
chore: update dependencies to resolve security vulnerabilities#83

Merged
butler54 merged 1 commit into validatedpatterns:main from butler54:fix/update-dependencies-security
May 6, 2026

Conversation

@butler54
Collaborator

@butler54 butler54 commented May 6, 2026

Summary

  • Updates package-lock.json to address 10 Dependabot security alerts (1 critical, 7 high, 2 moderate)
  • Excludes superlinter-related vulnerabilities as requested

Fixed Vulnerabilities

  • lodash 4.17.23 → 4.18.1 (prototype pollution, code injection)
  • lodash-es 4.17.23 → 4.18.1 (prototype pollution, code injection)
  • handlebars 4.7.8 → 4.7.9 (critical JavaScript injection vulnerabilities)
  • undici 6.23.0 → 6.25.0 (WebSocket parser crashes, CRLF injection, HTTP smuggling)
  • npm 11.11.0 → 11.13.0 (includes minimatch 10.2.5 fixing ReDoS)

Remaining Issues

One moderate severity vulnerability (ip-address) remains as it's a bundled npm dependency that cannot be fixed at the project level.

Test Plan

  • Pre-commit hooks pass
  • npm audit shows only 1 moderate vulnerability (ip-address in bundled npm)
  • All major Dependabot alerts resolved

🤖 Generated with Claude Code

Update package-lock.json to address multiple Dependabot security alerts:
- lodash: 4.17.23 → 4.18.1 (fixes prototype pollution and code injection)
- lodash-es: 4.17.23 → 4.18.1 (fixes prototype pollution and code injection)
- handlebars: 4.7.8 → 4.7.9 (fixes critical JavaScript injection vulnerabilities)
- undici: 6.23.0 → 6.25.0 (fixes WebSocket parser crashes and CRLF injection)
- npm: 11.11.0 → 11.13.0 (includes minimatch 10.2.5 to fix ReDoS vulnerabilities)

This update resolves 1 critical, 7 high, and 2 moderate severity vulnerabilities.
The remaining moderate vulnerability (ip-address) is a bundled npm dependency
that cannot be fixed at the project level.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
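As an added check (not part of this PR or the repository), a script that reads a package-lock.json and confirms the versions listed above are actually pinned, and separately marks entries nested under npm's own node_modules tree, which only move when npm itself is bumped (the reason the ip-address alert is out of reach at the project level). The lockfile excerpt is constructed; lodash-es is deliberately left old so the check has something to flag.

```python
import json

# Minimum versions this PR pins, taken from the PR description above.
MIN_VERSIONS = {
    "lodash": "4.18.1",
    "lodash-es": "4.18.1",
    "handlebars": "4.7.9",
    "undici": "6.25.0",
    "npm": "11.13.0",
    "minimatch": "10.2.5",
}

# Constructed lockfile excerpt (lockfileVersion 3 layout); not the project's real package-lock.json.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example", "version": "0.0.0"},
        "node_modules/lodash": {"version": "4.18.1"},
        "node_modules/lodash-es": {"version": "4.17.23"},
        "node_modules/handlebars": {"version": "4.7.9"},
        "node_modules/undici": {"version": "6.25.0"},
        "node_modules/npm": {"version": "11.13.0"},
        "node_modules/npm/node_modules/minimatch": {"version": "10.2.5"},
    },
})

def parse_version(v):
    # Compare the numeric dotted core only; drop pre-release/build suffixes.
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def check_lockfile(lock_text, minimums):
    """Classify each lockfile entry whose name is in `minimums` as ok/outdated,
    and note entries nested under npm's own tree, which only move when npm is bumped."""
    packages = json.loads(lock_text).get("packages", {})
    result = {"ok": [], "outdated": [], "bundled_in_npm": []}
    for path, meta in packages.items():
        if "node_modules/" not in path:
            continue  # skip the root project entry ""
        name = path.rsplit("node_modules/", 1)[1]
        if name not in minimums:
            continue
        label = f"{path}@{meta.get('version')}"
        if path.startswith("node_modules/npm/node_modules/"):
            result["bundled_in_npm"].append(label)
        bucket = "ok" if parse_version(meta["version"]) >= parse_version(minimums[name]) else "outdated"
        result[bucket].append(label)
    return result

if __name__ == "__main__":
    print(json.dumps(check_lockfile(SAMPLE_LOCK, MIN_VERSIONS), indent=2))
```

Point it at a real lockfile with `check_lockfile(open("package-lock.json").read(), MIN_VERSIONS)`; an empty `outdated` list is the condition the Test Plan above describes.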
@butler54 butler54 requested a review from a team May 6, 2026 02:54
@butler54 butler54 changed the title fix: update dependencies to resolve security vulnerabilities chore: update dependencies to resolve security vulnerabilities May 6, 2026
@butler54 butler54 merged commit 1c8287f into validatedpatterns:main May 6, 2026
6 checks passed