Fix CVEs: add overrides for picomatch, yaml, brace-expansion#119

Merged: mraible merged 2 commits into main from fix/cve-overrides on Apr 7, 2026

Conversation

@mraible (Contributor) commented Apr 6, 2026

Add npm overrides to resolve known vulnerabilities in ui/extensions/hello:

lodash remains pinned at 4.17.23 (fix version 4.18.1 not yet available). brace-expansion 1.x (1.1.12) remains unfixed as no patched version exists.

All tests pass and the project builds successfully. Requesting the Foundry team to review.

Add overrides to resolve known vulnerabilities:
- picomatch@2 -> 2.3.2 (ReDoS via extglob quantifiers)
- picomatch@4 -> 4.0.4 (ReDoS via extglob quantifiers)
- yaml@1 -> 1.10.3 (stack overflow via deeply nested collections)
- brace-expansion@2 -> 2.0.3 (zero-step sequence hang)
- lodash -> 4.18.1 (prototype pollution and code injection)

Remaining: brace-expansion 1.x (1.1.12) has no fixed version available.
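An `overrides` entry only helps if every nested copy of the package in the lock file actually ends up at the patched version. The script below, added here as an illustration and not part of this pull request or the project, walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3, where nested installs appear under keys such as `node_modules/a/node_modules/picomatch`) and reports any copy still below the minimum the override was meant to enforce. The minimum versions are the ones listed in the PR description; the sample lock file and the `micromatch`/`minimatch` parent paths in it are constructed for the example.

```python
"""Check that npm overrides took effect in package-lock.json.

Added example (not the project's code). For each installed package entry
in the lockfile's "packages" map, compare its version against the minimum
that the matching override was meant to enforce and collect any that are
still too old. Matching is on the last path component, so nested copies
are caught as well as the top-level one.
"""
import json
import re
import sys

# Minimum versions taken from the PR description, keyed by (package, major).
# brace-expansion 1.x is deliberately absent: the PR notes no fixed 1.x exists.
OVERRIDE_MINIMUMS = {
    ("picomatch", 2): "2.3.2",
    ("picomatch", 4): "4.0.4",
    ("yaml", 1): "1.10.3",
    ("brace-expansion", 2): "2.0.3",
}


def parse_version(version: str) -> tuple:
    """Turn '2.3.2' into (2, 3, 2); any pre-release suffix is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def package_name(lock_key: str) -> str:
    """Map 'node_modules/a/node_modules/@scope/b' to '@scope/b'."""
    return lock_key.split("node_modules/")[-1]


def find_unfixed(lockfile: dict) -> list:
    """Return (lock_key, installed_version, required_minimum) for each
    installed copy that is still below the override minimum."""
    findings = []
    for key, meta in lockfile.get("packages", {}).items():
        if not key:  # the empty key is the root project itself
            continue
        version = meta.get("version")
        if not version:
            continue
        parsed = parse_version(version)
        minimum = OVERRIDE_MINIMUMS.get((package_name(key), parsed[0]))
        if minimum is not None and parsed < parse_version(minimum):
            findings.append((key, version, minimum))
    return findings


# Constructed sample lockfile: one nested picomatch and one nested
# brace-expansion are still on old versions; brace-expansion 1.1.12 is
# left alone because no override minimum exists for the 1.x line.
SAMPLE_LOCK = {
    "name": "hello",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "hello"},
        "node_modules/picomatch": {"version": "4.0.4"},
        "node_modules/micromatch/node_modules/picomatch": {"version": "2.3.1"},
        "node_modules/yaml": {"version": "1.10.3"},
        "node_modules/brace-expansion": {"version": "1.1.12"},
        "node_modules/minimatch/node_modules/brace-expansion": {"version": "2.0.1"},
    },
}


if __name__ == "__main__":
    # Usage: python check_overrides.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for key, have, need in find_unfixed(lock):
        print(f"{key}: installed {have}, override requires >= {need}")
```

Run it against the real lock file after `npm install`; an empty result means every resolved copy of the overridden packages is at or above the pinned version, which is the check that `npm audit` alone does not make explicit.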
@mraible mraible requested a review from a team April 6, 2026 17:31
@mraible mraible changed the title Fix CVEs: add overrides for picomatch, yaml, brace-expansion, lodash Fix CVEs: add overrides for picomatch, yaml, brace-expansion Apr 6, 2026
@mraible mraible merged commit 175aeab into main Apr 7, 2026
18 checks passed
@mraible mraible deleted the fix/cve-overrides branch April 7, 2026 02:46