fix(security): override 5 transitive dep vulnerabilities from npm audit #100

Merged
maximus merged 1 commit from issue-95-99-deps-overrides into master 2026-07-01 00:33:14 +00:00

1 commit

Author SHA1 Message Date
le king fu
68abfb17f8 fix(security): override 5 transitive dep vulnerabilities from npm audit
Adds scoped overrides for shell-quote (GHSA-w7jw-789q-3m8p, critical),
undici (4 CVEs, high), ws (GHSA-96hv-2xvq-fx4p, high — distinct from the
CVE already fixed in #92/#94), js-yaml (GHSA-h67p-54hq-rp68, moderate,
two incompatible majors need separate scopes), and tar
(GHSA-vmf3-w455-68vh, moderate). All 5 are dev-tooling-only (Expo CLI,
Metro, react-devtools-core) with no runtime app code path.

Verified: npm audit clean on all 5 packages, smoke test passes, Metro
Bundler boots and serves /status normally after the ws bump (the only
scope touching Fast Refresh/dev-middleware runtime).

Fixes #95, Fixes #96, Fixes #97, Fixes #98, Fixes #99

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-06-30 20:20:46 -04:00