Merge pull request #315 from tbrandenburg/fix/issue-282-flatted-vulnerability

tbrandenburg · web-flow · commit 5395642f26d3 · 2026-03-27T15:20:55.000+01:00
Fix: Security vulnerability in flatted (GHSA-25h7-pfq9-p65f) (#282)
diff --git a/.claude/PRPs/issues/completed/issue-282.md b/.claude/PRPs/issues/completed/issue-282.md
@@ -0,0 +1,42 @@
+# Implementation: Issue #282 - flatted Security Vulnerability
+
+**Issue**: #282 - Security Vulnerability: flatted has high severity vulnerability (GHSA-25h7-pfq9-p65f)
+**Type**: CHORE
+**Completed**: 2026-03-27
+**Branch**: `fix/issue-282-flatted-vulnerability`
+**PR**: #315
+
+## Problem Statement
+
+The `flatted` package (version <3.4.0) had a high severity vulnerability (GHSA-25h7-pfq9-p65f) that allowed unbounded recursion DoS attacks in the parse() revive phase.
+
+## Solution
+
+Added npm override to `packages/frontend/package.json`:
+
+```json
+"overrides": {
+  "picomatch": "4.0.4",
+  "flatted": ">=3.4.0"
+}
+```
+
+## Changes Made
+
+| File | Change |
+|------|--------|
+| `packages/frontend/package.json` | Added flatted override to ensure >=3.4.0 |
+
+## Validation
+
+| Check | Result |
+|-------|--------|
+| npm audit | ✅ 0 vulnerabilities |
+| npm run lint | ✅ Pass |
+| npm run build | ✅ Pass |
+
+## Notes
+
+- The vulnerability existed as a transitive dependency through ESLint
+- Override ensures the fix cannot be accidentally reverted
+- No code changes required - pure dependency fix
diff --git a/packages/frontend/package.json b/packages/frontend/package.json
@@ -45,6 +45,7 @@
     "vitest": "^4.0.18"
   },
   "overrides": {
-    "picomatch": "4.0.4"
+    "picomatch": "4.0.4",
+    "flatted": ">=3.4.0"
   }
 }
