Commit a9f8dcb

committed
fix: resolve lodash-es prototype pollution vulnerability (GHSA-xxjr-mmjv-4gpg)
1 parent 3d31fe6 commit a9f8dcb

3 files changed

+54
-53
lines changed

.projenrc.js

Lines changed: 7 additions & 0 deletions
@@ -45,6 +45,13 @@ project.addDevDeps('jest@^29');
4545
project.addDevDeps('ts-jest@^29');
4646
project.addBundledDeps('js-toml@^1.0.2');
4747

48+
// Fix for GHSA-xxjr-mmjv-4gpg: lodash-es prototype pollution vulnerability
49+
// js-toml -> chevrotain -> lodash-es@4.17.21 is vulnerable
50+
// Force chevrotain@11.1.1+ which uses lodash-es@4.17.23 (patched)
51+
project.package.addField('resolutions', {
52+
'chevrotain': '^11.1.1',
53+
});
54+
4855
project.addGitIgnore('target');
4956
project.gitignore.removePatterns('*.tgz');
5057
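Review bot: the new `resolutions` entry pins chevrotain but not the vulnerable package itself, so any other dependency path that still resolves lodash-es@4.17.21 stays unpatched; consider adding `'lodash-es': '^4.17.23'` next to the `'chevrotain': '^11.1.1'` entry, or at least confirm with `yarn why lodash-es` that yarn.lock now contains only 4.17.23. Projen also has `project.package.addPackageResolutions('chevrotain@^11.1.1')` for exactly this purpose, which is clearer than writing the field by hand through `addField`. Keep in mind that `resolutions` is honoured by Yarn only, so an npm-based install of this project would not apply the fix.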

package.json

Lines changed: 1 addition & 2 deletions

yarn.lock

Lines changed: 46 additions & 51 deletions
