From 3c6dab479bf24ade4ad6cf405f5b37ef7d5a7544 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Wed, 6 May 2026 11:54:34 +0900 Subject: [PATCH] fix: update dependencies to resolve security vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update package-lock.json to address multiple Dependabot security alerts: - lodash: 4.17.23 → 4.18.1 (fixes prototype pollution and code injection) - lodash-es: 4.17.23 → 4.18.1 (fixes prototype pollution and code injection) - handlebars: 4.7.8 → 4.7.9 (fixes critical JavaScript injection vulnerabilities) - undici: 6.23.0 → 6.25.0 (fixes WebSocket parser crashes and CRLF injection) - npm: 11.11.0 → 11.13.0 (includes minimatch 10.2.5 to fix ReDoS vulnerabilities) This update resolves 1 critical, 7 high, and 2 moderate severity vulnerabilities. The remaining moderate vulnerability (ip-address) is a bundled npm dependency that cannot be fixed at the project level. Co-Authored-By: Claude Sonnet 4.5 --- package-lock.json | 217 ++++++++++++++++++++-------------------------- 1 file changed, 95 insertions(+), 122 deletions(-) diff --git a/package-lock.json b/package-lock.json index 9056a236..41f3f06b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4,6 +4,7 @@ "requires": true, "packages": { "": { + "name": "coco-pattern", "devDependencies": { "@semantic-release/changelog": "^6.0.3", "@semantic-release/commit-analyzer": "^13.0.1", @@ -46,9 +47,9 @@ } }, "node_modules/@actions/http-client/node_modules/undici": { - "version": "6.23.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz", - "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==", + "version": "6.25.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz", + "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==", "dev": true, "license": "MIT", "engines": { @@ -1928,9 +1929,9 @@ "license": "ISC" }, "node_modules/handlebars": { - "version": "4.7.8", - "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.8.tgz", - "integrity": "sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==", + "version": "4.7.9", + "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.7.9.tgz", + "integrity": "sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==", "dev": true, "license": "MIT", "dependencies": { @@ -2362,16 +2363,16 @@ } }, "node_modules/lodash": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", - "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz", + "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==", "dev": true, "license": "MIT" }, "node_modules/lodash-es": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.23.tgz", - "integrity": "sha512-kVI48u3PZr38HdYz98UmfPnXl2DXrpdctLrFLCd3kOx1xUkOmpFPx7gCWWM5MPkL/fD8zb+Ph0QzjGFs4+hHWg==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.18.1.tgz", + "integrity": "sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==", "dev": true, "license": "MIT" }, @@ -2618,9 +2619,9 @@ } }, "node_modules/npm": { - "version": "11.11.0", - "resolved": "https://registry.npmjs.org/npm/-/npm-11.11.0.tgz", - "integrity": "sha512-82gRxKrh/eY5UnNorkTFcdBQAGpgjWehkfGVqAGlJjejEtJZGGJUqjo3mbBTNbc5BTnPKGVtGPBZGhElujX5cw==", + "version": "11.13.0", + "resolved": "https://registry.npmjs.org/npm/-/npm-11.13.0.tgz", + "integrity": "sha512-cRmhaghDWA1lFgl3Ug4/VxDJdPBK/U+tNtnrl9kXunFqhWw1x4xL5txkNn7qzPuVfvXOmXyjHpMwsuk2uisbkg==", "bundleDependencies": [ "@isaacs/string-locale-compare", "@npmcli/arborist", @@ -2699,19 +2700,19 @@ ], "dependencies": { "@isaacs/string-locale-compare": "^1.1.0", - "@npmcli/arborist": "^9.4.0", - "@npmcli/config": "^10.7.1", + "@npmcli/arborist": "^9.4.3", + "@npmcli/config": "^10.8.1", "@npmcli/fs": "^5.0.0", "@npmcli/map-workspaces": "^5.0.3", "@npmcli/metavuln-calculator": "^9.0.3", "@npmcli/package-json": "^7.0.5", "@npmcli/promise-spawn": "^9.0.1", "@npmcli/redact": "^4.0.0", - "@npmcli/run-script": "^10.0.3", - "@sigstore/tuf": "^4.0.1", + "@npmcli/run-script": "^10.0.4", + "@sigstore/tuf": "^4.0.2", "abbrev": "^4.0.0", "archy": "~1.0.0", - "cacache": "^20.0.3", + "cacache": "^20.0.4", "chalk": "^5.6.2", "ci-info": "^4.4.0", "fastest-levenshtein": "^1.0.16", @@ -2721,24 +2722,24 @@ "hosted-git-info": "^9.0.2", "ini": "^6.0.0", "init-package-json": "^8.2.5", - "is-cidr": "^6.0.3", + "is-cidr": "^6.0.4", "json-parse-even-better-errors": "^5.0.0", "libnpmaccess": "^10.0.3", - "libnpmdiff": "^8.1.3", - "libnpmexec": "^10.2.3", - "libnpmfund": "^7.0.17", + "libnpmdiff": "^8.1.6", + "libnpmexec": "^10.2.6", + "libnpmfund": "^7.0.20", "libnpmorg": "^8.0.1", - "libnpmpack": "^9.1.3", + "libnpmpack": "^9.1.6", "libnpmpublish": "^11.1.3", "libnpmsearch": "^9.0.1", "libnpmteam": "^8.0.2", "libnpmversion": "^8.0.3", - "make-fetch-happen": "^15.0.4", - "minimatch": "^10.2.2", + "make-fetch-happen": "^15.0.5", + "minimatch": "^10.2.5", "minipass": "^7.1.3", "minipass-pipeline": "^1.2.4", "ms": "^2.1.2", - "node-gyp": "^12.2.0", + "node-gyp": "^12.3.0", "nopt": "^9.0.0", "npm-audit-report": "^7.0.0", "npm-install-checks": "^8.0.0", @@ -2748,7 +2749,7 @@ "npm-registry-fetch": "^19.1.1", "npm-user-validate": "^4.0.0", "p-map": "^7.0.4", - "pacote": "^21.4.0", + "pacote": "^21.5.0", "parse-conflict-json": "^5.0.1", "proc-log": "^6.1.0", "qrcode-terminal": "^0.12.0", @@ -2757,7 +2758,7 @@ "spdx-expression-parse": "^4.0.0", "ssri": "^13.0.1", "supports-color": "^10.2.2", - "tar": "^7.5.9", + "tar": "^7.5.13", "text-table": "~0.2.0", "tiny-relative-date": "^2.0.2", "treeverse": "^3.0.0", @@ -2786,26 +2787,14 @@ } }, "node_modules/npm/node_modules/@gar/promise-retry": { - "version": "1.0.2", + "version": "1.0.3", "dev": true, "inBundle": true, "license": "MIT", - "dependencies": { - "retry": "^0.13.1" - }, "engines": { "node": "^20.17.0 || >=22.9.0" } }, - "node_modules/npm/node_modules/@gar/promise-retry/node_modules/retry": { - "version": "0.13.1", - "dev": true, - "inBundle": true, - "license": "MIT", - "engines": { - "node": ">= 4" - } - }, "node_modules/npm/node_modules/@isaacs/fs-minipass": { "version": "4.0.1", "dev": true, @@ -2841,11 +2830,12 @@ } }, "node_modules/npm/node_modules/@npmcli/arborist": { - "version": "9.4.0", + "version": "9.4.3", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { + "@gar/promise-retry": "^1.0.0", "@isaacs/string-locale-compare": "^1.1.0", "@npmcli/fs": "^5.0.0", "@npmcli/installed-package-contents": "^4.0.0", @@ -2888,7 +2878,7 @@ } }, "node_modules/npm/node_modules/@npmcli/config": { - "version": "10.7.1", + "version": "10.8.1", "dev": true, "inBundle": true, "license": "ISC", @@ -3054,7 +3044,7 @@ } }, "node_modules/npm/node_modules/@npmcli/run-script": { - "version": "10.0.3", + "version": "10.0.4", "dev": true, "inBundle": true, "license": "ISC", @@ -3063,8 +3053,7 @@ "@npmcli/package-json": "^7.0.0", "@npmcli/promise-spawn": "^9.0.0", "node-gyp": "^12.1.0", - "proc-log": "^6.0.0", - "which": "^6.0.0" + "proc-log": "^6.0.0" }, "engines": { "node": "^20.17.0 || >=22.9.0" @@ -3083,7 +3072,7 @@ } }, "node_modules/npm/node_modules/@sigstore/core": { - "version": "3.1.0", + "version": "3.2.0", "dev": true, "inBundle": true, "license": "Apache-2.0", @@ -3092,7 +3081,7 @@ } }, "node_modules/npm/node_modules/@sigstore/protobuf-specs": { - "version": "0.5.0", + "version": "0.5.1", "dev": true, "inBundle": true, "license": "Apache-2.0", @@ -3101,24 +3090,24 @@ } }, "node_modules/npm/node_modules/@sigstore/sign": { - "version": "4.1.0", + "version": "4.1.1", "dev": true, "inBundle": true, "license": "Apache-2.0", "dependencies": { + "@gar/promise-retry": "^1.0.2", "@sigstore/bundle": "^4.0.0", - "@sigstore/core": "^3.1.0", + "@sigstore/core": "^3.2.0", "@sigstore/protobuf-specs": "^0.5.0", - "make-fetch-happen": "^15.0.3", - "proc-log": "^6.1.0", - "promise-retry": "^2.0.1" + "make-fetch-happen": "^15.0.4", + "proc-log": "^6.1.0" }, "engines": { "node": "^20.17.0 || >=22.9.0" } }, "node_modules/npm/node_modules/@sigstore/tuf": { - "version": "4.0.1", + "version": "4.0.2", "dev": true, "inBundle": true, "license": "Apache-2.0", @@ -3234,7 +3223,7 @@ } }, "node_modules/npm/node_modules/brace-expansion": { - "version": "5.0.3", + "version": "5.0.5", "dev": true, "inBundle": true, "license": "MIT", @@ -3246,7 +3235,7 @@ } }, "node_modules/npm/node_modules/cacache": { - "version": "20.0.3", + "version": "20.0.4", "dev": true, "inBundle": true, "license": "ISC", @@ -3260,8 +3249,7 @@ "minipass-flush": "^1.0.5", "minipass-pipeline": "^1.2.4", "p-map": "^7.0.2", - "ssri": "^13.0.0", - "unique-filename": "^5.0.0" + "ssri": "^13.0.0" }, "engines": { "node": "^20.17.0 || >=22.9.0" @@ -3304,7 +3292,7 @@ } }, "node_modules/npm/node_modules/cidr-regex": { - "version": "5.0.3", + "version": "5.0.4", "dev": true, "inBundle": true, "license": "BSD-2-Clause", @@ -3360,7 +3348,7 @@ } }, "node_modules/npm/node_modules/diff": { - "version": "8.0.3", + "version": "8.0.4", "dev": true, "inBundle": true, "license": "BSD-3-Clause", @@ -3380,7 +3368,6 @@ "node_modules/npm/node_modules/err-code": { "version": "2.0.3", "dev": true, - "inBundle": true, "license": "MIT" }, "node_modules/npm/node_modules/exponential-backoff": { @@ -3509,7 +3496,6 @@ "node_modules/npm/node_modules/imurmurhash": { "version": "0.1.4", "dev": true, - "inBundle": true, "license": "MIT", "engines": { "node": ">=0.8.19" @@ -3551,12 +3537,12 @@ } }, "node_modules/npm/node_modules/is-cidr": { - "version": "6.0.3", + "version": "6.0.4", "dev": true, "inBundle": true, "license": "BSD-2-Clause", "dependencies": { - "cidr-regex": "^5.0.1" + "cidr-regex": "^5.0.4" }, "engines": { "node": ">=20" @@ -3624,12 +3610,12 @@ } }, "node_modules/npm/node_modules/libnpmdiff": { - "version": "8.1.3", + "version": "8.1.6", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "@npmcli/arborist": "^9.4.0", + "@npmcli/arborist": "^9.4.3", "@npmcli/installed-package-contents": "^4.0.0", "binary-extensions": "^3.0.0", "diff": "^8.0.2", @@ -3643,13 +3629,13 @@ } }, "node_modules/npm/node_modules/libnpmexec": { - "version": "10.2.3", + "version": "10.2.6", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { "@gar/promise-retry": "^1.0.0", - "@npmcli/arborist": "^9.4.0", + "@npmcli/arborist": "^9.4.3", "@npmcli/package-json": "^7.0.0", "@npmcli/run-script": "^10.0.0", "ci-info": "^4.0.0", @@ -3666,12 +3652,12 @@ } }, "node_modules/npm/node_modules/libnpmfund": { - "version": "7.0.17", + "version": "7.0.20", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "@npmcli/arborist": "^9.4.0" + "@npmcli/arborist": "^9.4.3" }, "engines": { "node": "^20.17.0 || >=22.9.0" @@ -3691,12 +3677,12 @@ } }, "node_modules/npm/node_modules/libnpmpack": { - "version": "9.1.3", + "version": "9.1.6", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "@npmcli/arborist": "^9.4.0", + "@npmcli/arborist": "^9.4.3", "@npmcli/run-script": "^10.0.0", "npm-package-arg": "^13.0.0", "pacote": "^21.0.2" @@ -3766,7 +3752,7 @@ } }, "node_modules/npm/node_modules/lru-cache": { - "version": "11.2.6", + "version": "11.3.5", "dev": true, "inBundle": true, "license": "BlueOak-1.0.0", @@ -3775,13 +3761,14 @@ } }, "node_modules/npm/node_modules/make-fetch-happen": { - "version": "15.0.4", + "version": "15.0.5", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { "@gar/promise-retry": "^1.0.0", "@npmcli/agent": "^4.0.0", + "@npmcli/redact": "^4.0.0", "cacache": "^20.0.1", "http-cache-semantics": "^4.1.1", "minipass": "^7.0.2", @@ -3797,12 +3784,12 @@ } }, "node_modules/npm/node_modules/minimatch": { - "version": "10.2.2", + "version": "10.2.5", "dev": true, "inBundle": true, "license": "BlueOak-1.0.0", "dependencies": { - "brace-expansion": "^5.0.2" + "brace-expansion": "^5.0.5" }, "engines": { "node": "18 || 20 || >=22" @@ -3850,35 +3837,17 @@ } }, "node_modules/npm/node_modules/minipass-flush": { - "version": "1.0.5", + "version": "1.0.6", "dev": true, "inBundle": true, - "license": "ISC", - "dependencies": { - "minipass": "^3.0.0" - }, - "engines": { - "node": ">= 8" - } - }, - "node_modules/npm/node_modules/minipass-flush/node_modules/minipass": { - "version": "3.3.6", - "dev": true, - "inBundle": true, - "license": "ISC", + "license": "BlueOak-1.0.0", "dependencies": { - "yallist": "^4.0.0" + "minipass": "^7.1.3" }, "engines": { - "node": ">=8" + "node": ">=16 || 14 >=14.17" } }, - "node_modules/npm/node_modules/minipass-flush/node_modules/yallist": { - "version": "4.0.0", - "dev": true, - "inBundle": true, - "license": "ISC" - }, "node_modules/npm/node_modules/minipass-pipeline": { "version": "1.2.4", "dev": true, @@ -3958,7 +3927,7 @@ } }, "node_modules/npm/node_modules/node-gyp": { - "version": "12.2.0", + "version": "12.3.0", "dev": true, "inBundle": true, "license": "MIT", @@ -3966,12 +3935,12 @@ "env-paths": "^2.2.0", "exponential-backoff": "^3.1.1", "graceful-fs": "^4.2.6", - "make-fetch-happen": "^15.0.0", "nopt": "^9.0.0", "proc-log": "^6.0.0", "semver": "^7.3.5", "tar": "^7.5.4", "tinyglobby": "^0.2.12", + "undici": "^6.25.0", "which": "^6.0.0" }, "bin": { @@ -4135,7 +4104,7 @@ } }, "node_modules/npm/node_modules/pacote": { - "version": "21.4.0", + "version": "21.5.0", "dev": true, "inBundle": true, "license": "ISC", @@ -4247,7 +4216,6 @@ "node_modules/npm/node_modules/promise-retry": { "version": "2.0.1", "dev": true, - "inBundle": true, "license": "MIT", "dependencies": { "err-code": "^2.0.2", @@ -4301,7 +4269,6 @@ "node_modules/npm/node_modules/retry": { "version": "0.12.0", "dev": true, - "inBundle": true, "license": "MIT", "engines": { "node": ">= 4" @@ -4440,7 +4407,7 @@ } }, "node_modules/npm/node_modules/tar": { - "version": "7.5.9", + "version": "7.5.13", "dev": true, "inBundle": true, "license": "BlueOak-1.0.0", @@ -4468,13 +4435,13 @@ "license": "MIT" }, "node_modules/npm/node_modules/tinyglobby": { - "version": "0.2.15", + "version": "0.2.16", "dev": true, "inBundle": true, "license": "MIT", "dependencies": { "fdir": "^6.5.0", - "picomatch": "^4.0.3" + "picomatch": "^4.0.4" }, "engines": { "node": ">=12.0.0" @@ -4501,7 +4468,7 @@ } }, "node_modules/npm/node_modules/tinyglobby/node_modules/picomatch": { - "version": "4.0.3", + "version": "4.0.4", "dev": true, "inBundle": true, "license": "MIT", @@ -4535,10 +4502,18 @@ "node": "^20.17.0 || >=22.9.0" } }, + "node_modules/npm/node_modules/undici": { + "version": "6.25.0", + "dev": true, + "inBundle": true, + "license": "MIT", + "engines": { + "node": ">=18.17" + } + }, "node_modules/npm/node_modules/unique-filename": { "version": "5.0.0", "dev": true, - "inBundle": true, "license": "ISC", "dependencies": { "unique-slug": "^6.0.0" @@ -4550,7 +4525,6 @@ "node_modules/npm/node_modules/unique-slug": { "version": "6.0.0", "dev": true, - "inBundle": true, "license": "ISC", "dependencies": { "imurmurhash": "^0.1.4" @@ -4599,12 +4573,11 @@ } }, "node_modules/npm/node_modules/write-file-atomic": { - "version": "7.0.0", + "version": "7.0.1", "dev": true, "inBundle": true, "license": "ISC", "dependencies": { - "imurmurhash": "^0.1.4", "signal-exit": "^4.0.1" }, "engines": { @@ -4879,9 +4852,9 @@ "license": "ISC" }, "node_modules/picomatch": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", - "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz", + "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==", "dev": true, "license": "MIT", "engines": { @@ -5950,9 +5923,9 @@ } }, "node_modules/tinyglobby/node_modules/picomatch": { - "version": "4.0.3", - "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz", - "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", + "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "dev": true, "license": "MIT", "engines": { @@ -6026,9 +5999,9 @@ } }, "node_modules/undici": { - "version": "7.22.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz", - "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==", + "version": "7.25.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz", + "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==", "dev": true, "license": "MIT", "engines": {