From 0608549a95d65c7d4ba7e8c71235c25a617fbc3d Mon Sep 17 00:00:00 2001
From: John Alden
Date: Tue, 31 Mar 2026 15:58:49 -0700
Subject: [PATCH] Fix flatted prototype pollution vulnerability (GHSA-rf6f-7fwh-wjgh)

Add yarn resolution to force flatted ^3.4.2, fixing Prototype Pollution via parse() in NodeJS flatted. Transitive dep via eslint -> file-entry-cache -> flat-cache.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package.json | 3 ++-
 yarn.lock | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 4dd4b25..ff091ab 100644
--- a/package.json
+++ b/package.json
@@ -41,7 +41,8 @@
 },
 "resolutions": {
 "serialize-javascript": "^7.0.5",
- "picomatch": "^2.3.2"
+ "picomatch": "^2.3.2",
+ "flatted": "^3.4.2"
 },
 "keywords": [
 "FileWatcher",
diff --git a/yarn.lock b/yarn.lock
index bac0784..59b131b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -431,10 +431,10 @@ flat@^5.0.2:
 resolved "https://registry.npmjs.org/flat/-/flat-5.0.2.tgz#8ca6fe332069ffa9d324c327198c598259ceb241"
 integrity sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ==
 
-flatted@^3.2.9:
- version "3.3.1"
- resolved "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz#21db470729a6734d4997002f439cb308987f567a"
- integrity sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==
+flatted@^3.2.9, flatted@^3.4.2:
+ version "3.4.2"
+ resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.4.2.tgz#f5c23c107f0f37de8dbdf24f13722b3b98d52726"
+ integrity sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==
 
 fs-extra@^11.2.0:
 version "11.2.0"
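Review bot: The `"flatted": "^3.4.2"` entry added under `resolutions` in the package.json hunk is honoured only by Yarn at the root of this repository; npm ignores `resolutions`, so an `npm install` in a contributor checkout or CI job could still resolve flatted below 3.4.2 through eslint -> file-entry-cache -> flat-cache. Whether npm is a supported install path is not visible from this patch; if it is, add the matching `"overrides": { "flatted": "^3.4.2" }` block next to `resolutions`. Because package.json cannot carry a comment, record in the changelog or contributor docs that this pin exists for GHSA-rf6f-7fwh-wjgh and can be removed once flat-cache's own range requires a fixed flatted, so the override is not kept after it stops being needed. The hunk begins and ends inside the top-level object, so the rest of package.json (including whether eslint is a dev-only dependency) is outside this view.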