
Bump flatted from 3.4.1 to 3.4.2 in /zeppelin-web-angular/projects/zeppelin-react #5190

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/zeppelin-web-angular/projects/zeppelin-react/flatted-3.4.2

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Mar 21, 2026

Bumps flatted from 3.4.1 to 3.4.2.

Commits

@dependabot dependabot bot added the labels "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update Javascript code) Mar 21, 2026
@dididy
Contributor

dididy commented Mar 22, 2026

This looks good. It should also fix the npm-audit CI failure on #5184 - same flatted vulnerability.

jongyoul previously approved these changes Apr 4, 2026
@jongyoul
Member

jongyoul commented Apr 4, 2026

@dependabot rebase

Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2.
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot changed the title from "Bump flatted from 3.3.3 to 3.4.2 in /zeppelin-web-angular/projects/zeppelin-react" to "Bump flatted from 3.4.1 to 3.4.2 in /zeppelin-web-angular/projects/zeppelin-react" Apr 4, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/zeppelin-web-angular/projects/zeppelin-react/flatted-3.4.2 branch from 59eaecb to dd8c7ef April 4, 2026 12:07
@jongyoul
Member

jongyoul commented Apr 4, 2026

@dependabot Could you please check the below message and fix them as well?

Run npm audit for details.

npm audit report

brace-expansion <1.1.13 || >=4.0.0 <5.0.5
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
fix available via npm audit fix
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
node_modules/brace-expansion

lodash <=4.17.23
Severity: high
lodash vulnerable to Code Injection via _.template imports key names - GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit - GHSA-f23m-r3pf-42rh
fix available via npm audit fix
node_modules/lodash

path-to-regexp <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - GHSA-37ch-88jc-xwx2
fix available via npm audit fix
node_modules/path-to-regexp

picomatch <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
fix available via npm audit fix
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch

4 vulnerabilities (1 moderate, 3 high)
