Labels: dependencies (Dependency updates), security (Security-related changes or concerns)
Description
Summary
The flatted npm package at version 3.3.3 has a High severity prototype pollution vulnerability (GHSA-25h7-pfq9-p65f). This is a transitive dependency present in two docs-related lock files. The fix version (3.4.0) is already within the existing semver range (^3.3.3), so a lock file update resolves the issue.
A grype ignore rule was added in PR #240 to unblock CI. This issue tracks the actual dependency fix and subsequent removal of that ignore rule.
Severity
High — Prototype Pollution
Affected Files
- `docs/_server/package-lock.json` — flatted 3.3.3 (transitive dependency)
- `docs/assets/js/package-lock.json` — flatted 3.3.3 (transitive dependency)
Neither `docs/_server/package.json` nor `docs/assets/js/package.json` lists flatted as a direct dependency; it is pulled in transitively.
Vulnerability Details
| Field | Value |
|---|---|
| Package | flatted |
| Current Version | 3.3.3 |
| Fixed Version | 3.4.0 |
| Advisory | GHSA-25h7-pfq9-p65f |
| Severity | High |
| Type | Prototype Pollution |
Remediation Steps
- Run `npm update` in `docs/_server/` to bump flatted from 3.3.3 to 3.4.0
- Run `npm update` in `docs/assets/js/` to bump flatted from 3.3.3 to 3.4.0
- Verify both `package-lock.json` files no longer reference flatted 3.3.3
- Remove the grype ignore rule for `GHSA-25h7-pfq9-p65f` from `.grype.yaml`
- Run grype locally to confirm the finding is resolved: `grype dir:. --config .grype.yaml`
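An added check for the "verify both package-lock.json files" step above (example code, not part of the issue or the project): it parses a lock file and lists every installed copy of flatted below the fixed version, covering both the lockfileVersion 2/3 `packages` layout and the legacy lockfileVersion 1 `dependencies` tree. The sample lock at the bottom is constructed to mirror the transitive 3.3.3 install described in the issue.

```python
"""Check npm package-lock.json files for copies of flatted older than the fixed version."""
import json
import sys
VULN_PACKAGE = "flatted"
FIXED_VERSION = (3, 4, 0)  # first fixed version named in GHSA-25h7-pfq9-p65f

def parse_version(v):
    """Turn '3.4.0-beta.1' into (3, 4, 0); pre-release and build tags are ignored."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def find_package(lock, name):
    """Yield (location, version) for every installed copy of `name`.
    lockfileVersion 2/3 keys installs by path under "packages";
    lockfileVersion 1 nests them under "dependencies". Walk whichever is present."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.rsplit("node_modules/", 1)[-1] == name and "version" in meta:
                yield path, meta["version"]
        return
    def walk(deps, prefix):
        for dep, meta in deps.items():
            loc = f"{prefix}node_modules/{dep}"
            if dep == name and "version" in meta:
                yield loc, meta["version"]
            yield from walk(meta.get("dependencies", {}), loc + "/")
    yield from walk(lock.get("dependencies", {}), "")

def vulnerable_entries(lock_text, name=VULN_PACKAGE, fixed=FIXED_VERSION):
    """Return [(location, version)] for every copy of `name` below `fixed`."""
    lock = json.loads(lock_text)
    return [(loc, ver) for loc, ver in find_package(lock, name) if parse_version(ver) < fixed]

# Constructed sample (lockfileVersion 3): flatted 3.3.3 pulled in transitively, as in the issue.
SAMPLE_LOCK = json.dumps({
    "name": "docs-server", "lockfileVersion": 3,
    "packages": {
        "": {"name": "docs-server", "dependencies": {"some-tool": "^1.0.0"}},
        "node_modules/some-tool": {"version": "1.0.0", "dependencies": {"flatted": "^3.3.3"}},
        "node_modules/flatted": {"version": "3.3.3"},
    },
})

if __name__ == "__main__":
    # With lock file paths as arguments, audit those; otherwise audit the constructed sample.
    for path in sys.argv[1:] or ["<sample>"]:
        text = SAMPLE_LOCK if path == "<sample>" else open(path).read()
        bad = vulnerable_entries(text)
        print(f"{path}: {'OK' if not bad else 'VULNERABLE ' + str(bad)}")
```

Run it as `python check_flatted.py docs/_server/package-lock.json docs/assets/js/package-lock.json` after `npm update`; an empty result for both files is the condition the remediation step asks for.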
Acceptance Criteria
- `flatted` updated to >= 3.4.0 in `docs/_server/package-lock.json`
- `flatted` updated to >= 3.4.0 in `docs/assets/js/package-lock.json`
- Grype ignore rule for `GHSA-25h7-pfq9-p65f` removed from `.grype.yaml`
- CI Security Scan passes without the ignore rule
Related
- PR build(ci): replace MegaLinter with per-tool GitHub Actions lint workflows #240 — Introduced grype CI scanning and temporary ignore rule
- GHSA-25h7-pfq9-p65f