Commit 43a91fd
committed
chore(sec): 1.17.0 — clear CRITICAL + transitive findings via overrides (non-breaking)
Non-breaking security patch on the 1.x line so consumers can clear
critical/high scanner alerts without waiting for or adopting the breaking
2.0.0 bump (requested on #386).
Adds a package.json `overrides` block pinning transitive/dev deps to
patched versions. Clears:
- 2 CRITICAL: basic-ftp, form-data
- HIGH/MED/LOW across the dev + transitive tree (ws, braces, micromatch,
cross-spawn, serialize-javascript, @babel/*, js-yaml, ip-address,
path-to-regexp, diff, ajv, nanoid, minimatch, follow-redirects, ...)
No engine, runtime-API, or declared-dependency changes -> drop-in patch.
The two remaining HIGH findings are on direct runtime deps whose fixes are
SemVer-major (thrift 0.16->0.23, uuid 9->11); those, plus the engines
>=18 bump, ship in 2.0.0 (#390). Verified with osv-scanner v2.3.8: only
thrift + uuid remain (both "breaking change" per npm audit).
Closes #386
Closes #263
Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>1 parent 9235fc4 commit 43a91fd
3 files changed
Lines changed: 1015 additions & 1198 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
3 | 9 | | |
4 | 10 | | |
5 | 11 | | |
| |||
0 commit comments