fix: lodash 4.17.21->4.18.1, revert giphy upgrade (worse vulns)
CI / Build & Quality Checks (push) Successful in 10m9s
lodash >= 4.18.0 patches prototype-pollution (GHSA-f23m-r3pf-42rh) and code-injection (GHSA-r5fr-rjxr-66jc) used by slate-dom/slate-react in the deployed bundle. Attempted @giphy/react-components@10.1.2 upgrade but it pulled in new high-severity lodash and js-cookie vulns — net regression, reverted. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+2
-1
@@ -68,7 +68,7 @@
|
||||
"@atlaskit/pragmatic-drag-and-drop-hitbox": "1.0.3",
|
||||
"@fontsource/inter": "4.5.14",
|
||||
"@giphy/js-fetch-api": "5.8.0",
|
||||
"@giphy/js-types": "5.1.0",
|
||||
"@giphy/js-types": "4.3.0",
|
||||
"@giphy/react-components": "1.6.0",
|
||||
"@sentry/react": "10.53.1",
|
||||
"@tanstack/react-query": "5.24.1",
|
||||
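Review bot: the commit message never mentions that this hunk changes the @giphy/js-types pin (the adjacent "5.1.0" and "4.3.0" lines, one removed and one added per the 7-to-7 hunk header) while "@giphy/react-components": "1.6.0" and "@giphy/js-fetch-api": "5.8.0" stay as context; since the body only describes attempting and reverting a @giphy/react-components@10.1.2 upgrade, state in the body which js-types version is now pinned and why it is part of the revert, and confirm that the retained react-components 1.6.0 accepts that js-types version as a peer (`npm ls @giphy/js-types` should show a single resolved version with no peer warnings).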
@@ -100,6 +100,7 @@
|
||||
"jotai": "2.6.0",
|
||||
"linkify-react": "4.3.2",
|
||||
"linkifyjs": "4.3.2",
|
||||
"lodash": "4.18.1",
|
||||
"matrix-js-sdk": "38.2.0",
|
||||
"matrix-widget-api": "1.16.1",
|
||||
"millify": "6.1.0",
|
||||
|
||||
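Review bot: a top-level "lodash": "4.18.1" pin, which is the one line this hunk adds to the dependencies block with nothing removed (6-to-7 line hunk header), does not by itself change the lodash version resolved for slate-dom/slate-react, the consumers the body names as pulling in the vulnerable copy, unless the lockfile dedupes onto it; either verify with `npm ls lodash` that exactly one lodash at 4.18.1 is resolved beneath slate-dom and slate-react, or move the pin into an `overrides` (npm) or `resolutions` (yarn) entry, and reword the title, which reads as a 4.17.21->4.18.1 bump of an existing dependency rather than the addition of a new direct one.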