Apply pnpm.overrides in js/package.json to force patched versions of vulnerable transitive dependencies:

- picomatch ^2.3.1 → ^2.3.2 (ReDoS via extglob quantifiers)
- flatted ^3.2.9 → ^3.4.2 (prototype pollution and unbounded-recursion DoS)
- minimatch ~3 → ^3.1.4 (multiple ReDoS vectors)
- minimatch ~9 → ^9.0.7 (ReDoS via repeated wildcards)
- @isaacs/brace-expansion ^5 → ^5.0.1 (uncontrolled resource consumption)
- serialize-javascript ^6 → ^7.0.3 (RCE via RegExp.flags)

pnpm.overrides is used here because none of the direct dependencies that pull in these transitive packages have released fixes upstream yet:

- wireit 0.14.12 (latest stable) → picomatch 2.3.1 via chokidar/micromatch
- eslint 9.x → flatted 3.3.3 via flat-cache, minimatch 3.1.2
- mocha 11.x → serialize-javascript 6.0.2
- vite-plugin-dts 4.x → minimatch 9.0.5, @isaacs/brace-expansion 5.0.0

Since the vulnerable ranges (e.g. ^2.3.1, ^3.2.9) already permit the patched versions, the overrides simply force pnpm to resolve to the fixed minor/patch release instead of the previously locked version.

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
{
"name": "root",
"private": true,
"type": "module",
"packageManager": "pnpm@10.14.0+sha512.ad27a79641b49c3e481a16a805baa71817a04bbe06a38d17e60e2eaee83f6a146c6a688125f5792e48dd5ba30e7da52a5cda4c3992b9ccf333f9ce223af84748",
"scripts": {
"prepare": "cd .. && husky js/.husky",
"build": "wireit"
},
"wireit": {
"build": {
"dependencies": [
"./apps/account-ui:build",
"./apps/admin-ui:build",
"./libs/keycloak-admin-client:build",
"./libs/ui-shared:build",
"./themes-vendor:build"
]
}
},
"devDependencies": {
"@eslint/compat": "^2.0.0",
"@eslint/eslintrc": "^3.3.3",
"@eslint/js": "^9.39.2",
"@types/node": "^25.0.3",
"eslint": "^9.39.2",
"eslint-config-prettier": "^10.1.8",
"eslint-plugin-lodash": "^8.0.0",
"eslint-plugin-playwright": "^2.4.0",
"eslint-plugin-prettier": "^5.5.4",
"eslint-plugin-react": "^7.37.5",
"eslint-plugin-react-compiler": "19.1.0-rc.2",
"eslint-plugin-react-hooks": "~6.1.0",
"husky": "^9.1.7",
"lint-staged": "^16.4.0",
"prettier": "^3.6.2",
"tslib": "^2.8.1",
"typescript": "^5.9.3",
"typescript-eslint": "^8.42.0",
"wireit": "^0.14.12"
},
"lint-staged": {
"*.{js,jsx,mjs,ts,tsx}": "eslint --cache --fix"
},
"author": {
"name": "Red Hat, Inc.",
"url": "https://www.keycloak.org/"
},
"license": "Apache-2.0",
"repository": {
"type": "git",
"url": "https://github.com/keycloak/keycloak.git",
"directory": "js/"
},
"homepage": "https://www.keycloak.org/",
"pnpm": {
"overrides": {
"picomatch@^2": "^2.3.2",
"flatted": "^3.4.2",
"minimatch@~3": "^3.1.4",
"minimatch@~9": "^9.0.7",
"@isaacs/brace-expansion@^5": "^5.0.1",
"serialize-javascript": "^7.0.3"
}
}
}