
fix: patch 7 security alerts (high + medium severity)#53

Merged
John Kennedy (jkennedyvz) merged 1 commit into main from fix/security-alerts-2026-04-01 on Apr 1, 2026

Conversation

@jkennedyvz
Contributor

Security Alert Patch

Resolves all 7 open Dependabot security alerts (4 high + 3 medium severity).

Packages Updated

| Package | Old → New | Strategy | Scope | CVEs Resolved |
|---|---|---|---|---|
| flatted | 3.3.3 → 3.4.2 | override | dev-only | CVE-2026-33228 |
| minimatch | 3.1.2 → ≥3.1.4 | override | dev-only | CVE-2026-27903 |
| minimatch | 9.0.5 → 9.0.7 | override | dev-only | CVE-2026-27903 |
| rollup | 4.55.1 → 4.60.1 | override | dev-only | CVE-2026-27606 |
| picomatch | 4.0.2 → 4.0.4 | override | dev-only | CVE-2026-33672 |
| yaml | 2.7.1 → 2.8.3 | lockfile regen | runtime | CVE-2026-33532 |
| ajv | 8.17.1 → 8.18.0 | lockfile regen | runtime | CVE-2025-69873 |

Strategy: override = npm overrides in package.json, lockfile regen = resolved via lockfile regeneration
Scope: dev-only = devDependencies chain only, runtime = ships to end users

CVE Details

  • CVE-2026-33228 (high) — flatted: Prototype Pollution via parse()
  • CVE-2026-27903 (high) — minimatch: ReDoS via multiple non-adjacent GLOBSTAR segments
  • CVE-2026-27606 (high) — rollup: Arbitrary File Write via Path Traversal
  • CVE-2026-33672 (medium) — picomatch: Method Injection in POSIX Character Classes
  • CVE-2026-33532 (medium) — yaml: Stack Overflow via deeply nested YAML collections
  • CVE-2025-69873 (medium) — ajv: ReDoS when using $data option

Linear Tickets

No matching Linear tickets found for the resolved CVEs.

Verification

  • All lockfiles regenerated
  • Typecheck passes
  • Linters pass (pre-existing warnings only)
  • npm audit reports 0 vulnerabilities

🤖 Submitted by langster-patch
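An added check, not part of this PR or its project: a script that walks a package-lock.json and reports any installed copy of the patched packages, including nested copies that an npm override may not have reached, still below the version floors in the table above. The lockfile contents and the `@scope/unrelated` package are constructed for illustration; the floors come from the PR table.

```javascript
// Minimum safe versions from the PR table; minimatch gets a floor per fixed major.
const MINIMUMS = {
  flatted: ["3.4.2"], minimatch: ["3.1.4", "9.0.7"], rollup: ["4.60.1"],
  picomatch: ["4.0.4"], yaml: ["2.8.3"], ajv: ["8.18.0"],
};
// "1.2.3" or "1.2.3-beta.1" -> [1, 2, 3] (prerelease tag ignored).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}
// Numeric major.minor.patch comparison; returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk every installed copy in a lockfileVersion 2/3 "packages" map, top-level
// and nested, and report each one still below the floor for its major line.
function findOutdated(lock, minimums = MINIMUMS) {
  const outdated = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !entry.version) continue; // "" is the root project itself
    // Aliased packages carry an explicit name; otherwise take the last path segment.
    const name = entry.name ?? path.slice(path.lastIndexOf("node_modules/") + 13);
    const major = parseVersion(entry.version)[0];
    const floor = (minimums[name] ?? []).find((f) => parseVersion(f)[0] === major);
    if (floor && compareVersions(entry.version, floor) < 0) {
      outdated.push({ path, name, version: entry.version, floor,
        scope: entry.dev ? "dev-only" : "runtime" });
    }
  }
  return outdated;
}

// Constructed sample lockfile: the nested minimatch 3.x copy was not bumped.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/yaml": { version: "2.8.3" },
    "node_modules/minimatch": { version: "9.0.7", dev: true },
    "node_modules/eslint/node_modules/minimatch": { version: "3.1.2", dev: true },
    "node_modules/rollup": { version: "4.60.1", dev: true },
    "node_modules/@scope/unrelated": { version: "1.0.0" },
  },
};
console.log(findOutdated(SAMPLE_LOCK));
```

Run against the real lockfile with `findOutdated(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means every installed copy, dev-only or runtime, is at or above its floor.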

Add npm overrides for flatted, minimatch, rollup, and picomatch to
resolve transitive dev dependency vulnerabilities. Lockfile regeneration
also resolves yaml and ajv runtime dependency alerts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jkennedyvz John Kennedy (jkennedyvz) merged commit c9629b7 into main Apr 1, 2026
7 checks passed