security: fix vulnerable transitive npm dependencies#346

Merged
ruvnet merged 1 commit into ruvnet:main from BAS-More:fix/security-deps-update
Apr 20, 2026

@Avi-Bendetsky
Contributor

Summary

Context

These were flagged by Dependabot in the downstream consumer BAS-More/RuView which uses ruvector as a git submodule.

Test plan

  • cd npm && npm install resolves without errors
  • npm audit shows no high/critical vulnerabilities from overridden packages

🤖 Generated with claude-flow

Pins node-forge>=1.4.0, flatted>=3.3.3, picomatch>=4.0.3,
lodash>=4.17.22, brace-expansion>=2.0.2 via package.json overrides
to resolve Dependabot alerts downstream in BAS-More/RuView.

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet ruvnet merged commit 9ad08d3 into ruvnet:main Apr 20, 2026
@ruvnet
Owner

ruvnet commented Apr 20, 2026

Thanks @Avi-Bendetsky — clean security fix, merged! 🔒

ruvnet added a commit that referenced this pull request Apr 20, 2026
Bump consumer-facing npm packages after adding overrides for
vulnerable transitive deps (node-forge, flatted, picomatch, lodash,
brace-expansion). Thanks @Avi-Bendetsky for the fix.

Co-Authored-By: claude-flow <ruv@ruv.net>
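
A check that complements the test plan in this pull request, as an added example that is not code from the pull request or the ruvector project: it walks a parsed `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy, nested ones included, that is still below the floors named in the commit message. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Floors are the minimums named in the commit message on this page.
const FLOORS = {
  "node-forge": "1.4.0", "flatted": "3.3.3", "picomatch": "4.0.3",
  "lodash": "4.17.22", "brace-expansion": "2.0.2",
};

// "1.2.3" or "1.2.3-beta.1" -> [1, 2, 3]; prerelease and build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` is strictly lower than `floor`.
function isBelow(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// `lock` is a parsed package-lock.json whose "packages" map is keyed by install
// path, e.g. "node_modules/glob/node_modules/brace-expansion" for a nested copy.
function findBelowFloor(lock, floors = FLOORS) {
  const marker = "node_modules/";
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !entry.version) continue; // root project or link entry
    const name = path.slice(idx + marker.length);
    if (Object.hasOwn(floors, name) && isBelow(entry.version, floors[name])) {
      violations.push({ path, name, version: entry.version, floor: floors[name] });
    }
  }
  return violations;
}

// Constructed sample lockfile, not taken from the repository.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example", version: "0.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/glob/node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/flatted": { version: "3.3.3" },
  },
};

console.log(findBelowFloor(SAMPLE_LOCK)); // lists the lodash and brace-expansion entries
```

Run against the lockfile produced by the `cd npm && npm install` step, a non-empty result means an override did not take effect for some nested copy.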