* security: force lodash-es 4.18.0 for transitive dependencies

  PR #225 bumped the direct lodash-es dependency to 4.18.0, but @anthropic-ai/sandbox-runtime still pulled lodash-es@4.17.23 via its own ^4.17.23 range. The transitive copy was vulnerable to:

  - HIGH: Code Injection via _.template (GHSA-r5fr-rjxr-66jc)
  - MODERATE: Prototype Pollution via _.unset/_.omit (GHSA-f23m-r3pf-42rh)

  Added overrides field in package.json to force all copies to 4.18.0. bun audit now reports zero vulnerabilities.

* fix: use lodash-es 4.18.1 instead of deprecated 4.18.0

  lodash-es 4.18.0 is explicitly deprecated by the maintainer with the message "Bad release. Please use lodash-es@4.17.23 instead." Updated both the direct dependency and the override to 4.18.1, which is the latest non-deprecated release that patches the CVEs.
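The situation the commits describe, as an added example that is not the project's code: a constructed dependency tree with a direct lodash-es copy and a second transitive copy under @anthropic-ai/sandbox-runtime, a check that walks the tree for any copy not at the pinned version, and a simulation of what the package.json `overrides` entry does to that tree on reinstall. The dependent's version and the tree shape (modelled on `npm ls --json`) are assumptions; only the lodash-es versions come from the commits.

```javascript
// Added example (not from the commit or the project). The tree below is
// constructed to mirror the commit message: a direct lodash-es@4.18.0 and a
// transitive lodash-es@4.17.23 pulled in by @anthropic-ai/sandbox-runtime.
const resolvedTree = {
  name: 'app',
  dependencies: {
    'lodash-es': { version: '4.18.0', dependencies: {} },
    '@anthropic-ai/sandbox-runtime': {
      version: '0.0.0-constructed', // assumed; the commit does not name it
      dependencies: { 'lodash-es': { version: '4.17.23', dependencies: {} } },
    },
  },
};

// package.json fragment with the override from the second commit: the
// `overrides` field forces one version onto every copy, direct or transitive.
const packageJson = {
  dependencies: { 'lodash-es': '4.18.1' },
  overrides: { 'lodash-es': '4.18.1' },
};

// Return the path to every copy of `name` whose version differs from
// `version`. An empty result means the pin holds for the whole tree.
function findUnpinnedCopies(tree, name, version, path = [], out = []) {
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${node.version}`];
    if (dep === name && node.version !== version) out.push(here.join(' > '));
    findUnpinnedCopies(node, name, version, here, out);
  }
  return out;
}

// Simulate a reinstall with the override in place: every copy of each
// overridden package is rewritten to the forced version (deep copy, so the
// original tree is left untouched for comparison).
function applyOverrides(tree, overrides) {
  const deps = {};
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const forced = Object.prototype.hasOwnProperty.call(overrides, dep);
    const version = forced ? overrides[dep] : node.version;
    deps[dep] = { ...applyOverrides(node, overrides), version };
  }
  return { ...tree, dependencies: deps };
}

// Before the override both copies miss the pin; after it none do, which is
// the state `bun audit` confirmed by reporting zero findings.
const pinned = packageJson.overrides['lodash-es'];
const before = findUnpinnedCopies(resolvedTree, 'lodash-es', pinned);
const after = findUnpinnedCopies(applyOverrides(resolvedTree, packageJson.overrides), 'lodash-es', pinned);
```

Bumping only the direct dependency, as PR #225 did, would leave `before` non-empty; the nested path in its output is exactly the copy an audit keeps flagging.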