mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-07-01 00:05:43 +08:00
7c79602c77
### What problem does this PR solve? This PR fixes two security vulnerabilities in web dependencies identified by Trivy: 1. CVE-2025-13465 (lodash): Prototype pollution vulnerability in _.unset and _.omit functions 2. CVE-2026-0540 (dompurify): Cross-site scripting (XSS) vulnerability **Changes:** - Upgraded lodash from 4.17.21 to 4.17.23 - Upgraded dompurify from 3.3.1 to 3.3.2 - Added npm override to force monaco-editor's transitive dependency on dompurify to use 3.3.2 (monaco-editor still depends on vulnerable 3.2.7) Both upgrades are backward-compatible patch versions. Build verified successfully with no breaking changes. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
6.4 KiB
6.4 KiB