mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:11:29 +00:00
shankar0123
cd3205a66d
Dependabot opened two High-severity alerts on lodash 4.17.23 arriving transitively via orval 7.x → @stoplight/spectral-* → lodash 4.17.23: #19 — CVE-2026-4800 / GHSA-r5fr-rjxr-66jc: _.template imports key names → Function() constructor sink → arbitrary-code execution at template compile time #18 — Prototype pollution via array path bypass in _.unset / _.omit Both alerts are tagged "Development dependency" by Dependabot — lodash is only pulled by orval (the Phase 5 API client codegen) and doesn't reach the production-served bundle. The risk is build- time RCE during `npm run generate` against untrusted input or a polluted Object.prototype. Worth fixing regardless. Fix: add `"lodash": ">=4.18.0"` to the existing `overrides` block in web/package.json. Force npm to dedupe every transitive lodash edge onto the top-level 4.18.1 already resolved at the root. Pre-fix lockfile state (web/package-lock.json): node_modules/lodash → 4.18.1 node_modules/@stoplight/spectral-functions/node_modules/lodash → 4.17.23 node_modules/@stoplight/spectral-rulesets/node_modules/lodash → 4.17.23 Post-fix: node_modules/lodash → 4.18.1 (the two nested copies are gone — deduplicated under the override) Verification: cd web npm install --package-lock-only --no-audit node -e "const lock = require('./package-lock.json'); for (const [k,v] of Object.entries(lock.packages||{})) if (k.includes('lodash') && !k.includes('lodash.')) console.log(k, v.version)" → node_modules/lodash 4.18.1 (only one entry) npm audit → found 0 vulnerabilities Lockfile delta is -14 / +0 (the two nested 4.17.23 copies removed, no new entries needed since 4.18.1 was already resolved at the root). The `"lodash": "^4.17.21"` / `~4.17.21` requirements declared by @stoplight/spectral-functions, spectral-rulesets, and orval itself are still satisfied — `^4.17.21` accepts 4.18.x, and the override forces every consumer to the same dedup'd version. Lockfile-regen pattern lesson: per the standing rule from the post-Phase-2 + post-Phase-5 lockfile-drift hotfixes, every commit that edits web/package.json MUST regenerate web/package-lock.json in the same commit via `npm install --package-lock-only --no-audit`. This commit follows that rule. Closes: https://github.com/certctl-io/certctl/security/dependabot/19 https://github.com/certctl-io/certctl/security/dependabot/18
44 lines
1.1 KiB
JSON
44 lines
1.1 KiB
JSON
{
|
|
"name": "certctl-dashboard",
|
|
"version": "1.0.0",
|
|
"private": true,
|
|
"type": "module",
|
|
"scripts": {
|
|
"dev": "vite",
|
|
"build": "tsc && vite build",
|
|
"preview": "vite preview",
|
|
"test": "vitest run",
|
|
"test:watch": "vitest",
|
|
"e2e": "playwright test",
|
|
"e2e:install": "playwright install --with-deps chromium",
|
|
"generate": "orval --config ./orval.config.ts"
|
|
},
|
|
"dependencies": {
|
|
"@tanstack/react-query": "^5.90.21",
|
|
"react": "^18.3.1",
|
|
"react-dom": "^18.3.1",
|
|
"react-router-dom": "^6.30.3",
|
|
"recharts": "^3.8.0"
|
|
},
|
|
"devDependencies": {
|
|
"@playwright/test": "^1.49.0",
|
|
"@testing-library/jest-dom": "^6.9.1",
|
|
"@testing-library/react": "^16.3.2",
|
|
"orval": "^7.0.0",
|
|
"@types/react": "^19.2.14",
|
|
"@types/react-dom": "^19.2.3",
|
|
"@vitejs/plugin-react": "^6.0.1",
|
|
"autoprefixer": "^10.4.27",
|
|
"jsdom": "^29.0.0",
|
|
"postcss": "^8.5.8",
|
|
"tailwindcss": "^3.4.19",
|
|
"typescript": "^5.9.3",
|
|
"vite": "^8.0.10",
|
|
"vitest": "^4.1.0"
|
|
},
|
|
"overrides": {
|
|
"picomatch": "^4.0.4",
|
|
"lodash": ">=4.18.0"
|
|
}
|
|
}
|