Baoyuantop opened a new pull request, #3364: URL: https://github.com/apache/apisix-dashboard/pull/3364
## Description

Resolve all 7 open Dependabot security alerts by adding pnpm overrides for vulnerable transitive dependencies.

### Security Fixes

| Package | Vulnerable Version | Patched Version | Severity | CVE Summary |
|---------|-------------------|----------------|----------|-------------|
| `path-to-regexp` | 8.2.0 | 8.4.2 | high/medium | ReDoS via wildcards and sequential optional groups |
| `brace-expansion` | 5.0.4 | 5.0.5 | medium | Zero-step sequence causes process hang and memory exhaustion |
| `picomatch` | 2.3.1 / 4.0.3 | 4.0.4 | high/medium | ReDoS via extglob quantifiers; method injection in POSIX character classes |

### Changes

- Added `path-to-regexp`, `brace-expansion`, and `picomatch` to `pnpm.overrides` in `package.json`
- Updated `pnpm-lock.yaml` accordingly

### Verification

- `pnpm build` ✅
- `pnpm lint` ✅
- All vulnerable packages resolved to patched versions, verified via `pnpm why`

--
This is an automated message from the Apache Git Service.
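The PR verifies the overrides by eyeballing `pnpm why` output. As an added example (not part of the PR, and not the project's own tooling), the script below does the same check mechanically: it walks the tree printed by `pnpm list --depth Infinity --json` and reports every resolved copy of one of the three packages that is still below the patched floor from the table above. The dependency tree embedded in the block is constructed sample data; the intermediate package names and their nesting are illustrative and not taken from the real lockfile. The function names `findUnpatched` and `compareVersions` are this example's own.

```javascript
// Added example, not code from the apisix-dashboard repository or the PR.
// Patched floors taken from the PR's "Security Fixes" table.
const PATCHED_FLOOR = {
  'path-to-regexp': '8.4.2',
  'brace-expansion': '5.0.5',
  picomatch: '4.0.4',
};

// Compare two dotted numeric versions: -1, 0 or 1. Prerelease suffixes
// (e.g. "-beta.1") are dropped, which is good enough for a floor check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Flatten a `pnpm list --json` dependency map into { name, version, path }
// records, recursing into nested `dependencies` so transitive copies are seen.
function walk(deps, trail, out) {
  for (const [name, node] of Object.entries(deps || {})) {
    const here = [...trail, `${name}@${node.version}`];
    out.push({ name, version: node.version, path: here.join(' > ') });
    walk(node.dependencies, here, out);
  }
  return out;
}

// Return every occurrence of a floored package whose resolved version is
// below its floor. `listJson` is the parsed array from `pnpm list --json`.
function findUnpatched(listJson, floors = PATCHED_FLOOR) {
  const findings = [];
  for (const project of listJson) {
    const nodes = [
      ...walk(project.dependencies, [], []),
      ...walk(project.devDependencies, [], []),
    ];
    for (const n of nodes) {
      const floor = floors[n.name];
      if (floor && compareVersions(n.version, floor) < 0) {
        findings.push({ ...n, floor });
      }
    }
  }
  return findings;
}

// Constructed sample output (assumed shape of `pnpm list --depth Infinity --json`):
// path-to-regexp is already patched, but an old picomatch and an old
// brace-expansion still sit deeper in the tree.
const SAMPLE_LIST = [{
  name: 'sample-project',
  version: '0.0.0',
  path: '/repo',
  dependencies: {
    'path-to-regexp': { from: 'path-to-regexp', version: '8.4.2' },
    'some-glob-lib': {
      from: 'some-glob-lib',
      version: '1.0.0',
      dependencies: {
        'brace-expansion': { from: 'brace-expansion', version: '5.0.4' },
      },
    },
  },
  devDependencies: {
    'some-build-tool': {
      from: 'some-build-tool',
      version: '2.0.0',
      dependencies: {
        'some-matcher': {
          from: 'some-matcher',
          version: '4.0.8',
          dependencies: {
            picomatch: { from: 'picomatch', version: '2.3.1' },
          },
        },
      },
    },
  },
}];

// Stand-alone usage: `pnpm list --depth Infinity --json | node check.js`
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const input = process.stdin.isTTY ? SAMPLE_LIST : JSON.parse(fs.readFileSync(0, 'utf8'));
  const bad = findUnpatched(input);
  for (const f of bad) console.log(`${f.name}@${f.version} < ${f.floor}: ${f.path}`);
  process.exitCode = bad.length ? 1 : 0;
}
```

Run it after `pnpm install` on the branch; an empty result means every copy in the tree, including ones pulled in transitively, is at or above the floor. One caveat worth keeping in mind with this kind of override: a bare key such as `"picomatch": "4.0.4"` in `pnpm.overrides` rewrites every `picomatch` requirement in the tree, so packages that declared a `2.x` range now receive the `4.x` API; pnpm also accepts range-scoped keys like `"picomatch@^2": "..."` when a narrower override is wanted. That is a general pnpm behaviour, not a claim about what this PR chose.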
