Commit 8071cac
Fix security vulnerabilities in dependencies (#437)
Update direct dependencies to resolve security vulnerabilities:
Root package.json:
- @mapbox/node-pre-gyp: ^1.0.11 → ^2.0.3 (fixes tar vulnerability)
- node-gyp: ^9.3.1 → ^11.0.0 (fixes tar vulnerability)
schemaregistry/package.json:
- @aws-sdk/client-kms: ^3.637.0 → ^3.975.0 (fixes @smithy/config-resolver)
- @aws-sdk/credential-providers: ^3.637.0 → ^3.975.0 (fixes @smithy/config-resolver)
- @azure/identity: ^4.4.1 → ^4.13.0 (fixes jws vulnerability)
- @google-cloud/kms: ^4.5.0 → ^5.2.1 (fixes jws vulnerability)
- node-gyp: ^9.3.1 → ^11.0.0 (fixes tar vulnerability)
- node-vault: ^0.10.2 → ^0.10.9 (latest version)
Vulnerabilities fixed:
- tar (CVE high severity) - arbitrary file overwrite
- jws (CVE high severity) - improper HMAC signature verification
- @smithy/config-resolver (low severity) - defense in depth enhancement
- qs (high severity) - DoS via memory exhaustion
- form-data (critical severity) - unsafe random function
- tough-cookie (moderate severity) - prototype pollution
- lodash (moderate severity) - prototype pollution
- js-yaml (moderate severity) - prototype pollution
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

1 parent b8c131e commit 8071cac
3 files changed
Lines changed: 3713 additions & 1465 deletions