fix(deps): pin vulnerable transitive dependencies#1250
Add resolutions/overrides to pin lodash, lodash-es, @xmldom/xmldom, flatted, serialize-javascript, node-forge, basic-ftp, fast-uri, picomatch, undici, path-to-regexp, tar, systeminformation, axios, and @babel/plugin-transform-modules-systemjs to non-vulnerable versions. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
| [email protected], [email protected], [email protected], picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^4.0.2, picomatch@^4.0.3: | ||
| version "4.0.4" | ||
| resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-4.0.4.tgz#fd6f5e00a143086e074dffe4c924b8fb293b0589" | ||
| integrity sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A== |
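Review bot: the lockfile key on the first line of this hunk shows the override merging four requests (picomatch@^2.0.4, ^2.2.1, ^4.0.2, ^4.0.3) into a single 4.0.4 entry, and a caret range on 2.x cannot legitimately resolve to 4.x, so the two ^2 ranges are now satisfied by an incompatible major. Before merging, run `yarn why picomatch` to list the dependants that request the ^2 ranges and exercise the code paths they serve (file watching and glob matching under the webpack dev server, as the review comments on this page note), rather than relying on the lockfile resolving cleanly.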
picomatch resolution forces v2 dependents to use v4
Medium Severity
The picomatch resolution collapses all version specifiers — including ^2.0.4 and ^2.2.1 (used by anymatch and readdirp) — into version 4.0.4. This is a major-version jump from v2 to v4, violating semver. Picomatch v4 removed the process global and os dependency, among other changes. Packages expecting v2 API behavior may break at runtime.
Reviewed by Cursor Bugbot for commit d2fa10a.
| version "4.0.8" | ||
| resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.8.tgz#d66fa18f3a47076789320b9b1af32bd86d9fa202" | ||
| integrity sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA== | ||
| dependencies: |
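Review bot: the hunk ends at the bare `dependencies:` key with nothing beneath it, so the lockfile block as shown is incomplete; confirm that the braces and picomatch lines for [email protected] are present after `yarn install`, and run the CI install with `yarn install --frozen-lockfile` so a lockfile that no longer matches package.json fails the build instead of silently dropping transitive dependencies. Note too that micromatch's own picomatch request is rewritten by the picomatch override in this PR, so the 2.x-to-4.x concern raised for the picomatch entry applies to this block as well.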
micromatch lockfile entry lost its required dependencies
Medium Severity
The [email protected] lockfile entry had its dependencies section (braces and picomatch) removed entirely. The npm package [email protected] requires both braces@^3.0.3 and picomatch@^2.3.1. Without these listed in the lockfile, yarn may not install them as transitive dependencies of micromatch, causing runtime failures when glob matching is used.
Reviewed by Cursor Bugbot for commit d2fa10a.
| "minimatch": "10.2.3" | ||
| "minimatch": "10.2.3", | ||
| "lodash": "4.18.0", | ||
| "lodash-es": "4.18.0", |
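Review bot: these are exact pins ("4.18.0"), so every later lodash patch release, including the 4.18.1 fix that the review comments on this page cite, needs another resolutions change before it is picked up. Both npm overrides and Yarn resolutions accept a semver range, so a floor such as `"lodash": "^4.18.1"` would keep the vulnerable versions out while letting `yarn install` advance within 4.18.x; if exact pins are preferred for reproducibility, record in the PR description which advisory each pin closes so the next bump can be checked against it.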
Lodash pinned to version with known ReferenceError bug
Medium Severity
Both lodash and lodash-es are pinned to 4.18.0, which has a known ReferenceError bug in the template and fromPairs functions (caused by missing internal dependency imports in modular builds). Version 4.18.1, released the day after on April 1, 2026, fixes this defect while retaining all the same security patches. Pinning to 4.18.0 instead of 4.18.1 risks runtime crashes if any transitive dependency uses those affected functions.
Reviewed by Cursor Bugbot for commit d2fa10a.
Remove [email protected] resolution — express@4 (webpack-dev-server) uses the 0.1.x API and would crash with v8. Bump undici resolution from 6.24.0 to 7.22.0 to match @angular/build@21's exact version requirement. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
| "basic-ftp": "5.2.2", | ||
| "fast-uri": "3.1.2", | ||
| "@babel/plugin-transform-modules-systemjs": "7.29.4", | ||
| "picomatch": "4.0.4" |
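Review bot: the `"picomatch": "4.0.4"` key has no path prefix, so it rewrites every picomatch request in the tree, including the ^2.x ones from anymatch, readdirp and micromatch named in the review comments above. Yarn resolutions accept path selectors such as `"**/anymatch/picomatch"` and npm overrides accept nested objects, so the override can be scoped to the dependants that already request 4.x; for the 2.x dependants, either point a scoped entry at whatever 2.x release the advisory behind this pin names as fixed, or leave them unpinned if that advisory does not cover 2.x at all.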
Picomatch 2.x consumers forced to incompatible 4.x
High Severity
The "picomatch": "4.0.4" resolution forces all picomatch ranges — including ^2.0.4 and ^2.2.1 — to resolve to version 4.0.4. Packages like anymatch, readdirp, and micromatch declare picomatch@^2.x dependencies but now receive a major-version-incompatible 4.x. Picomatch 4.x has known breaking changes (removed process global, changed flags option type). This can cause runtime failures in file watching (chokidar/readdirp) and glob matching (micromatch/anymatch) used by webpack and other build tools.
Reviewed by Cursor Bugbot for commit 5d7188f.
| "lodash-es": "4.18.0", | ||
| "@xmldom/xmldom": "0.8.13", | ||
| "flatted": "3.4.2", | ||
| "serialize-javascript": "7.0.3", |
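Review bot: the `"serialize-javascript": "7.0.3"` pin needs to be compared with what the lockfile already resolved for the ^7.0.3 consumers before it is applied; the review comment on this page says that was 7.0.4, so an exact pin here moves a dependant backwards. For every package in this resolutions block, check the chosen pin against the current lockfile version and never pin below it; pinning the newest patched release, or using a `>=` floor, avoids this class of regression.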
serialize-javascript downgraded from 7.0.4 to 7.0.3
Medium Severity
The resolution pins serialize-javascript to 7.0.3, but the lockfiles previously had 7.0.4 installed for ^7.0.3 consumers. Version 7.0.4 contained additional security improvements beyond the RCE fix in 7.0.3. A PR aiming to fix security vulnerabilities is downgrading a package that already had a newer security patch applied. Pinning to 7.0.4 or later would be more appropriate.
Reviewed by Cursor Bugbot for commit 5d7188f.
Previous yarn install accidentally stripped micromatch's dependencies block, causing 'Cannot find module braces' in CI. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 6 total unresolved issues (including 5 from previous reviews).
Reviewed by Cursor Bugbot for commit c833dcd.
| "test-exclude": "7.0.1", | ||
| "lodash": "4.17.23" | ||
| "lodash": "4.18.0", | ||
| "lodash-es": "4.18.0", |
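Review bot: the removed `"lodash": "4.17.23"` line shows a lodash override already existed in this file, so this hunk is a bump rather than a new pin, and it lands on 4.18.0, which two review comments on this page flag for ReferenceError regressions in _.template() and _.fromPairs() that 4.18.1 fixes. Bump both the lodash and lodash-es entries to 4.18.1 (or the current 4.18.x) in the same change, and apply the same version in the other example apps' overrides so the pins do not diverge across the repo.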
Lodash 4.18.0 has known ReferenceError bugs
High Severity
lodash and lodash-es are pinned to 4.18.0, a version with confirmed bugs causing ReferenceError exceptions in _.template() (missing assignWith import) and _.fromPairs() (missing baseAssignValue import). Version 4.18.1, released the following day, fixes these issues. Any transitive dependency invoking these functions will crash at runtime.
Reviewed by Cursor Bugbot for commit c833dcd.


📢 Type of change
📜 Description
Pins vulnerable transitive dependencies to safe versions across all example apps (ionic-angular-v7, ionic-angular-v8, ionic-vue3) and the root package by adding resolutions/overrides entries.
Packages pinned:
- lodash → 4.18.0
- lodash-es → 4.18.0
- @xmldom/xmldom → 0.8.13
- flatted → 3.4.2
- serialize-javascript → 7.0.3
- node-forge → 1.4.0
- basic-ftp → 5.2.2
- fast-uri → 3.1.2
- @babel/plugin-transform-modules-systemjs → 7.29.4
- picomatch → 4.0.4
- undici → 6.24.0 (ionic-angular-v8 only)
- path-to-regexp → 8.4.0 (ionic-angular-v8 only)
- tar → 7.5.11 (ionic-vue3 only)
- systeminformation → 5.31.6 (ionic-vue3 only)
- axios → 1.15.2 (root only)
💡 Motivation and Context
GitHub Dependabot flagged 123 vulnerabilities on the repo's default branch. This PR silences security warnings from vulnerable transitive dependencies by pinning them to known-safe versions.
💚 How did you test it?
Verified the yarn.lock files resolve to the pinned versions after running yarn install.
📝 Checklist
sendDefaultPII is enabled
🔮 Next steps
Monitor Dependabot to confirm the vulnerability count drops after merge.
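The testing note above says the lockfiles were checked by eye after `yarn install`. The script below is an added example, not code from this PR or from the project, that automates that check for a Yarn v1 lockfile and also catches the semver-major collapse the review comments describe: it parses the `resolutions` map and the lockfile, reports any pinned package whose lockfile entry carries a different version than the pin, reports any dependant range whose major differs from the pin's major (the picomatch ^2.x to 4.0.4 case), and reports pins that nothing in the lockfile requests. The lockfile text and resolutions map embedded in it are constructed samples, and the function names (parseYarnLock, splitSpec, packageNameFromSelector, rangeMajor, checkResolutions) are this example's own.

```javascript
// Stand-alone check of Yarn v1 "resolutions" pins against yarn.lock.
// Added example: not code from this PR or the project. Function names are this
// example's own; the lockfile and resolutions below are constructed samples.

// Parse the Yarn v1 lockfile format. Each entry is an unindented header such as
//   picomatch@^2.0.4, picomatch@^4.0.3:
// followed by two-space-indented fields; only `version "..."` is needed here.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line
        .replace(/:\s*$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"(.*)"$/, '$1'))
        .map(splitSpec);
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = /^  version "([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// "@xmldom/xmldom@^0.8.5" -> { name: "@xmldom/xmldom", range: "^0.8.5" }
// (lastIndexOf keeps the leading "@" of a scoped package with the name).
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// Bare package name of a resolutions selector: "picomatch", "**/anymatch/picomatch",
// "@xmldom/xmldom" and "**/@xmldom/xmldom" all map to the package they pin.
function packageNameFromSelector(selector) {
  const parts = selector.split('/');
  const last = parts[parts.length - 1];
  const prev = parts[parts.length - 2];
  return prev && prev.startsWith('@') ? `${prev}/${last}` : last;
}

// Major version an exact, caret or tilde range can resolve to. Returns null for
// ranges this check cannot judge by major alone (>=, <, ||, hyphen ranges, *, x).
function rangeMajor(range) {
  const r = range.trim();
  if (r === '' || /[<>|]| - |^\*$|^x$|^latest$/i.test(r)) return null;
  const m = /^[\^~=v]*\s*(\d+)/.exec(r);
  return m ? Number(m[1]) : null;
}

// Compare each pin with the lockfile. Pins are assumed to be exact versions, as in
// the PR; a range pin would need a semver library to test satisfaction. Findings:
//   unpinned       lockfile entry resolved to something other than the pin
//   major-collapse a dependant's range has a different major than the pin
//   unused         no lockfile entry requests the package (dead override)
function checkResolutions(resolutions, lockText) {
  const entries = parseYarnLock(lockText);
  const findings = [];
  for (const [selector, pinned] of Object.entries(resolutions)) {
    const name = packageNameFromSelector(selector);
    const pinnedMajor = rangeMajor(pinned);
    const matching = entries.filter((e) => e.specs.some((s) => s.name === name));
    if (matching.length === 0) {
      findings.push({ package: name, kind: 'unused', detail: `no lockfile entry requests ${name}` });
      continue;
    }
    for (const entry of matching) {
      if (entry.version !== pinned) {
        findings.push({ package: name, kind: 'unpinned', detail: `lockfile has ${entry.version}, pin is ${pinned}` });
      }
      for (const spec of entry.specs) {
        const major = rangeMajor(spec.range);
        if (spec.name === name && major !== null && pinnedMajor !== null && major !== pinnedMajor) {
          findings.push({ package: name, kind: 'major-collapse', detail: `${spec.range} forced to ${pinned}` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: the state before `yarn install` re-resolves it.
const SAMPLE_LOCK = `# yarn lockfile v1

"@xmldom/xmldom@^0.8.5":
  version "0.8.13"

lodash@^4.17.21, lodash@4.18.0:
  version "4.18.0"

picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^4.0.2, picomatch@^4.0.3:
  version "4.0.4"

serialize-javascript@^7.0.3:
  version "7.0.4"
`;

// Constructed sample resolutions map, shaped like the PR's package.json entries.
const SAMPLE_RESOLUTIONS = {
  lodash: '4.18.0',
  '@xmldom/xmldom': '0.8.13',
  picomatch: '4.0.4',
  'serialize-javascript': '7.0.3',
  tar: '7.5.11',
};

for (const f of checkResolutions(SAMPLE_RESOLUTIONS, SAMPLE_LOCK)) {
  console.log(`${f.kind.padEnd(14)} ${f.package}: ${f.detail}`);
}
```

To run it against a real checkout, replace the two samples with `fs.readFileSync('yarn.lock', 'utf8')` and the `resolutions` object read from package.json. A major-collapse finding means the override is doing to a dependant what the picomatch entry above does; an unpinned finding means `yarn install` has not been run since the pin was added, or the selector does not match the package; an unused finding is an override that can be deleted.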