mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-05-06 23:19:35 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
8e4604741008cc2a8f9f58017692dbcba7c4d0d7
keycloak/js/package.json
T
Stan Silvert 8e46047410 Fix high-severity npm transitive dependency vulnerabilities via pnpm … (#48139) 
* Fix high-severity npm transitive dependency vulnerabilities via pnpm overrides (#47657)

Apply pnpm.overrides in js/package.json to force patched versions of
vulnerable transitive dependencies:

- picomatch ^2.3.1 → ^2.3.2 (ReDoS via extglob quantifiers)
- flatted ^3.2.9 → ^3.4.2 (Prototype Pollution and unbounded recursion DoS)
- minimatch ~3 → ^3.1.4 (multiple ReDoS vectors)
- minimatch ~9 → ^9.0.7 (ReDoS via repeated wildcards)
- @isaacs/brace-expansion ^5 → ^5.0.1 (uncontrolled resource consumption)
- serialize-javascript ^6 → ^7.0.3 (RCE via RegExp.flags)

pnpm.overrides is used here because none of the direct dependencies that
pull in these transitive packages have released fixes upstream yet:

- wireit 0.14.12 (latest stable) → picomatch 2.3.1 via chokidar/micromatch
- eslint 9.x → flatted 3.3.3 via flat-cache, minimatch 3.1.2
- mocha 11.x → serialize-javascript 6.0.2
- vite-plugin-dts 4.x → minimatch 9.0.5, @isaacs/brace-expansion 5.0.0

Since the vulnerable ranges (e.g. ^2.3.1, ^3.2.9) already permit the
patched versions, overrides simply force pnpm to resolve to the fixed
minor/patch release rather than the previously locked version.

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
(cherry picked from commit e556494cec)

* Fix linting errors.

Signed-off-by: Stan Silvert <ssilvert@redhat.com>

---------

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
Signed-off-by: Stan Silvert <ssilvert@redhat.com>
Co-authored-by: Bruno Oliveira da Silva <bruno@abstractj.com>
2026-04-17 11:01:31 +02:00

95 lines
2.5 KiB
JSON
Raw Blame History

{
"name": "root",
"private": true,
"type": "module",
"packageManager": "pnpm@10.4.1+sha512.c753b6c3ad7afa13af388fa6d808035a008e30ea9993f58c6663e2bc5ff21679aa834db094987129aa4d488b86df57f7b634981b2f827cdcacc698cc0cfb88af",
"scripts": {
"prepare": "cd .. && husky js/.husky",
"build": "wireit"
},
"wireit": {
"build": {
"dependencies": [
"./apps/account-ui:build",
"./apps/admin-ui:build",
"./libs/keycloak-admin-client:build",
"./libs/ui-shared:build",
"./themes-vendor:build"
]
}
},
"devDependencies": {
"@eslint/compat": "^1.2.8",
"@eslint/eslintrc": "^3.3.1",
"@eslint/js": "^9.24.0",
"@types/node": "^22.14.0",
"eslint": "^9.24.0",
"eslint-config-prettier": "^10.1.1",
"eslint-plugin-lodash": "^8.0.0",
"eslint-plugin-playwright": "^2.2.0",
"eslint-plugin-prettier": "^5.2.6",
"eslint-plugin-react": "^7.37.5",
"eslint-plugin-react-compiler": "19.0.0-beta-714736e-20250131",
"eslint-plugin-react-hooks": "~5.2.0",
"husky": "^9.1.7",
"lint-staged": "^15.5.0",
"prettier": "^3.5.3",
"tslib": "^2.8.1",
"typescript": "^5.8.2",
"typescript-eslint": "^8.29.0",
"wireit": "^0.14.11"
},
"pnpm": {
"ignoredOptionalDependencies": [
"@types/c3",
"bootstrap-datepicker",
"bootstrap-sass",
"bootstrap-select",
"bootstrap-slider",
"bootstrap-switch",
"bootstrap-touchspin",
"c3",
"d3",
"datatables.net",
"datatables.net-colreorder",
"datatables.net-colreorder-bs",
"datatables.net-select",
"drmonty-datatables-colvis",
"eonasdan-bootstrap-datetimepicker",
"font-awesome-sass",
"google-code-prettify",
"jquery-match-height",
"moment",
"moment-timezone",
"patternfly-bootstrap-combobox",
"patternfly-bootstrap-treeview"
],
"overrides": {
"picomatch@^2": "^2.3.2",
"flatted": "^3.4.2",
"minimatch@~3": "^3.1.4",
"minimatch@~9": "^9.0.7",
"@isaacs/brace-expansion@^5": "^5.0.1",
"serialize-javascript": "^7.0.3"
},
"onlyBuiltDependencies": [
"@swc/core",
"esbuild"
]
},
"lint-staged": {
"*.{js,jsx,mjs,ts,tsx}": "eslint --cache --fix"
},
"author": {
"name": "Red Hat, Inc.",
"url": "https://www.keycloak.org/"
},
"license": "Apache-2.0",
"repository": {
"type": "git",
"url": "https://github.com/keycloak/keycloak.git",
"directory": "js/"
},
"homepage": "https://www.keycloak.org/"
}
Reference in New Issue View Git Blame Copy Permalink