From 70cca543a4458844fefcfce129820094eec4d7c8 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Mon, 16 Mar 2026 10:08:30 +0000
Subject: [PATCH] fix(deps): address security advisories for flatted and devalue
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add flatted override (^3.4.0) to fix CVE-2026-32141 (unbounded recursion DoS in parse(), GHSA-25h7-pfq9-p65f)
- Bump devalue override to ^5.6.4 in docs/ to fix CVE-2026-30226 (prototype pollution, GHSA-cfw5-2vxh-hr84) and GHSA-mwv9-gp5h-frr4 (__proto__ property emission)
- Dismiss yauzl alert #125 (CVE-2026-31988) as inaccurate — the vulnerable NTFS timestamp parser exists only in yauzl 3.x; our version (2.10.0 via extract-zip) is not affected
---
 docs/package.json | 2 +-
 docs/pnpm-lock.yaml | 10 +++++-----
 package.json | 3 ++-
 pnpm-lock.yaml | 9 +++++----
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/docs/package.json b/docs/package.json
index eb753a86..48d97b60 100644
--- a/docs/package.json
+++ b/docs/package.json
@@ -15,7 +15,7 @@
   "pnpm": {
     "overrides": {
       "h3": "^1.15.5",
-      "devalue": "^5.6.3",
+      "devalue": "^5.6.4",
       "rollup": "^4.59.0",
       "svgo": "^4.0.1"
     }
diff --git a/docs/pnpm-lock.yaml b/docs/pnpm-lock.yaml
index ed1446e1..61e610d3 100644
--- a/docs/pnpm-lock.yaml
+++ b/docs/pnpm-lock.yaml
@@ -6,7 +6,7 @@ settings:
 
 overrides:
   h3: ^1.15.5
-  devalue: ^5.6.3
+  devalue: ^5.6.4
   rollup: ^4.59.0
   svgo: ^4.0.1
 
@@ -953,8 +953,8 @@ packages:
     resolution: {integrity: sha512-KxektNH63SrbfUyDiwXqRb1rLwKt33AmMv+5Nhsw1kqZ13SJBRTgZHtGbE+hH3a1mVW1cz+4pqSWVPAtLVXTzQ==}
     engines: {node: '>=18'}
 
-  devalue@5.6.3:
-    resolution: {integrity: sha512-nc7XjUU/2Lb+SvEFVGcWLiKkzfw8+qHI7zn8WYXKkLMgfGSHbgCEaR6bJpev8Cm6Rmrb19Gfd/tZvGqx9is3wg==}
+  devalue@5.6.4:
+    resolution: {integrity: sha512-Gp6rDldRsFh/7XuouDbxMH3Mx8GMCcgzIb1pDTvNyn8pZGQ22u+Wa+lGV9dQCltFQ7uVw0MhRyb8XDskNFOReA==}
 
   devlop@1.1.0:
     resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==}
@@ -2631,7 +2631,7 @@ snapshots:
       cssesc: 3.0.0
       debug: 4.4.3
       deterministic-object-hash: 2.0.2
-      devalue: 5.6.3
+      devalue: 5.6.4
       diff: 8.0.3
       dlv: 1.1.3
       dset: 3.1.4
@@ -2844,7 +2844,7 @@ snapshots:
     dependencies:
       base-64: 1.0.0
 
-  devalue@5.6.3: {}
+  devalue@5.6.4: {}
 
   devlop@1.1.0:
     dependencies:
diff --git a/package.json b/package.json
index b69b9f80..37a8a99f 100644
--- a/package.json
+++ b/package.json
@@ -104,7 +104,8 @@
       "fast-xml-parser": "^5.3.4",
       "minimatch": "^10.2.1",
       "ajv@<6.14.0": "^6.14.0",
-      "rollup": "^4.59.0"
+      "rollup": "^4.59.0",
+      "flatted": "^3.4.0"
     }
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 9b1b7ab6..70d4551b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -9,6 +9,7 @@ overrides:
   minimatch: ^10.2.1
   ajv@<6.14.0: ^6.14.0
   rollup: ^4.59.0
+  flatted: ^3.4.0
 
 importers:
 
@@ -2287,8 +2288,8 @@ packages:
     resolution: {integrity: sha512-f7ccFPK3SXFHpx15UIGyRJ/FJQctuKZ0zVuN3frBo4HnK3cay9VEW0R6yPYFHC0AgqhukPzKjq22t5DmAyqGyw==}
     engines: {node: '>=16'}
 
-  flatted@3.3.3:
-    resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==}
+  flatted@3.4.1:
+    resolution: {integrity: sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==}
 
   foreground-child@3.3.1:
     resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==}
@@ -5659,10 +5660,10 @@ snapshots:
 
   flat-cache@4.0.1:
     dependencies:
-      flatted: 3.3.3
+      flatted: 3.4.1
       keyv: 4.5.4
 
-  flatted@3.3.3: {}
+  flatted@3.4.1: {}
 
   foreground-child@3.3.1:
     dependencies: