update vunerable packages as well

2026-01-24 02:27:26 +09:00 · 2026-01-24 02:27:26 +09:00 · 5ab9c4ac13
parent 7dfee56a3e
commit 5ab9c4ac13
3 changed files with 22 additions and 23 deletions
--- a/package.json
+++ b/package.json
@ -52,10 +52,6 @@
 		"clean-all": "node scripts/clean-all.mjs",
 		"cleanall": "pnpm clean-all"
 	},
-	"resolutions": {
-		"chokidar": "5.0.0",
-		"lodash": "4.17.21"
-	},
 	"dependencies": {
 		"cssnano": "7.1.2",
 		"esbuild": "0.27.2",
@ -63,7 +59,7 @@
 		"ignore-walk": "8.0.0",
 		"js-yaml": "4.1.1",
 		"postcss": "8.5.6",
-		"tar": "7.5.2",
+		"tar": "7.5.6",
 		"terser": "5.46.0"
 	},
 	"devDependencies": {
@ -88,7 +84,9 @@
 	},
 	"pnpm": {
 		"overrides": {
-			"@aiscript-dev/aiscript-languageserver": "-"
+			"@aiscript-dev/aiscript-languageserver": "-",
+			"chokidar": "5.0.0",
+			"lodash": "4.17.23"
 		},
 		"ignoredBuiltDependencies": [
 			"@sentry-internal/node-cpu-profiler",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -5,9 +5,9 @@ settings:
  excludeLinksFromLockfile: false

 overrides:
-  chokidar: 5.0.0
-  lodash: 4.17.21
  '@aiscript-dev/aiscript-languageserver': '-'
+  chokidar: 5.0.0
+  lodash: 4.17.23

 importers:

@ -32,8 +32,8 @@ importers:
        specifier: 8.5.6
        version: 8.5.6
      tar:
-        specifier: 7.5.2
-        version: 7.5.2
+        specifier: 7.5.6
+        version: 7.5.6
      terser:
        specifier: 5.46.0
        version: 5.46.0
@ -8024,8 +8024,8 @@ packages:
  lodash.uniq@4.5.0:
    resolution: {integrity: sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==}

-  lodash@4.17.21:
-    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
+  lodash@4.17.23:
+    resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}

  log-symbols@4.1.0:
    resolution: {integrity: sha512-8XPvpAA8uyhfteu8pIvQxpJZ7SYYdpUivZpGy6sFsBuKRY/7rQGavedeB8aK+Zkyq6upMFVL/9AW6vOYzfRyLg==}
@ -10264,10 +10264,9 @@ packages:
    engines: {node: '>=10'}
    deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exhorbitant rates) by contacting i@izs.me

-  tar@7.5.2:
-    resolution: {integrity: sha512-7NyxrTE4Anh8km8iEy7o0QYPs+0JKBTj5ZaqHg6B39erLg0qYXN3BijtShwbsNSvQ+LN75+KV+C4QR/f6Gwnpg==}
+  tar@7.5.6:
+    resolution: {integrity: sha512-xqUeu2JAIJpXyvskvU3uvQW8PAmHrtXp2KDuMJwQqW8Sqq0CaZBAQ+dKS3RBXVhU4wC5NjAdKrmh84241gO9cA==}
    engines: {node: '>=18'}
-    deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exhorbitant rates) by contacting i@izs.me

  taskkill@5.0.0:
    resolution: {integrity: sha512-+HRtZ40Vc+6YfCDWCeAsixwxJgMbPY4HHuTgzPYH3JXvqHWUlsCfy+ylXlAKhFNcuLp4xVeWeFBUhDk+7KYUvQ==}
@ -13236,7 +13235,7 @@ snapshots:
      '@rushstack/terminal': 0.21.0(@types/node@24.10.9)
      '@rushstack/ts-command-line': 5.1.7(@types/node@24.10.9)
      diff: 8.0.2
-      lodash: 4.17.21
+      lodash: 4.17.23
      minimatch: 10.0.3
      resolve: 1.22.11
      semver: 7.5.4
@ -15167,7 +15166,7 @@ snapshots:
      chalk: 3.0.0
      css.escape: 1.5.1
      dom-accessibility-api: 0.6.3
-      lodash: 4.17.21
+      lodash: 4.17.23
      redent: 3.0.0

  '@testing-library/jest-dom@6.9.1':
@ -16210,7 +16209,7 @@ snapshots:
      graceful-fs: 4.2.11
      is-stream: 2.0.1
      lazystream: 1.0.1
-      lodash: 4.17.21
+      lodash: 4.17.23
      normalize-path: 3.0.0
      readable-stream: 4.7.0

@ -17166,7 +17165,7 @@ snapshots:
      hasha: 5.2.2
      is-installed-globally: 0.4.0
      listr2: 3.14.0(enquirer@2.4.1)
-      lodash: 4.17.21
+      lodash: 4.17.23
      log-symbols: 4.1.0
      minimist: 1.2.8
      ospath: 1.2.2
@ -19637,7 +19636,7 @@ snapshots:

  lodash.uniq@4.5.0: {}

-  lodash@4.17.21: {}
+  lodash@4.17.23: {}

  log-symbols@4.1.0:
    dependencies:
@ -20357,7 +20356,7 @@ snapshots:
      nopt: 9.0.0
      proc-log: 6.1.0
      semver: 7.7.3
-      tar: 7.5.2
+      tar: 7.5.6
      tinyglobby: 0.2.15
      which: 6.0.0
    transitivePeerDependencies:
@ -22231,7 +22230,7 @@ snapshots:
      yallist: 4.0.0
    optional: true

-  tar@7.5.2:
+  tar@7.5.6:
    dependencies:
      '@isaacs/fs-minipass': 4.0.1
      chownr: 3.0.0
@ -22884,7 +22883,7 @@ snapshots:
    dependencies:
      axios: 1.13.2(debug@4.4.3)
      joi: 18.0.1
-      lodash: 4.17.21
+      lodash: 4.17.23
      minimist: 1.2.8
      rxjs: 7.8.2
    transitivePeerDependencies:
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@ -36,3 +36,5 @@ minimumReleaseAge: 10080 # delay 7days to mitigate supply-chain attack
 minimumReleaseAgeExclude:
  - '@syuilo/aiscript'
  - '@fastify/express' # 脆弱性対応。そのうち消すこと
+  - 'lodash' # 脆弱性対応。そのうち消すこと
+  - 'tar' # 脆弱性対応。そのうち消すこと