fix(deps): bump flatted, picomatch, undici, rollup (CVE-2026-32141, 33228, 33671, 1526/1528/2229, 27606)#165
Conversation
…23.0→6.25.0

Resolves:
- CVE-2026-32141 (CVSS 7.5): flatted DoS via unbounded recursion — fix: >=3.4.0
- CVE-2026-33228 (High): flatted Prototype Pollution — fix: >3.4.1
- CVE-2026-33671 (CVSS 7.5): picomatch ReDoS — fix: >=2.3.2
- CVE-2026-1526/1528/2229 (CVSS 7.5): undici WebSocket vulnerabilities — fix: >=6.24.0

All fixes are lockfile-only — parent constraints already allow the safe versions.
Copilot wasn't able to review any files in this pull request.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Codecov Report
✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs. #165):

| | main | #165 | +/- |
|---|---|---|---|
| Coverage | 80.13% | 80.13% | |
| Files | 44 | 44 | |
| Lines | 589 | 589 | |
| Branches | 111 | 111 | |
| Hits | 472 | 472 | |
| Misses | 77 | 77 | |
| Partials | 40 | 40 | |

☔ View full report in Codecov by Sentry.
Lockfile-only — vite@6.4.1 specifies rollup '^4.34.9' which already allows 4.60.1. CVE-2026-27606 (High): Rollup Arbitrary File Write via Path Traversal — fix: >=4.59.0.
Pull request overview
This PR updates the pnpm lockfile (and the pnpm override) to ensure several transitive dev dependencies resolve to non-vulnerable versions associated with the listed CVEs.
Changes:
- Bumps resolved versions of `flatted`, `picomatch`, `undici`, and `rollup` in `pnpm-lock.yaml`.
- Updates the `pnpm.overrides.undici` constraint in `package.json` (and mirrors it in `pnpm-lock.yaml`).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pnpm-lock.yaml | Updates resolved package versions (including undici, rollup, flatted, picomatch) and updates the lockfile's overrides.undici value. |
| package.json | Tightens/changes the pnpm override for undici to avoid resolving vulnerable versions. |
🎉 This PR is included in version 2.3.4 🎉 The release is available on:
Your semantic-release bot 📦🚀
Lockfile-only updates — all parent constraints already allow the safe versions.
Also tightens the pnpm override for undici from ^6.23.0 to >=6.25.0 to prevent future lockfile regenerations from selecting a vulnerable version.
All transitive dev dependencies (semantic-release / storybook toolchain), no production runtime exposure.
Testing
Tested this version locally with mercury-web (PR)
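As an added example (not code from this PR or the project), a small Node.js script that checks the versions a pnpm lockfile resolves for the four packages named above against the fix thresholds stated in this PR, and shows why the override had to move from `^6.23.0` to `>=6.25.0`: a caret range still admits its own base version. The lockfile text is constructed, and the range and lockfile parsing are deliberately minimal stand-ins, not pnpm's own.

```javascript
// Fix thresholds as stated in this PR; flatted needs >3.4.1 because the
// prototype-pollution fix lands after 3.4.1.
const FIXED = {
  flatted: '>3.4.1', picomatch: '>=2.3.2', undici: '>=6.24.0', rollup: '>=4.59.0',
};
// Constructed stand-in for the `packages:` section of a pnpm v9 lockfile.
const SAFE_LOCK = `packages:
  flatted@3.4.2:
  picomatch@2.3.2:
  rollup@4.60.1:
  undici@6.25.0:
`;
// Same file after a hypothetical regeneration that picked the old undici.
const REGRESSED_LOCK = SAFE_LOCK.replace('undici@6.25.0', 'undici@6.23.0');

const parse = (v) => v.split('.').map(Number);

// Returns -1, 0 or 1 comparing two x.y.z versions numerically.
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal range check for the operators used here: '>', '>=' and '^' (major >= 1).
// '^x.y.z' admits x.y.z itself, which is why '^6.23.0' cannot pin out 6.23.0.
function satisfies(version, range) {
  if (range.startsWith('>=')) return compare(version, range.slice(2)) >= 0;
  if (range.startsWith('>')) return compare(version, range.slice(1)) > 0;
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return compare(version, base) >= 0 && parse(version)[0] === parse(base)[0];
  }
  throw new Error(`unsupported range: ${range}`);
}

// Extracts name -> resolved version(s) from `  name@x.y.z:` package keys.
function resolvedVersions(lockText) {
  const out = {};
  for (const m of lockText.matchAll(/^ {2}(@?[^@\s]+)@(\d+\.\d+\.\d+)[^\n]*:$/gm)) {
    (out[m[1]] = out[m[1]] || []).push(m[2]);
  }
  return out;
}

// Returns one finding per (package, resolved version) that FIXED covers.
function auditLock(lockText, fixed = FIXED) {
  return Object.entries(resolvedVersions(lockText))
    .filter(([name]) => name in fixed)
    .flatMap(([name, vs]) => vs.map((v) => ({ name, version: v, ok: satisfies(v, fixed[name]) })));
}
```

Run `auditLock` against the real `pnpm-lock.yaml` text after any lockfile regeneration; a finding with `ok: false` means a vulnerable version crept back in despite the parent constraints.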