Skip to content

fix(deps): bump flatted 3.3.1 to 3.4.2 to fix CVE-2026-32141#19842

Merged
chargome merged 1 commit intodevelopfrom
fix/dependabot-alert-1146
Mar 18, 2026
Merged

fix(deps): bump flatted 3.3.1 to 3.4.2 to fix CVE-2026-32141#19842
chargome merged 1 commit intodevelopfrom
fix/dependabot-alert-1146

Conversation

@chargome
Copy link
Member

@chargome chargome commented Mar 17, 2026

Fixes Dependabot alert #1146.

@chargome @claude
fix(deps): bump flatted 3.3.1 to 3.4.2 to fix CVE-2026-32141
4040ae9 
Fixes Dependabot alert #1146.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@chargome chargome self-assigned this Mar 17, 2026
cursor[bot]
cursor bot reviewed Mar 17, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix is kicking off a free cloud agent to fix this issue. This run is complimentary, but you can enable autofix for all future PRs in the Cursor dashboard.

yarn.lock
integrity sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==
version "3.4.2"
resolved "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz"
integrity sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==
Copy link

@cursor cursor bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile references non-existent flatted version 3.4.2

High Severity

The lockfile pins flatted to version 3.4.2, but this version does not exist on npm — the latest published version is 3.4.1. The resolved URL and integrity hash are therefore invalid, which will cause yarn install to fail for any fresh install. The missing hash suffix in the resolved URL (compared to the previous entry and other registry.npmjs.org entries) also suggests this entry was manually edited rather than generated by yarn.

Fix in Cursor Fix in Web

Copy link

@cursor cursor bot Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bugbot Autofix determined this is a false positive.

Version 3.4.2 exists on npm (published March 17, 2026), the integrity hash is valid, and yarn install completes successfully.

This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.

Copy link
Member Author

@chargome chargome Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well done

Copy link
Member

@Lms24 Lms24 Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lol bugbot correcting itself :D (pretty cool but what a waste of energy lol)

@github-actions
Copy link
Contributor

github-actions bot commented Mar 17, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path Size % Change Change
@sentry/browser 25.64 kB - -
@sentry/browser - with treeshaking flags 24.14 kB - -
@sentry/browser (incl. Tracing) 42.62 kB - -
@sentry/browser (incl. Tracing, Profiling) 47.28 kB - -
@sentry/browser (incl. Tracing, Replay) 81.42 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 71 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 86.12 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 98.37 kB - -
@sentry/browser (incl. Feedback) 42.45 kB - -
@sentry/browser (incl. sendFeedback) 30.31 kB - -
@sentry/browser (incl. FeedbackAsync) 35.36 kB - -
@sentry/browser (incl. Metrics) 26.92 kB - -
@sentry/browser (incl. Logs) 27.07 kB - -
@sentry/browser (incl. Metrics & Logs) 27.74 kB - -
@sentry/react 27.39 kB - -
@sentry/react (incl. Tracing) 44.95 kB - -
@sentry/vue 30.08 kB - -
@sentry/vue (incl. Tracing) 44.48 kB - -
@sentry/svelte 25.66 kB - -
CDN Bundle 28.28 kB +0.04% +11 B 🔺
CDN Bundle (incl. Tracing) 43.51 kB +0.03% +10 B 🔺
CDN Bundle (incl. Logs, Metrics) 29.14 kB +0.05% +12 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) 44.36 kB +0.03% +11 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) 68.21 kB +0.02% +12 B 🔺
CDN Bundle (incl. Tracing, Replay) 80.33 kB +0.02% +13 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 81.23 kB +0.02% +13 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) 85.87 kB +0.02% +12 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 86.77 kB +0.02% +12 B 🔺
CDN Bundle - uncompressed 82.62 kB +0.08% +59 B 🔺
CDN Bundle (incl. Tracing) - uncompressed 128.56 kB +0.05% +59 B 🔺
CDN Bundle (incl. Logs, Metrics) - uncompressed 85.49 kB +0.07% +59 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 131.43 kB +0.05% +59 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 209.12 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed 245.41 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 248.26 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 258.32 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 261.17 kB +0.03% +59 B 🔺
@sentry/nextjs (client) 47.37 kB - -
@sentry/sveltekit (client) 43.07 kB - -
@sentry/node-core 56.35 kB +0.06% +29 B 🔺
@sentry/node 173.17 kB -0.02% -18 B 🔽
@sentry/node - without tracing 96.35 kB +0.01% +6 B 🔺
@sentry/aws-serverless 113.35 kB +0.01% +11 B 🔺

View base workflow run

@github-actions
Copy link
Contributor

github-actions bot commented Mar 17, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 9,320 - 9,359 -0%
GET With Sentry 1,649 18% 1,711 -4%
GET With Sentry (error only) 6,112 66% 6,183 -1%
POST Baseline 1,201 - 1,188 +1%
POST With Sentry 570 47% 597 -5%
POST With Sentry (error only) 1,068 89% 1,053 +1%
MYSQL Baseline 3,275 - 3,289 -0%
MYSQL With Sentry 507 15% 453 +12%
MYSQL With Sentry (error only) 2,594 79% 2,663 -3%

View base workflow run

@chargome chargome requested review from a team, nicohrubec and stephanie-anderson and removed request for a team March 17, 2026 17:04
@chargome chargome merged commit d1ea777 into develop Mar 18, 2026
455 of 457 checks passed
@chargome chargome deleted the fix/dependabot-alert-1146 branch March 18, 2026 08:43
@sentry-release-bot sentry-release-bot bot mentioned this pull request Mar 19, 2026
Closed
45 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@Lms24 Lms24 Lms24 approved these changes

@nicohrubec nicohrubec nicohrubec approved these changes

@stephanie-anderson stephanie-anderson Awaiting requested review from stephanie-anderson stephanie-anderson was automatically assigned from getsentry/team-javascript-sdks

Assignees

@chargome chargome

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chargome @Lms24 @nicohrubec