Pin argparse/underscore to 1.13.8 via yarn resolution (#33364)

Fixes GHSA-cf4h-3jhx-xvhq (critical, arbitrary code execution) and GHSA-qpx9-hpmf-5gmw (high, DoS via _.flatten/_.isEqual). Vulnerable underscore@1.7.0 came from js-yaml@2.1.3 → argparse@0.1.16. All other instances were already ≥1.13.8. GitOrigin-RevId: b2ab4bc2682e19709694b7dd686134a439ade90c
2026-05-22 09:55:49 +02:00
parent afaef6a1ef
commit 6fa708982b
2 changed files with 2 additions and 8 deletions
@@ -32,6 +32,7 @@
    "node": ">=20.0.0"
  },
  "resolutions": {
+    "argparse/underscore": "1.13.8",
    "sandboxed-module": "patch:sandboxed-module@npm%3A2.0.4#~/.yarn/patches/sandboxed-module-npm-2.0.4-f8b45aacc9.patch",
    "request/tough-cookie": "5.1.2",
    "request/form-data": "2.5.5",
@@ -33305,20 +33305,13 @@ __metadata:
  languageName: node
  linkType: hard

-"underscore@npm:>=1.8.3, underscore@npm:~1.13.1":
+"underscore@npm:1.13.8, underscore@npm:>=1.8.3, underscore@npm:~1.13.1":
  version: 1.13.8
  resolution: "underscore@npm:1.13.8"
  checksum: 10c0/6677688daeda30484823e77c0b89ce4dcf29964a77d5a06f37299c007ab4bb1c66a0ff75e0d274620b62a1fe2a6ba29879f8214533ca611d71a1ae504f2bfc9b
  languageName: node
  linkType: hard

-"underscore@npm:~1.7.0":
-  version: 1.7.0
-  resolution: "underscore@npm:1.7.0"
-  checksum: 10c0/03d6d187c88031c8bf6fada822f43e956974b87dfd37232960e637dc10036968596b644ba4a65bdf09390493eff121d780e276c016addea6e2b3d5b6dd848696
-  languageName: node
-  linkType: hard
-
 "undici-types@npm:~7.16.0":
  version: 7.16.0
  resolution: "undici-types@npm:7.16.0"