=5.2.2`. Any hypothetical `5.2.x` release between `5.2.2` and `5.3.0` would satisfy the constraint without carrying the fix. The yarn.lock currently resolves to `5.3.0`, so there is no immediate exposure, but aligning the floor with the actual fix boundary is cleaner.
```suggestion
"basic-ftp": ">=5.3.0",
```
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: test-projects/expo-purchasely-test/package.json
Line: 26-37
Comment:
**`picomatch` listed as fixed but has no explicit override**
The PR's vulnerability table lists `picomatch <4.0.4` as a medium-severity issue fixed in expo-test, but no `picomatch` entry was added to `overrides`. The lock file currently resolves `4.0.4` because a transitive dependency bumped its peer requirement, but this is fragile — a future `npm install` that resolves picomatch from a different dependency tree could bring back a version below `4.0.4` without any constraint to catch it.
Consider adding:
```json
"picomatch": ">=4.0.4"
```
How can I resolve this? If you propose a fix, please make it concise.Reviews (1): Last reviewed commit: "fix(deps): resolve all Dependabot securi..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| "private": true, | ||
| "overrides": { | ||
| "@isaacs/brace-expansion": ">=5.0.1", | ||
| "@xmldom/xmldom": ">=0.8.12", |
There was a problem hiding this comment.
@xmldom/xmldom lower bound is below the patched version
The PR's own vulnerability table says the patched release is 0.9.9, yet the override floor is >=0.8.12. Versions between 0.8.12 and 0.9.8 (if ever published) would satisfy the constraint but could still be vulnerable. The lock file currently resolves to 0.9.9, so there is no immediate risk, but the constraint doesn't enforce the minimum safe version semantically.
| "@xmldom/xmldom": ">=0.8.12", | |
| "@xmldom/xmldom": ">=0.9.9", |
Prompt To Fix With AI
This is a comment left during a code review.
Path: test-projects/expo-purchasely-test/package.json
Line: 28
Comment:
**`@xmldom/xmldom` lower bound is below the patched version**
The PR's own vulnerability table says the patched release is `0.9.9`, yet the override floor is `>=0.8.12`. Versions between `0.8.12` and `0.9.8` (if ever published) would satisfy the constraint but could still be vulnerable. The lock file currently resolves to `0.9.9`, so there is no immediate risk, but the constraint doesn't enforce the minimum safe version semantically.
```suggestion
"@xmldom/xmldom": ">=0.9.9",
```
How can I resolve this? If you propose a fix, please make it concise.
| "resolutions": { | ||
| "@types/react": "^18.2.12", | ||
| "@types/react-native": "^0.70.14", | ||
| "basic-ftp": ">=5.2.2", |
There was a problem hiding this comment.
basic-ftp resolution floor is below the reported patched version
The PR describes the patched version as 5.3.0, but the resolution is set to >=5.2.2. Any hypothetical 5.2.x release between 5.2.2 and 5.3.0 would satisfy the constraint without carrying the fix. The yarn.lock currently resolves to 5.3.0, so there is no immediate exposure, but aligning the floor with the actual fix boundary is cleaner.
| "basic-ftp": ">=5.2.2", | |
| "basic-ftp": ">=5.3.0", |
Prompt To Fix With AI
This is a comment left during a code review.
Path: package.json
Line: 30
Comment:
**`basic-ftp` resolution floor is below the reported patched version**
The PR describes the patched version as `5.3.0`, but the resolution is set to `>=5.2.2`. Any hypothetical `5.2.x` release between `5.2.2` and `5.3.0` would satisfy the constraint without carrying the fix. The yarn.lock currently resolves to `5.3.0`, so there is no immediate exposure, but aligning the floor with the actual fix boundary is cleaner.
```suggestion
"basic-ftp": ">=5.3.0",
```
How can I resolve this? If you propose a fix, please make it concise.| "overrides": { | ||
| "@isaacs/brace-expansion": ">=5.0.1", | ||
| "@xmldom/xmldom": ">=0.8.12", | ||
| "brace-expansion": "~1.1.13", | ||
| "fast-xml-parser": ">=4.5.4", | ||
| "flatted": ">=3.3.4", | ||
| "minimatch": ">=3.1.3", | ||
| "node-forge": ">=1.4.0", | ||
| "tar": ">=7.5.10", | ||
| "undici": ">=6.24.0" | ||
| "undici": ">=6.24.0", | ||
| "yaml": ">=2.8.3" | ||
| } |
There was a problem hiding this comment.
picomatch listed as fixed but has no explicit override
The PR's vulnerability table lists picomatch <4.0.4 as a medium-severity issue fixed in expo-test, but no picomatch entry was added to overrides. The lock file currently resolves 4.0.4 because a transitive dependency bumped its peer requirement, but this is fragile — a future npm install that resolves picomatch from a different dependency tree could bring back a version below 4.0.4 without any constraint to catch it.
Consider adding:
"picomatch": ">=4.0.4"Prompt To Fix With AI
This is a comment left during a code review.
Path: test-projects/expo-purchasely-test/package.json
Line: 26-37
Comment:
**`picomatch` listed as fixed but has no explicit override**
The PR's vulnerability table lists `picomatch <4.0.4` as a medium-severity issue fixed in expo-test, but no `picomatch` entry was added to `overrides`. The lock file currently resolves `4.0.4` because a transitive dependency bumped its peer requirement, but this is fragile — a future `npm install` that resolves picomatch from a different dependency tree could bring back a version below `4.0.4` without any constraint to catch it.
Consider adding:
```json
"picomatch": ">=4.0.4"
```
How can I resolve this? If you propose a fix, please make it concise.
## Summary - resolve the 6 remaining Dependabot alerts in a single branch/PR - bump the root Yarn resolutions for `flatted` and `picomatch` so `yarn.lock` resolves to patched versions - remove the direct `activesupport` declaration from `example/Gemfile` so the example no longer advertises the vulnerable dependency directly ## Root cause The repository already fixed the earlier JavaScript advisories in PR #231, but GitHub still reported 6 open alerts: - `flatted` in `yarn.lock` - `picomatch` in `yarn.lock` (2 advisories on the same vulnerable resolution) - `activesupport` in `example/Gemfile` (3 advisories on the direct gem declaration) ## Changes - `package.json` - raise `flatted` resolution from `>=3.3.4` to `>=3.4.2` - add explicit Yarn resolutions for `picomatch@npm:^4.0.2` and `picomatch@npm:^4.0.3` to `4.0.4` - `yarn.lock` - resolve `flatted` to `3.4.2` - resolve the vulnerable `picomatch` entry to `4.0.4` - `example/Gemfile` - remove the direct `activesupport` gem declaration - keep the explicit `cocoapods`, `xcodeproj`, and `concurrent-ruby` constraints ## Validation - `corepack yarn test --maxWorkers=2` - `corepack yarn typecheck` - `corepack yarn lint` - completed with existing warnings from the untracked local `packages/purchasely/coverage/` directory, not from the changed files ## Notes - `gh auth status` succeeds outside the sandbox via the macOS keyring. The earlier failure came from running `gh` inside the sandboxed environment, not from a broken GitHub login.
2 participants
Summary
npm audit)Vulnerabilities Fixed
Changes
package.json— Added/updated yarn resolutions:basic-ftp,brace-expansion,handlebars,lodash,lodash-esyarn.lock— Regenerated with patched versionstest-projects/rn-purchasely-test/package.json— Added overrides forbrace-expansion, updatedlodashtest-projects/rn-purchasely-test/package-lock.json— Regenerated (0 vulns)test-projects/expo-purchasely-test/package.json— Added overrides for@xmldom/xmldom,node-forge,yaml,brace-expansiontest-projects/expo-purchasely-test/package-lock.json— Regenerated (0 vulns)Test plan
yarn test— 139 tests passed, 0 failuresyarn lint— 0 errorsyarn typecheck— passesnpm auditon rn-purchasely-test — 0 vulnerabilitiesnpm auditon expo-purchasely-test — 0 vulnerabilities🤖 Generated with Claude Code