@@ -37,14 +37,27 @@ function readPackage(packageJson, context) {
3737 // Security overrides for transitive dependencies (high/critical vulnerabilities).
3838 // Each entry targets a specific major version line to avoid breaking cross-major deps.
3939 const securityOverrides = [
40- { pkg : 'form-data' , major : '4' , minSafe : '>=4.0.4 <5.0.0' } , // GHSA-fjxv-7rqg-78g4 (critical)
41- { pkg : 'axios' , major : '1' , minSafe : '>=1.12.0 <2.0.0' } , // GHSA-4hjh-wcwx-xvwj, GHSA-jr5f-v2jv-69x6 (high)
42- { pkg : 'tar-fs' , major : '2' , minSafe : '>=2.1.4 <3.0.0' } , // GHSA-vj76-c3g6-qr5v, GHSA-8cj5-5rvv-wf4v (high)
43- { pkg : 'glob' , major : '10' , minSafe : '>=10.5.0 <11.0.0' } , // GHSA-5j98-mcp5-4vw2 (high)
44- { pkg : 'qs' , major : '6' , minSafe : '>=6.14.1 <7.0.0' } , // GHSA-6rw7-vpxm-498p (high)
45- { pkg : 'jws' , major : '3' , minSafe : '>=3.2.3 <4.0.0' } , // GHSA-869p-cjfg-cm3x (high)
46- { pkg : 'jws' , major : '4' , minSafe : '>=4.0.1 <5.0.0' } , // GHSA-869p-cjfg-cm3x (high)
47- { pkg : 'undici' , major : '7' , minSafe : '>=7.24.0 <8.0.0' } , // GHSA-f269, GHSA-vrm6, GHSA-v9p9 (high)
40+ { pkg : 'form-data' , major : '4' , minSafe : '>=4.0.4 <5.0.0' } , // GHSA-fjxv-7rqg-78g4 (critical)
41+ { pkg : 'axios' , major : '1' , minSafe : '>=1.12.0 <2.0.0' } , // GHSA-4hjh-wcwx-xvwj, GHSA-jr5f-v2jv-69x6 (high)
42+ { pkg : 'tar-fs' , major : '2' , minSafe : '>=2.1.4 <3.0.0' } , // GHSA-vj76-c3g6-qr5v, GHSA-8cj5-5rvv-wf4v (high)
43+ { pkg : 'glob' , major : '10' , minSafe : '>=10.5.0 <11.0.0' } , // GHSA-5j98-mcp5-4vw2 (high)
44+ { pkg : 'qs' , major : '6' , minSafe : '>=6.15.2 <7.0.0' } , // GHSA-q8mj-m7cp-5q26 (moderate)
45+ { pkg : 'jws' , major : '3' , minSafe : '>=3.2.3 <4.0.0' } , // GHSA-869p-cjfg-cm3x (high)
46+ { pkg : 'jws' , major : '4' , minSafe : '>=4.0.1 <5.0.0' } , // GHSA-869p-cjfg-cm3x (high)
47+ { pkg : 'undici' , major : '7' , minSafe : '>=7.24.0 <8.0.0' } , // GHSA-f269, GHSA-vrm6, GHSA-v9p9 (high)
48+ { pkg : 'shell-quote' , major : '1' , minSafe : '>=1.8.4 <2.0.0' } , // GHSA-58qx-3vcg-4xpx (critical)
49+ { pkg : 'tar' , major : '6' , minSafe : '>=6.2.1 <7.0.0' } , // CVE-2024-28863 etc.
50+ { pkg : 'tar' , major : '7' , minSafe : '>=7.5.11 <8.0.0' } , // GHSA series on tar 7.x (high)
51+ { pkg : 'serialize-javascript' , major : '6' , minSafe : '>=6.0.2 <7.0.0' } , // GHSA-76p7-773f-r4q5 (moderate)
52+ { pkg : 'serialize-javascript' , major : '7' , minSafe : '>=7.0.5 <8.0.0' } , // GHSA on 7.x (high)
53+ { pkg : 'flatted' , major : '3' , minSafe : '>=3.4.2 <4.0.0' } , // GHSA on flatted (high)
54+ { pkg : 'minimatch' , major : '5' , minSafe : '>=5.1.8 <6.0.0' } , // GHSA series on minimatch 5 (high)
55+ { pkg : 'brace-expansion' , major : '5' , minSafe : '>=5.0.6 <6.0.0' } , // GHSA-jxxr-4gwj-5jf2 (moderate)
56+ { pkg : 'ws' , major : '8' , minSafe : '>=8.20.1 <9.0.0' } , // GHSA on ws 8.x (moderate)
57+ { pkg : 'nanoid' , major : '3' , minSafe : '>=3.3.8 <4.0.0' } , // GHSA on nanoid (moderate); replaces prior >=3.1.31 pin
58+ { pkg : 'js-yaml' , major : '4' , minSafe : '>=4.1.1 <5.0.0' } , // GHSA on js-yaml (moderate)
59+ { pkg : 'yaml' , major : '1' , minSafe : '>=1.10.3 <2.0.0' } , // GHSA on yaml 1.x (moderate)
60+ { pkg : 'follow-redirects' , major : '1' , minSafe : '>=1.16.0 <2.0.0' } , // GHSA on follow-redirects (moderate)
4861 ] ;
4962
5063 for ( const { pkg, major, minSafe } of securityOverrides ) {
0 commit comments