Skip to content

fix(deps): resolve picomatch and esbuild security alerts#53

Merged
nicomiguelino merged 1 commit into
mainfrom
fix/dependabot-security-alerts
Jul 14, 2026
Merged

fix(deps): resolve picomatch and esbuild security alerts#53
nicomiguelino merged 1 commit into
mainfrom
fix/dependabot-security-alerts

Conversation

@nicomiguelino

Copy link
Copy Markdown
Contributor

Summary

  • Bump transitive picomatch 2.3.12.3.2 under anymatch, micromatch, and readdirp (fixes GHSA-c2c7-rcm5-vvqj ReDoS and GHSA-3v7f-55p6-f55p POSIX-class injection)
  • Add an exact-pinned overrides entry for esbuild 0.17.190.25.12 under @jsheaven/easybuild, whose latest release still requires ^0.17.6 (fixes GHSA-67mh-4wv8-2f99 dev-server CORS issue)

Resolves Dependabot alerts #1, #15, #17.

Test plan

  • npm audit reports 0 vulnerabilities
  • npm run test:unit — 187/187 passing
  • npm run build succeeds

- bump transitive picomatch 2.3.1 -> 2.3.2 under anymatch, micromatch,
  and readdirp (fixes GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 ReDoS and
  GHSA-3v7f-55p6-f55p / CVE-2026-33672 POSIX class injection)
- add an exact-pinned override for esbuild 0.17.19 -> 0.25.12 under
  @jsheaven/easybuild, whose latest release still requires ^0.17.6
  (fixes GHSA-67mh-4wv8-2f99 dev-server CORS issue)
@nicomiguelino nicomiguelino self-assigned this Jul 14, 2026
@nicomiguelino nicomiguelino marked this pull request as ready for review July 14, 2026 14:13
@nicomiguelino nicomiguelino merged commit 05e8bf2 into main Jul 14, 2026
4 checks passed
@nicomiguelino nicomiguelino deleted the fix/dependabot-security-alerts branch July 14, 2026 16:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants