5f75f67a27
Removes caret (^) ranges from all 74 dependencies in package.json, locking each to the exact version resolved in bun.lock. Motivation: the axios supply chain attack of March 31 2026 demonstrated that caret ranges are a live attack vector. axios@^1.14.0 would have resolved to the trojanized 1.14.1 (bundled plain-crypto-js RAT, C2 sfrclak.com). Both 1.14.1 and 0.30.4 were unpublished within 24h. Key pins: axios ^1.14.0 → 1.14.0 (trojanized 1.14.1 blocked) undici ^7.3.0 → 7.24.6 (7 CVEs between 7.3 and 7.24) yaml ^2.7.0 → 2.8.3 (CVE-2026-33532 fix) ajv ^8.17.0 → 8.18.0 (ReDoS fix) lodash-es ^4.17.21 → 4.17.23 (prototype pollution fix) zod ^3.24.0 → 3.25.76 (large range locked) All 74 deps verified: integrity hashes match npm registry, no known supply chain incidents, no postinstall scripts in lockfile.
4.9 KiB
4.9 KiB