chore(deps): bump brace-expansion + ws overrides to clear audit
CI / scan (pull_request) Successful in 3m22s
CI / commits (pull_request) Successful in 3m52s
CI / check (pull_request) Successful in 5m41s
CI / a11y (pull_request) Successful in 2m46s
Docs site / build (pull_request) Successful in 3m57s
CI / perf (pull_request) Successful in 8m57s

Two new GHSA advisories surfaced in pnpm audit:

- brace-expansion >=5.0.0 <5.0.6 — DoS via large numeric range
  (GHSA-jxxr-4gwj-5jf2). The existing override floor was 5.0.5;
  bump to 5.0.6.
- ws >=8.0.0 <8.20.1 — uninitialized memory disclosure
  (GHSA-58qx-3vcg-4xpx). Reached via @nx/angular >
  @nx/module-federation > @module-federation/enhanced >
  @module-federation/dts-plugin > ws@8.18.0. Pinning the override
  to the 8.x range only — lighthouse's transitive ws@7.5.10 sits
  outside the advisory.

Both fixes are pure pnpm.overrides bumps; remove them once Nx's
upstream chain catches up.
This commit is contained in:
Julien Gautier
2026-05-19 12:25:29 +02:00
parent aa61ea0e02
commit 18a9370354
2 changed files with 10 additions and 30 deletions
+2 -1
View File
@@ -38,13 +38,14 @@
"overrides": {
"axios@<1.15.2": ">=1.15.2",
"@angular-devkit/core>ajv@<8.18.0": ">=8.18.0",
"brace-expansion@<5.0.5": ">=5.0.5",
"brace-expansion@<5.0.6": ">=5.0.6",
"esbuild@<0.25.0": ">=0.25.0",
"follow-redirects@<1.16.0": ">=1.16.0",
"ip-address@<10.1.1": ">=10.1.1",
"protobufjs@<8.0.2": ">=8.0.2",
"tmp@<0.2.4": ">=0.2.4",
"vitepress>vite": ">=6.4.2 <7",
"ws@>=8.0.0 <8.20.1": ">=8.20.1",
"yaml@<2.8.3": ">=2.8.3",
"@types/express": "^5.0.6"
}