Tracking the remaining high-severity audit finding after the npm-overrides sweep in commit 27a08f4. expr-eval@2.0.2 is a dev-only benchmark tool (GHSA-whgm-jr23-g3j9). Not in dist/ or lib/; exploitation requires attacker-controlled input we don't expose. safe-expr-eval drop-in is a single-maintainer 4-month-old package — swapping is worse supply-chain posture. Options: (1) remove benchmark, (2) fork expr-eval locally, (3) re-evaluate safe-expr-eval when maintainership matures.