fix(deps): pin vulnerable transitive dependencies #1250
Add resolutions/overrides to pin lodash, lodash-es, @xmldom/xmldom, flatted, serialize-javascript, node-forge, basic-ftp, fast-uri, picomatch, undici, path-to-regexp, tar, systeminformation, axios, and @babel/plugin-transform-modules-systemjs to non-vulnerable versions. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
| version "4.0.8" | ||
| resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.8.tgz#d66fa18f3a47076789320b9b1af32bd86d9fa202" | ||
| integrity sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA== | ||
| dependencies: |
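Review bot: the `dependencies:` key on the last line of this entry has nothing under it, so the lockfile now declares no transitive dependencies for micromatch 4.0.8 at all; the later commits on this PR say it needs `braces` and `picomatch`, and the missing `braces` is what produced 'Cannot find module braces' in CI. Restore the two lines under `dependencies:` rather than leaving a dangling key, and run CI installs with `yarn install --frozen-lockfile` so a lockfile that yarn would need to rewrite fails the install step instead of being silently regenerated (which is how the block was lost in the first place).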
micromatch lockfile entry lost its required dependencies
Medium Severity
The micromatch@4.0.8 lockfile entry had its dependencies section (braces and picomatch) removed entirely. The npm package micromatch@4.0.8 requires both braces@^3.0.3 and picomatch@^2.3.1. Without these listed in the lockfile, yarn may not install them as transitive dependencies of micromatch, causing runtime failures when glob matching is used.
Reviewed by Cursor Bugbot for commit d2fa10a.
Remove path-to-regexp@8.4.0 resolution — express@4 (webpack-dev-server) uses the 0.1.x API and would crash with v8. Bump undici resolution from 6.24.0 to 7.22.0 to match @angular/build@21's exact version requirement. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Previous yarn install accidentally stripped micromatch's dependencies block, causing 'Cannot find module braces' in CI. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
- Bump lodash/lodash-es from 4.18.0 to 4.18.1 (fixes ReferenceError bugs in template/fromPairs)
- Bump serialize-javascript from 7.0.3 to 7.0.4 across angular example apps
- Remove picomatch override to avoid forcing incompatible v4 on v2 consumers (anymatch, readdirp, micromatch)
Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Commit 4750206 removed picomatch from micromatch's deps block but accidentally took braces with it, causing 'Cannot find module braces' in CI. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
[email protected] (pinned to fix RCE CVE) requires Node >=20. Adding the engines field makes the constraint explicit so local builds on older Node fail with a clear message instead of silently during webpack minification. Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 21be112.
| "basic-ftp": "5.2.2", | ||
| "fast-uri": "3.1.2", | ||
| "@babel/plugin-transform-modules-systemjs": "7.29.4", | ||
| "undici": "7.22.0" |
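Review bot: `"undici": "7.22.0"` on the last line disagrees with the PR description, which lists undici pinned to 6.24.0 for ionic-angular-v8, and a later commit message explains the bump as matching @angular/build@21's exact requirement; update the description or the override so the two agree, and re-check the version that is finally chosen against the advisory feed this PR is meant to clear (the Dependabot view) before merging, because an override only helps if the resolved version is one the audit considers fixed.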
Undici pinned to still-vulnerable version 7.22.0
High Severity
The undici resolution is pinned to 7.22.0, which is still affected by multiple high-severity CVEs (CVE-2026-1528, CVE-2026-2229, CVE-2026-1526, among others). The security fixes for the v7 line are in 7.24.0. The PR description itself mentions pinning to 6.24.0, but the code uses 7.22.0 instead — neither matching the stated intent nor actually resolving the vulnerabilities.
Reviewed by Cursor Bugbot for commit 21be112.

Let's fix the remaining issues in a separate PR.


📜 Description
Pins vulnerable transitive dependencies to safe versions across all example apps (ionic-angular-v7, ionic-angular-v8, ionic-vue3) and the root package by adding resolutions/overrides entries.

Packages pinned:
- lodash → 4.18.0
- lodash-es → 4.18.0
- @xmldom/xmldom → 0.8.13
- flatted → 3.4.2
- serialize-javascript → 7.0.3
- node-forge → 1.4.0
- basic-ftp → 5.2.2
- fast-uri → 3.1.2
- @babel/plugin-transform-modules-systemjs → 7.29.4
- picomatch → 4.0.4
- undici → 6.24.0 (ionic-angular-v8 only)
- path-to-regexp → 8.4.0 (ionic-angular-v8 only)
- tar → 7.5.11 (ionic-vue3 only)
- systeminformation → 5.31.6 (ionic-vue3 only)
- axios → 1.15.2 (root only)

💡 Motivation and Context
GitHub Dependabot flagged 123 vulnerabilities on the repo's default branch. This PR silences security warnings from vulnerable transitive dependencies by pinning them to known-safe versions.
💚 How did you test it?
Verified the yarn.lock files resolve to the pinned versions after running yarn install.

🔮 Next steps
Monitor Dependabot to confirm the vulnerability count drops after merge.
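The "How did you test it?" step above (verifying that yarn.lock resolves to the pinned versions) and the micromatch lockfile problem raised in review can both be checked mechanically. The script below is an added example, not code from this PR or from the project: it parses a yarn v1 (classic) lockfile, compares the resolved version of each package named under package.json resolutions with the pin, and checks that a lockfile entry still declares the dependencies its package requires. The lockfile text, the resolutions map and the required-dependency map are constructed samples; the version numbers in them are taken from this conversation and are not claims about the real files. Assumed helper names: parseYarnLock, checkResolutions, checkRequiredDeps.

```javascript
// Added example (not the PR's or the project's code). Checks a yarn v1 lockfile
// against package.json "resolutions" pins and against the dependencies each
// pinned package is known to require. All inputs below are constructed samples.

const SAMPLE_RESOLUTIONS = {
  "lodash": "4.18.0",
  "**/serialize-javascript": "7.0.3", // glob-prefixed selector form yarn accepts
  "undici": "6.24.0",                  // description says 6.24.0; lockfile below has 7.22.0
};

// Constructed yarn v1 lockfile. micromatch's dependencies block is missing,
// mirroring the review finding above.
const SAMPLE_LOCKFILE = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

lodash@^4.17.21:
  version "4.18.0"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.18.0.tgz#constructed"
  integrity sha512-constructed

micromatch@^4.0.0, micromatch@^4.0.8:
  version "4.0.8"
  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.8.tgz#constructed"
  integrity sha512-constructed

randombytes@^2.1.0:
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/randombytes/-/randombytes-2.1.0.tgz#constructed"
  integrity sha512-constructed

serialize-javascript@^6.0.0:
  version "7.0.3"
  resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-7.0.3.tgz#constructed"
  integrity sha512-constructed
  dependencies:
    randombytes "^2.1.0"

undici@^7.0.0:
  version "7.22.0"
  resolved "https://registry.yarnpkg.com/undici/-/undici-7.22.0.tgz#constructed"
  integrity sha512-constructed
`;

// What each package's own manifest requires (constructed here; in practice read
// from node_modules/<pkg>/package.json after install or from the registry).
const SAMPLE_REQUIRED_DEPS = {
  "micromatch@4.0.8": ["braces", "picomatch"],
  "serialize-javascript@7.0.3": ["randombytes"],
};

// "@scope/name@^1.0.0" -> "@scope/name"; "name@^1.0.0" -> "name"
function selectorName(selector) {
  const at = selector.lastIndexOf("@");
  return at > 0 ? selector.slice(0, at) : selector;
}

// Parse yarn v1 lockfile text into [{ name, version, dependencies }, ...].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Entry header: comma-separated selectors, each optionally quoted, ending in ":".
      const selectors = line.replace(/:$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { name: selectorName(selectors[0]), version: null, dependencies: Object.create(null) };
      entries.push(current);
      inDeps = false;
      continue;
    }
    if (!current) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 2) {
      inDeps = body === "dependencies:" || body === "optionalDependencies:";
      const m = body.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps) {
      const m = body.match(/^"?([^"\s]+)"? "([^"]+)"$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Every entry for a pinned package must have resolved to exactly the pinned version.
function checkResolutions(resolutions, entries) {
  const problems = [];
  for (const [selector, expected] of Object.entries(resolutions)) {
    const name = selector.replace(/^(\*\*\/)+/, ""); // nested "pkg-a/pkg-b" selectors not handled
    const matching = entries.filter((e) => e.name === name);
    if (matching.length === 0) problems.push({ name, expected, actual: null });
    for (const e of matching) if (e.version !== expected) problems.push({ name, expected, actual: e.version });
  }
  return problems;
}

// Each required dependency must be declared in the entry and itself resolved somewhere.
function checkRequiredDeps(entries, requiredDeps) {
  const byId = new Map(entries.map((e) => [`${e.name}@${e.version}`, e]));
  const names = new Set(entries.map((e) => e.name));
  const problems = [];
  for (const [id, required] of Object.entries(requiredDeps)) {
    const entry = byId.get(id);
    if (!entry) { problems.push({ entry: id, dep: null, problem: "no lockfile entry" }); continue; }
    for (const dep of required) {
      if (!(dep in entry.dependencies)) problems.push({ entry: id, dep, problem: "not declared in lockfile entry" });
      else if (!names.has(dep)) problems.push({ entry: id, dep, problem: "declared but has no lockfile entry" });
    }
  }
  return problems;
}

const lockEntries = parseYarnLock(SAMPLE_LOCKFILE);
console.log("resolution mismatches:", checkResolutions(SAMPLE_RESOLUTIONS, lockEntries));
console.log("dependency problems:", checkRequiredDeps(lockEntries, SAMPLE_REQUIRED_DEPS));
```

On the constructed sample this reports undici resolved to 7.22.0 against a 6.24.0 pin, and braces and picomatch missing from the micromatch 4.0.8 entry, which are the two findings raised in review. To use it on a real checkout, read package.json resolutions and yarn.lock from disk and build the required-dependency map from each installed package's own package.json; running it in CI turns "verified by eye after yarn install" into a failing check.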