fix(security): Resolve HIGH severity Dependabot alerts#741
Conversation
- Add pnpm overrides for @isaacs/brace-expansion (^5.0.1) and fast-xml-parser (^5.3.4) to fix CVE-2026-25547 and CVE-2026-25128
- Update @aws-sdk/client-lambda from ^3.723.0 to ^3.984.0
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "diff": "^8.0.3" | ||
| "diff": "^8.0.3", | ||
| "@isaacs/brace-expansion": "^5.0.1", | ||
| "fast-xml-parser": "^5.3.4" |
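Review bot: The `"fast-xml-parser": "^5.3.4"` override added in this hunk applies to every resolution of the package, not only the one behind the Dependabot alert, so it also rewrites the 4.x range that @google-cloud/storage@7.18.0 declares into a major bump this PR never exercises. Suggest narrowing it to the dependency path that needs the fix with pnpm's parent>child override selector (e.g. `"<alerting-dependent>>fast-xml-parser": "^5.3.4"`, where the parent name is whatever `pnpm why fast-xml-parser` reports), and, if the broad override is kept, stating in the description which GCS XML code paths were run against 5.3.4.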
Override forces breaking major version on GCS dependency
High Severity
The fast-xml-parser pnpm override (^5.3.4) is too broad — it forces all instances of the package to v5, including the one used by @google-cloud/storage@7.18.0, which declares a dependency on fast-xml-parser v4.x. The lockfile confirms it previously resolved to 4.5.3 and now resolves to 5.3.4. Since v4→v5 is a major version bump with breaking API changes (different constructor options, changed class behavior), this could cause runtime failures in Google Cloud Storage XML parsing code paths that tests may not cover.
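The check Bugbot is describing, as an added example that is not part of this PR or of pnpm: given the overrides and the ranges each dependent declares, flag any override whose resolved version falls outside a dependent's declared range. All inputs are constructed; `declaredRanges` stands in for what `pnpm why <pkg>` would show for the real lockfile, and the `^4.5.0` range for @google-cloud/storage is made up (the page only says 4.x).

```javascript
// Added example, not code from the PR. Detects pnpm overrides that force a
// version outside the range a transitive dependent declares.

// Parse "1.2.3", "^1.2.3" or "~1.2.3" into its prefix and numeric triple.
function parseRange(spec) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported version spec: ${spec}`);
  return { kind: m[1], v: [Number(m[2]), Number(m[3]), Number(m[4])] };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Does triple `v` satisfy an exact, tilde or caret range? Only these three
// forms are handled (what the overrides in this PR use); no `||`, `>=`, `x`.
function satisfies(v, range) {
  const { kind, v: base } = parseRange(range);
  if (cmp(v, base) < 0) return false;
  if (kind === '') return cmp(v, base) === 0;
  if (kind === '~') return v[0] === base[0] && v[1] === base[1];
  if (base[0] !== 0) return v[0] === base[0]; // caret: same major
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1]; // ^0.x: same minor
  return cmp(v, base) === 0; // ^0.0.z: exact
}

// overrides: { pkg: spec }; declaredRanges: { pkg: { dependent: range } }.
// Treats the override's minimum version as what pnpm will resolve to.
function auditOverrides(overrides, declaredRanges) {
  const findings = [];
  for (const [pkg, spec] of Object.entries(overrides)) {
    const forced = parseRange(spec).v;
    for (const [dependent, range] of Object.entries(declaredRanges[pkg] || {})) {
      if (satisfies(forced, range)) continue;
      findings.push({ pkg, dependent, declared: range, forced: spec,
        majorBump: forced[0] !== parseRange(range).v[0] });
    }
  }
  return findings;
}

// Constructed sample mirroring the PR: its two overrides, plus one dependent
// still declaring fast-xml-parser 4.x (the exact range here is made up).
const OVERRIDES = { '@isaacs/brace-expansion': '^5.0.1', 'fast-xml-parser': '^5.3.4' };
const DECLARED = {
  '@isaacs/brace-expansion': { minimatch: '^5.0.0' },
  'fast-xml-parser': { '@google-cloud/storage': '^4.5.0' },
};
console.log(auditOverrides(OVERRIDES, DECLARED));
```

Running it reports the single fast-xml-parser/@google-cloud/storage finding with `majorBump: true` and nothing for @isaacs/brace-expansion, whose override stays inside the dependent's ^5 range.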


Summary

Fixes 2 HIGH severity Dependabot alerts:
- @isaacs/brace-expansion: DoS via unbounded brace range expansion
- fast-xml-parser: RangeError DoS via numeric entities

Changes
- @isaacs/brace-expansion: ^5.0.1 (was 5.0.0)
- fast-xml-parser: ^5.3.4 (was 5.2.5)
- @aws-sdk/client-lambda from ^3.723.0 to ^3.984.0

Verification
pnpm why