From 1bf5b7f4f01bd6518a2b27f6f1a0c2e66c453f20 Mon Sep 17 00:00:00 2001
From: "Vic Perdana (MSFT)" <7114832+vicperdana@users.noreply.github.com>
Date: Mon, 11 May 2026 10:15:34 +1000
Subject: [PATCH] fix: resolve 7 dependency security vulnerabilities (4 high, 3 medium)

Force-pin transitive dependencies via npm overrides to address all open Dependabot alerts. No source-code changes required.
Pinned versions:
- fast-uri ^3.1.2 (was 3.1.0) fixes #69, #70
- lodash ^4.18.1 (was 4.17.23) fixes #66, #67
- picomatch ^2.3.2 (was 2.3.1) fixes #61, #62
- serialize-javascript ^7.0.5 (was 7.0.4) fixes #65
Detail:
- GHSA-q3j6-qgpj-74h6 / CVE-2026-6321 fast-uri path traversal (high) #69
- GHSA-v39h-62p7-jpjc / CVE-2026-6322 fast-uri host confusion (high) #70
- GHSA-r5fr-rjxr-66jc / CVE-2026-4800 lodash code injection (high) #66
- GHSA-f23m-r3pf-42rh / CVE-2026-2950 lodash prototype pollution (medium) #67
- GHSA-c2c7-rcm5-vvqj / CVE-2026-33671 picomatch ReDoS (high) #61
- GHSA-3v7f-55p6-f55p / CVE-2026-33672 picomatch method injection (medium) #62
- GHSA-qj8w-gfj5-8c6v / CVE-2026-34043 serialize-javascript DoS (medium, dev) #65
Validation:
- npm audit reports 0 vulnerabilities
- All resolved versions verified in package-lock.json
- npm run pack loads the full @secretlint/@vscode/vsce dependency chain successfully (existing engines.vscode pre-flight error is unrelated)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
package-lock.json | 25 +++++++++++++------------
package.json | 5 ++++-
2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index cb37845..ede0a97 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3007,9 +3007,9 @@
 "dev": true
 },
 "node_modules/fast-uri": {
- "version": "3.1.0",
- "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
- "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+ "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
 "funding": [
 {
 "type": "github",
@@ -3966,9 +3966,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 "license": "MIT"
 },
 "node_modules/lodash.includes": {
@@ -4808,9 +4808,10 @@
 "license": "ISC"
 },
 "node_modules/picomatch": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
- "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+ "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+ "license": "MIT",
 "engines": {
 "node": ">=8.6"
 },
@@ -5171,9 +5172,9 @@
 }
 },
 "node_modules/serialize-javascript": {
- "version": "7.0.4",
- "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.4.tgz",
- "integrity": "sha512-DuGdB+Po43Q5Jxwpzt1lhyFSYKryqoNjQSA9M92tyw0lyHIOur+XCalOUe0KTJpyqzT8+fQ5A0Jf7vCx/NKmIg==",
+ "version": "7.0.5",
+ "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz",
+ "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==",
 "dev": true,
 "license": "BSD-3-Clause",
 "engines": {
diff --git a/package.json b/package.json
index 5539d02..8101dd1 100644
--- a/package.json
+++ b/package.json
@@ -90,8 +90,11 @@
 "@vscode/vsce": "^3.7.1"
 },
 "overrides": {
+ "fast-uri": "^3.1.2",
+ "lodash": "^4.18.1",
+ "picomatch": "^2.3.2",
+ "serialize-javascript": "^7.0.5",
 "mocha": {
- "serialize-javascript": "^7.0.4",
 "diff": "^8.0.3"
 }
 }
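Review bot: The four new top-level entries in the `overrides` block use caret ranges (`"lodash": "^4.18.1"` and siblings), so they set a minimum rather than the "force-pin" the commit message describes; the exact versions are held only by package-lock.json, which is fine as long as installs use `npm ci` and the lockfile stays committed and reviewed. A bare package-name override is also applied to every occurrence of that package in the tree regardless of the range the dependent declared, so a future dependency that requires a newer major of picomatch (or any of the four) would be rewritten to the line pinned here without a warning; since package.json cannot carry comments, this is worth recording in the README or a follow-up issue so the next dependency upgrade does not trip over it. Moving `serialize-javascript` out of the `mocha` scope into the global overrides is consistent with the other three but widens it from one dependent to all consumers, which I assume is intended. The package.json root object continues outside the hunk.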