
fix(security): update flatted override to >=3.4.2 #3010

Merged
marcusrbrown merged 1 commit into main from security/flatted-3.4.2-override
Mar 24, 2026

Conversation

@fro-bot fro-bot commented Mar 22, 2026

Summary

Addresses GHSA-7rjr-3q8v-gx5v (HIGH severity) - Prototype Pollution via parse() in flatted.

Vulnerability: A regular expression in the parse() function of flatted version <= 3.4.1 can be exploited for prototype pollution, potentially allowing attackers to modify the global object prototype, leading to denial of service or arbitrary code execution.

Fix: Updates the pnpm override from >=3.4.0 to >=3.4.2 to ensure the patched version is used.

Changes

  • Updated pnpm.overrides.flatted from >=3.4.0 to >=3.4.2
  • Regenerated pnpm-lock.yaml

References

Test Plan

  • pnpm check-types passes
  • pnpm lint passes
  • pnpm check-format passes

Addresses GHSA-7rjr-3q8v-gx5v (HIGH severity)
Prototype Pollution via parse() in flatted.

The vulnerability affects versions <= 3.4.1.
This updates the pnpm override from >=3.4.0 to >=3.4.2.
@fro-bot fro-bot force-pushed the security/flatted-3.4.2-override branch from 0d1b94c to 5adb533 on March 24, 2026 05:16
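The advisory this PR addresses is a prototype-pollution bug reached through flatted's parse(). As an added illustration of that vulnerability class (this is not flatted's code and does not reproduce its actual regex defect), the script below shows the classic shape: a parser returns an object carrying a `__proto__` key, a naive deep merge walks into Object.prototype, and a hardened merge copies own keys only and refuses the keys that can steer a write onto a prototype. The payload and the function names (`unsafeMerge`, `safeMerge`, `runUnsafe`, `runSafe`) are constructed for this example.

```javascript
// Added example: the prototype-pollution class that GHSA-7rjr-3q8v-gx5v falls in,
// shown with a generic "parse, then deep-merge" path. This is NOT flatted's code
// and does not reproduce its regex defect; payload and function names are constructed.

// Constructed attacker-controlled input: JSON.parse() yields an object with an
// OWN property literally named "__proto__" (JSON.parse does not treat it specially).
const PAYLOAD = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Vulnerable deep merge: for...in visits the "__proto__" key, and reading
// target["__proto__"] goes through the inherited accessor and returns
// Object.prototype, so the recursive call writes isAdmin onto every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value); // target['__proto__'] === Object.prototype here
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: copy own keys only, refuse the keys that can steer writes to a
// prototype ("__proto__", and the "constructor" -> "prototype" route), and never
// descend into an inherited property of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge the payload into an empty object and report whether an unrelated,
// freshly created object now sees the injected property.
function runUnsafe(json) {
  const result = unsafeMerge({}, JSON.parse(json));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the global damage so the process stays usable
  return { result, polluted };
}

function runSafe(json) {
  const result = safeMerge({}, JSON.parse(json));
  const polluted = ({}).isAdmin === true;
  return { result, polluted };
}

console.log('unsafe merge polluted Object.prototype:', runUnsafe(PAYLOAD).polluted); // true
console.log('safe merge polluted Object.prototype:', runSafe(PAYLOAD).polluted);     // false
```

The `delete Object.prototype.isAdmin` cleanup is only there so the demonstration can be run repeatedly; in a real process there is no reliable way to discover everything a polluted prototype has already influenced, which is why the fix for this class is a patched parser plus a deny-list or `Object.create(null)` targets on the consuming side, not cleanup.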
fro-bot commented Mar 24, 2026

Autohealing Update

Root cause: This PR had diverged from main (3 commits behind).

Fix applied: Rebased branch against main to resolve conflicts and bring the security fix up to date.

Changes:

  • Updated pnpm.overrides.flatted from >=3.4.0 to >=3.4.2 (addresses GHSA-rf6f-7fwh-wjgh)
  • Resolved merge conflict from recent dependency updates on main

Remaining risk: Low - the override correctly pins flatted to the patched version. CI checks should pass after rebase.
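
The "Remaining risk" note rests on the override actually having taken effect, and a pnpm override only changes what is resolved once pnpm-lock.yaml is regenerated. The script below is an added check for that, not the PR's or pnpm's code: it scans lockfile text for every version of a package that appears as an entry key and reports any below the patched version. The two lockfile texts are constructed, and the `  name@version:` entry shape it matches (with any peer-dependency suffix in parentheses ignored) is an assumption about pnpm's lockfile layout.

```javascript
// Added example (not from the PR or the flatted project): confirm that a pnpm
// lockfile no longer resolves a package below a patched version. Both lockfile
// texts are constructed; the "  name@version:" entry shape is an assumption.

// Lockfile regenerated after the override: only the patched release is resolved.
const LOCKFILE_AFTER_OVERRIDE = `lockfileVersion: '9.0'

overrides:
  flatted: '>=3.4.2'

packages:

  flat-cache@4.0.1:
    resolution: {integrity: sha512-constructed}

  flatted@3.4.2:
    resolution: {integrity: sha512-constructed}

snapshots:

  flat-cache@4.0.1:
    dependencies:
      flatted: 3.4.2

  flatted@3.4.2: {}
`;

// Override edited in package.json but the lockfile was not regenerated:
// a stale, vulnerable 3.3.1 is still what would be installed.
const LOCKFILE_STALE = `lockfileVersion: '9.0'

overrides:
  flatted: '>=3.4.2'

packages:

  flat-cache@4.0.1:
    resolution: {integrity: sha512-constructed}

  flatted@3.3.1:
    resolution: {integrity: sha512-constructed}
`;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Split "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts and prerelease tag.
function parseVersion(v) {
  const noBuild = v.split('+')[0];
  const dash = noBuild.indexOf('-');
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const pre = dash === -1 ? null : noBuild.slice(dash + 1);
  return { nums: core.split('.').map((n) => parseInt(n, 10)), pre };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts before the same release; prerelease-vs-prerelease is a string compare.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  if (pa.pre && pb.pre) return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
  return 0;
}

// Every version of pkgName that appears as a two-space-indented entry key,
// e.g. "  flatted@3.4.2:" or "  foo@1.0.0(bar@2.0.0):" (peer suffix dropped).
function resolvedVersions(lockfileText, pkgName) {
  const re = new RegExp(`^  ${escapeRegExp(pkgName)}@([^:\\s(]+)`, 'gm');
  const versions = new Set();
  for (const m of lockfileText.matchAll(re)) versions.add(m[1]);
  return [...versions];
}

// Versions of pkgName in the lockfile that are still below minVersion.
function unpatchedVersions(lockfileText, pkgName, minVersion) {
  return resolvedVersions(lockfileText, pkgName).filter((v) => compareVersions(v, minVersion) < 0);
}

function report(lockfileText, pkgName, minVersion) {
  const bad = unpatchedVersions(lockfileText, pkgName, minVersion);
  return bad.length === 0
    ? `${pkgName}: all resolved versions are >= ${minVersion}`
    : `${pkgName}: still resolving vulnerable version(s) ${bad.join(', ')} (< ${minVersion})`;
}

console.log(report(LOCKFILE_AFTER_OVERRIDE, 'flatted', '3.4.2'));
console.log(report(LOCKFILE_STALE, 'flatted', '3.4.2'));
```

To run it against a real repository, replace the constructed constants with `fs.readFileSync('pnpm-lock.yaml', 'utf8')` and exit non-zero when `unpatchedVersions` returns anything; that makes the override bump a CI gate rather than a belief.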


@marcusrbrown marcusrbrown merged commit 3559154 into main Mar 24, 2026
6 checks passed
@marcusrbrown marcusrbrown deleted the security/flatted-3.4.2-override branch March 24, 2026 05:37

2 participants