
fix(security): update dependencies with known vulnerabilities#829

Open
racmarques wants to merge 1 commit into RevenueCat:main from racmarques:fix/security-dependency-updates

Conversation

@racmarques

Motivation / Description

Update dependencies with known security vulnerabilities:

  • lodash 4.17.23 → 4.18.1 (CVE-2026-2950: prototype pollution)
  • eslint-config-prettier ^9.1.0 → ^9.1.2 (CVE-2025-54313: supply chain attack)
  • storybook + @storybook/* ^8.6.15 → ^8.6.18 (CVE-2026-27148: WebSocket hijacking RCE)

Changes introduced

  • Updated lodash to 4.18.1 to fix prototype pollution via _.unset/_.omit
  • Updated eslint-config-prettier minimum to ^9.1.2 to exclude compromised version 9.1.1
  • Updated storybook and all @storybook/* packages to ^8.6.17+ to fix WebSocket hijacking RCE (CVSS 8.9)
  • Regenerated pnpm-lock.yaml

Linear ticket (if any)

N/A

Additional comments

lodash 4.17.23 remains as a transitive dependency via @microsoft/api-extractor → @rushstack/ts-command-line. This poses no practical risk as it only runs during local API report generation with deterministic input.

All 547 tests pass.

- lodash 4.17.23 → 4.18.1 (CVE-2026-2950: prototype pollution via _.unset/_.omit)
- eslint-config-prettier ^9.1.0 → ^9.1.2 (CVE-2025-54313: supply chain attack, 9.1.1 compromised)
- storybook + @storybook/* ^8.6.15 → ^8.6.18 (CVE-2026-27148: WebSocket hijacking RCE, CVSS 8.9)

Note: lodash 4.17.23 remains as a transitive dependency via @microsoft/api-extractor → @rushstack/ts-command-line. This poses no practical risk as it only runs during local API report generation with deterministic input.
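The two checks a reviewer would want to reproduce from this description are (a) whether any lockfile entry still resolves to a version below the stated fix, and through which dependency chain it gets there (the lodash 4.17.23 remnant via @microsoft/api-extractor → @rushstack/ts-command-line), and (b) whether a caret range such as ^9.1.0 still admits the compromised eslint-config-prettier 9.1.1 while ^9.1.2 excludes it. The script below is an added example, not code from the RevenueCat repository or from this PR. Its LOCKFILE is a constructed pnpm v9-style snippet reduced to the keys the small parser understands; the versions given for @microsoft/api-extractor and @rushstack/ts-command-line are placeholders, and the advisory table reuses only the package names, versions and CVE ids stated in the PR description.

```python
"""Audit a pnpm lockfile for the findings listed in this PR (added example).

Not RevenueCat code. LOCKFILE is a constructed pnpm v9-style subset;
the @microsoft/api-extractor and @rushstack/ts-command-line versions are
placeholders. Advisory data comes from the PR description only.
"""

LOCKFILE = """\
importers:
  .:
    dependencies:
      lodash:
        specifier: 4.18.1
        version: 4.18.1
    devDependencies:
      '@microsoft/api-extractor':
        specifier: ^1.0.0
        version: 1.0.0
      eslint-config-prettier:
        specifier: ^9.1.2
        version: 9.1.2
snapshots:
  '@microsoft/api-extractor@1.0.0':
    dependencies:
      '@rushstack/ts-command-line': 1.0.0
  '@rushstack/ts-command-line@1.0.0':
    dependencies:
      lodash: 4.17.23
  eslint-config-prettier@9.1.2: {}
  lodash@4.17.23: {}
  lodash@4.18.1: {}
"""

ADVISORIES = [("lodash", "4.18.1", "CVE-2026-2950")]  # (pkg, first fixed, id): older is flagged
COMPROMISED = [("eslint-config-prettier", "9.1.1", "CVE-2025-54313")]  # exact version flagged


def parse_lock(text):
    """Indentation-based parser for the 'key: value' / 'key:' / 'key: {}' subset above."""
    root, stack = {}, []
    stack.append((-1, root))
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        key, value = key.strip("'\""), value.strip().strip("'\"")
        while stack[-1][0] >= indent:        # close mappings at deeper/equal indent
            stack.pop()
        parent = stack[-1][1]
        if value in ("", "{}"):               # nested mapping (possibly empty)
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def split_key(key):
    """'@scope/name@1.2.3(peer@x)' -> ('@scope/name', '1.2.3')."""
    name, _, version = key.split("(")[0].rpartition("@")
    return name, version


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def caret_allows(spec, version):
    """Does a caret range like ^9.1.0 admit `version`? (assumes numeric x.y.z)"""
    base, v = version_tuple(spec.lstrip("^")), version_tuple(version)
    lock = 1 if base[0] > 0 else (2 if base[1] > 0 else 3)  # ^1.x / ^0.x / ^0.0.x rules
    return v[:lock] == base[:lock] and v >= base


def find_paths(lock, target):
    """Every chain importer-root -> ... -> target=(name, version) through 'snapshots'."""
    graph = {split_key(k): {n: v.split("(")[0] for n, v in e.get("dependencies", {}).items()}
             for k, e in lock.get("snapshots", {}).items()}
    roots = [(n, s["version"].split("(")[0])
             for imp in lock.get("importers", {}).values()
             for sec in ("dependencies", "devDependencies")
             for n, s in imp.get(sec, {}).items()]
    paths = []

    def walk(node, path):
        if node in path:                      # cycle guard
            return
        path = path + [node]
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, {}).items():
            walk(dep, path)

    for root in roots:
        walk(root, [])
    return paths


def audit(lock):
    """Flag lockfile packages hit by ADVISORIES/COMPROMISED, with their dependency chains."""
    findings = []
    for key in lock.get("snapshots", {}):
        name, version = split_key(key)
        hit = [cve for pkg, fixed, cve in ADVISORIES
               if name == pkg and version_tuple(version) < version_tuple(fixed)]
        hit += [cve for pkg, bad, cve in COMPROMISED if name == pkg and version == bad]
        for cve in hit:
            chains = [" -> ".join(f"{n}@{v}" for n, v in p) for p in find_paths(lock, (name, version))]
            findings.append({"advisory": cve, "package": f"{name}@{version}", "chains": chains})
    return findings


if __name__ == "__main__":
    for f in audit(parse_lock(LOCKFILE)):
        print(f["advisory"], f["package"], "via", *f["chains"])
    print("^9.1.0 admits 9.1.1:", caret_allows("^9.1.0", "9.1.1"))
    print("^9.1.2 admits 9.1.1:", caret_allows("^9.1.2", "9.1.1"))
```

Running it against the constructed lockfile reports lodash@4.17.23 reachable only through the api-extractor chain, which is the situation the PR's note describes; rewriting the snippet with eslint-config-prettier at 9.1.1 makes the second check fire as well. The parser deliberately covers only the mapping subset shown (no lists, no inline `{integrity: ...}` maps), so on a real pnpm-lock.yaml a YAML library should replace it; the caret logic follows the usual semver rule for ^x.y.z and is a simplification of what pnpm's resolver does.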
