Revisit remaining vulnerabilities not addressed by PR #2122:
| Package | Severity | Blocker |
|---|---|---|
| lodash-es (×3 alerts) | High/Medium | chevrotain declares exact 4.17.21; override to 4.18.0 breaks electron-builder |
| underscore | High | jsonpath declares exact 1.13.6 |
| qs (×2 alerts) | Medium/Low | body-parser declares exact 6.13.0 |
| nodemailer | Low | mailparser depends on 7.x; fix requires 8.x (major version gap) |
These cannot be fixed via pnpm overrides because electron-builder's `traversalNodeModulesCollector` validates that installed versions exactly match declared dependency ranges. When a pnpm override changes the resolved version, the packager fails with "Production dependency not found".
To resolve these, the upstream packages need to update their declared dependency ranges, or electron-builder needs to support pnpm overrides. The following packages also have cross-major-version vulnerabilities that can't use global overrides: brace-expansion (1.x/2.x/5.x), picomatch (2.x/4.x), @xmldom/xmldom (0.8.x/0.9.x), undici (7.x/8.x).
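As an added illustration (not code from this project or from electron-builder), the script below models the class of consistency check described above: for every package in a dependency tree it compares the range each dependency declares with the version actually installed and reports the pairs that no longer agree, which is exactly the situation a pnpm override creates against an exact pin. The `satisfies` matcher, the `INSTALLED` sample tree and its version numbers are assumptions for the example; they are not electron-builder's implementation or the project's real resolved versions.

```javascript
// Added example: a pre-flight "does the installed version satisfy the declared range"
// check, modelled on the validation described in the issue. Not electron-builder's
// own traversalNodeModulesCollector; the matcher handles only the common range
// forms (exact, ^, ~, >=, x-ranges, *).

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(text).trim());
  if (!m) throw new Error(`unsupported version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const s = String(spec).trim();
  if (s === "*" || s === "" || s === "x") return true;
  if (s.startsWith(">=")) return cmp(v, parseVersion(s.slice(2))) >= 0;
  if (s.startsWith("^") || s.startsWith("~")) {
    const lo = parseVersion(s.slice(1));
    let hi;
    if (s[0] === "~") hi = [lo[0], lo[1] + 1, 0];        // ~a.b.c  -> < a.(b+1).0
    else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];          // ^a.b.c  -> < (a+1).0.0
    else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];          // ^0.b.c  -> < 0.(b+1).0
    else hi = [0, 0, lo[2] + 1];                         // ^0.0.c  -> < 0.0.(c+1)
    return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
  }
  // x-ranges such as "7", "7.x", "7.1.x"; anything else is an exact pin.
  const x = /^(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(s);
  const wild = (p) => p === undefined || p === "x" || p === "*";
  if (x && (wild(x[2]) || wild(x[3]))) {
    if (v[0] !== Number(x[1])) return false;
    return wild(x[2]) ? true : v[1] === Number(x[2]);
  }
  return cmp(v, parseVersion(s)) === 0;
}

// Constructed miniature of a hoisted node_modules view (one installed copy per
// package name). Versions are placeholders, not this project's real lockfile.
const INSTALLED = {
  chevrotain: { version: "10.0.0", dependencies: { "lodash-es": "4.17.21" } },   // exact pin
  "lodash-es": { version: "4.18.0", dependencies: {} },                          // as resolved after an override
  "example-lib": { version: "1.0.0", dependencies: { "lodash-es": "^4.17.21" } }, // caret range tolerates it
};

// Returns one record per (declaring package, dependency) pair whose installed
// version is missing or falls outside the declared range.
function findMismatches(tree) {
  const problems = [];
  for (const [pkg, { dependencies }] of Object.entries(tree)) {
    for (const [dep, spec] of Object.entries(dependencies)) {
      const installed = tree[dep];
      if (!installed) problems.push({ pkg, dep, spec, installed: null });
      else if (!satisfies(installed.version, spec)) {
        problems.push({ pkg, dep, spec, installed: installed.version });
      }
    }
  }
  return problems;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of findMismatches(INSTALLED)) {
    console.log(`${p.pkg} declares ${p.dep}@${p.spec} but ${p.installed ?? "nothing"} is installed`);
  }
}
```

Run against the sample tree it reports only the chevrotain → lodash-es pair: the exact pin `4.17.21` rejects the overridden `4.18.0`, while the caret range in `example-lib` accepts it. That is the asymmetry behind the table above: an override is harmless to consumers that declare a range and fatal to consumers that declare an exact version, so the fix has to come from loosening the upstream declaration rather than from the override.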