From 6a007def0a1c6917801fcafffbd2231b312cb744 Mon Sep 17 00:00:00 2001
From: gusthoff
Date: Sat, 25 Apr 2026 01:57:43 +0200
Subject: [PATCH] Frontend: fix Dependabot security alerts (follow-redirects, picomatch, uuid)
Add yarn resolutions to force patched versions of three more vulnerable transitive dependencies (all introduced via webpack-dev-server):
- follow-redirects 1.16.0 (custom auth headers leaked on cross-domain redirects)
- picomatch 4.0.4 (method injection via POSIX character class bracket expressions)
- uuid 14.0.0 (missing bounds check in v3/v5/v6 with caller-provided buffer)
Note: uuid is used by webpack-dev-server; manual dev-server smoke test recommended since the test suite does not exercise it.
Co-Authored-By: Claude Sonnet 4.6
---
 frontend/package.json | 5 ++++-
 frontend/yarn.lock | 33 +++++++++++++--------------------
 2 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index e4ad94490..4383e8596 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -86,7 +86,10 @@
 "whatwg-url": "^14",
 "lodash": "4.18.1",
 "serialize-javascript": "7.0.5",
- "globule/minimatch": "3.1.5"
+ "globule/minimatch": "3.1.5",
+ "follow-redirects": "1.16.0",
+ "picomatch": "4.0.4",
+ "uuid": "14.0.0"
 },
 "scripts": {
 "dev": "webpack serve --open --config webpack.dev.cjs --mode=development",
diff --git a/frontend/yarn.lock b/frontend/yarn.lock
index ee1c1e881..ca4d61afc 100644
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
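Review bot: The added `"picomatch": "4.0.4"` and `"uuid": "14.0.0"` entries are unscoped, so they rewrite every descriptor for those packages in the tree rather than only webpack-dev-server's — the yarn.lock hunks show the `picomatch@npm:^2.0.4, ^2.2.1, ^2.3.1` and `uuid@npm:^8.3.2` descriptors being redirected onto major versions their dependents never declared (follow-redirects stays inside its `^1.0.0` range, so it is less of a concern). The line kept just above, `"globule/minimatch": "3.1.5"`, shows the scoped `"<dependent>/<package>"` form this file already uses; `"webpack-dev-server/uuid": "14.0.0"` (and a similarly scoped entry for picomatch's vulnerable path, found via `yarn why picomatch`) would apply the advisory fix where it is needed without moving unrelated consumers across majors. If the tree-wide override is deliberate, the commit message should name which other dependents of picomatch 2.x and uuid 8.x were checked, since it currently only recommends a dev-server smoke test. The enclosing `resolutions` object opens before this hunk, so I could not confirm whether another scoped entry for these packages already exists.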
@@ -5409,13 +5409,13 @@ __metadata:
 languageName: node
 linkType: hard
-"follow-redirects@npm:^1.0.0":
- version: 1.15.11
- resolution: "follow-redirects@npm:1.15.11"
+"follow-redirects@npm:1.16.0":
+ version: 1.16.0
+ resolution: "follow-redirects@npm:1.16.0"
 peerDependenciesMeta:
 debug:
 optional: true
- checksum: 10c0/d301f430542520a54058d4aeeb453233c564aaccac835d29d15e050beb33f339ad67d9bddbce01739c5dc46a6716dbe3d9d0d5134b1ca203effa11a7ef092343
+ checksum: 10c0/a1e2900163e6f1b4d1ed5c221b607f41decbab65534c63fe7e287e40a5d552a6496e7d9d7d976fa4ba77b4c51c11e5e9f683f10b43011ea11e442ff128d0e181
 languageName: node
 linkType: hard
@@ -7960,17 +7960,10 @@ __metadata:
 languageName: node
 linkType: hard
-"picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.3.1":
- version: 2.3.2
- resolution: "picomatch@npm:2.3.2"
- checksum: 10c0/a554d1709e59be97d1acb9eaedbbc700a5c03dbd4579807baed95100b00420bc729335440ef15004ae2378984e2487a7c1cebd743cfdb72b6fa9ab69223c0d61
- languageName: node
- linkType: hard
-
-"picomatch@npm:^4.0.3":
- version: 4.0.3
- resolution: "picomatch@npm:4.0.3"
- checksum: 10c0/9582c951e95eebee5434f59e426cddd228a7b97a0161a375aed4be244bd3fe8e3a31b846808ea14ef2c8a2527a6eeab7b3946a67d5979e81694654f939473ae2
+"picomatch@npm:4.0.4":
+ version: 4.0.4
+ resolution: "picomatch@npm:4.0.4"
+ checksum: 10c0/e2c6023372cc7b5764719a5ffb9da0f8e781212fa7ca4bd0562db929df8e117460f00dff3cb7509dacfc06b86de924b247f504d0ce1806a37fac4633081466b0
 languageName: node
 linkType: hard
@@ -10114,12 +10107,12 @@ __metadata:
 languageName: node
 linkType: hard
-"uuid@npm:^8.3.2":
- version: 8.3.2
- resolution: "uuid@npm:8.3.2"
+"uuid@npm:14.0.0":
+ version: 14.0.0
+ resolution: "uuid@npm:14.0.0"
 bin:
- uuid: dist/bin/uuid
- checksum: 10c0/bcbb807a917d374a49f475fae2e87fdca7da5e5530820ef53f65ba1d12131bd81a92ecf259cc7ce317cbe0f289e7d79fdfebcef9bfa3087c8c8a2fa304c9be54
+ uuid: dist-node/bin/uuid
+ checksum: 10c0/a57ae7794c45005c1a9208989196c5baf79a7679c30f43c1bee9033a2c4d113a2cea216fa6fcc9663b08b0d55635df1a7c6eb7e7f3d21c3e50688c698fa39a50
 languageName: node
 linkType: hard