fix: lodash 4.17.21->4.18.1, revert giphy upgrade (worse vulns)
CI / Build & Quality Checks (push) Successful in 10m9s
CI / Build & Quality Checks (push) Successful in 10m9s
lodash >= 4.18.0 patches prototype-pollution (GHSA-f23m-r3pf-42rh) and code-injection (GHSA-r5fr-rjxr-66jc) used by slate-dom/slate-react in the deployed bundle. Attempted @giphy/react-components@10.1.2 upgrade but it pulled in new high-severity lodash and js-cookie vulns — net regression, reverted. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Lotus Bot
Generated
+16
-7
@@ -15,7 +15,7 @@
|
||||
"@atlaskit/pragmatic-drag-and-drop-hitbox": "1.0.3",
|
||||
"@fontsource/inter": "4.5.14",
|
||||
"@giphy/js-fetch-api": "5.8.0",
|
||||
"@giphy/js-types": "5.1.0",
|
||||
"@giphy/js-types": "4.3.0",
|
||||
"@giphy/react-components": "1.6.0",
|
||||
"@sentry/react": "10.53.1",
|
||||
"@tanstack/react-query": "5.24.1",
|
||||
@@ -47,6 +47,7 @@
|
||||
"jotai": "2.6.0",
|
||||
"linkify-react": "4.3.2",
|
||||
"linkifyjs": "4.3.2",
|
||||
"lodash": "4.18.1",
|
||||
"matrix-js-sdk": "38.2.0",
|
||||
"matrix-widget-api": "1.16.1",
|
||||
"millify": "6.1.0",
|
||||
@@ -2632,9 +2633,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@giphy/js-types": {
|
||||
"version": "5.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@giphy/js-types/-/js-types-5.1.0.tgz",
|
||||
"integrity": "sha512-BZYCDtYNRR7cUWkbDLB4wmm3qmWMsVCQdUiBNOfmZ3yAazCgygKJoDI/5Rq4CK5MBaOc5LVdF8viC2WtoBdaPA==",
|
||||
"version": "4.3.0",
|
||||
"resolved": "https://registry.npmjs.org/@giphy/js-types/-/js-types-4.3.0.tgz",
|
||||
"integrity": "sha512-uRzuHz58W/Locbr0xJqFhXtZqURLvjMFrQ2ZsFP5zuKf2vfvmAjRhTMN9rozfxpZWtRPhR8+oitEcrsFyMKeog==",
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/@giphy/js-util": {
|
||||
@@ -8412,6 +8413,13 @@
|
||||
"node": ">=10"
|
||||
}
|
||||
},
|
||||
"node_modules/commitizen/node_modules/lodash": {
|
||||
"version": "4.17.21",
|
||||
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
|
||||
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
|
||||
"dev": true,
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/commitizen/node_modules/minimist": {
|
||||
"version": "1.2.7",
|
||||
"resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz",
|
||||
@@ -13200,9 +13208,10 @@
|
||||
}
|
||||
},
|
||||
"node_modules/lodash": {
|
||||
"version": "4.17.21",
|
||||
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
|
||||
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
|
||||
"version": "4.18.1",
|
||||
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
|
||||
"integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/lodash-es": {
|
||||
"version": "4.18.1",
|
||||
|
||||
+2
-1
@@ -68,7 +68,7 @@
|
||||
"@atlaskit/pragmatic-drag-and-drop-hitbox": "1.0.3",
|
||||
"@fontsource/inter": "4.5.14",
|
||||
"@giphy/js-fetch-api": "5.8.0",
|
||||
"@giphy/js-types": "5.1.0",
|
||||
"@giphy/js-types": "4.3.0",
|
||||
"@giphy/react-components": "1.6.0",
|
||||
"@sentry/react": "10.53.1",
|
||||
"@tanstack/react-query": "5.24.1",
|
||||
@@ -100,6 +100,7 @@
|
||||
"jotai": "2.6.0",
|
||||
"linkify-react": "4.3.2",
|
||||
"linkifyjs": "4.3.2",
|
||||
"lodash": "4.18.1",
|
||||
"matrix-js-sdk": "38.2.0",
|
||||
"matrix-widget-api": "1.16.1",
|
||||
"millify": "6.1.0",
|
||||
|
||||
Reference in New Issue
Block a user