From 27a88dd17a7beb5e7ca44cfe69b4da074c2de812 Mon Sep 17 00:00:00 2001 From: kolaente Date: Thu, 9 Apr 2026 15:34:00 +0200 Subject: [PATCH] fix(deps): bump basic-ftp override to 5.2.1 to patch CRLF injection Resolves Dependabot alert #183 (high severity): basic-ftp 5.2.0 is vulnerable to FTP command injection via CRLF. The package is pulled in as a dev-only transitive dependency by @histoire/plugin-screenshot.
---
frontend/package.json | 2 +- frontend/pnpm-lock.yaml | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index b2ef2cf99..8508f8d0b 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -168,7 +168,7 @@
 "overrides": {
 "minimatch": "^10.2.3",
 "rollup": "$rollup",
- "basic-ftp": "5.2.0",
+ "basic-ftp": "5.2.1",
 "serialize-javascript": "^7.0.5",
 "flatted": "^3.4.1"
 }
diff --git a/frontend/pnpm-lock.yaml b/frontend/pnpm-lock.yaml
index 24973151e..5ae97b6d8 100644
--- a/frontend/pnpm-lock.yaml
+++ b/frontend/pnpm-lock.yaml
@@ -7,7 +7,7 @@ settings: overrides: minimatch: ^10.2.3 rollup: 4.60.1 - basic-ftp: 5.2.0 + basic-ftp: 5.2.1 serialize-javascript: ^7.0.5 flatted: ^3.4.1
@@ -3321,10 +3321,9 @@ packages: engines: {node: '>=6.0.0'} hasBin: true - basic-ftp@5.2.0: - resolution: {integrity: sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==} + basic-ftp@5.2.1: + resolution: {integrity: sha512-0yaL8JdxTknKDILitVpfYfV2Ob6yb3udX/hK97M7I3jOeznBNxQPtVvTUtnhUkyHlxFWyr5Lvknmgzoc7jf+1Q==} engines: {node: '>=10.0.0'} - deprecated: Security vulnerability fixed in 5.2.1, please upgrade bidi-js@1.0.3: resolution: {integrity: sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==}
@@ -10084,7 +10083,7 @@ snapshots: baseline-browser-mapping@2.10.12: {} - basic-ftp@5.2.0: {} + basic-ftp@5.2.1: {} bidi-js@1.0.3: dependencies:
@@ -11097,7 +11096,7 @@ snapshots: get-uri@6.0.4: dependencies: - basic-ftp: 5.2.0 + basic-ftp: 5.2.1 data-uri-to-buffer: 6.0.2 debug: 4.4.3 transitivePeerDependencies: