npm - @codyswann/lisa - Versions diffs - 1.43.1 → 1.43.2 - Mend

@codyswann/lisa 1.43.1 → 1.43.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/nestjs/copy-overwrite/knip.json CHANGED Viewed

@@ -52,10 +52,10 @@
     "graphql-subscriptions",
     "graphql-ws",
     "lodash",
-    "reflect-metadata",
-    "rxjs",
     "ioredis",
     "pg",
+    "reflect-metadata",
+    "rxjs",
     "typeorm",
     "typeorm-naming-strategies"
   ],

package/package.json CHANGED Viewed

@@ -90,8 +90,12 @@
     "@isaacs/brace-expansion": "^5.0.1",
     "axios": ">=1.13.5"
   },
+  "overrides": {
+    "@isaacs/brace-expansion": "^5.0.1",
+    "axios": ">=1.13.5"
+  },
   "name": "@codyswann/lisa",
-  "version": "1.43.1",
+  "version": "1.43.2",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "bin": {
@@ -119,7 +123,7 @@
     "commander": "^12.0.0",
     "fs-extra": "^11.0.0",
     "lodash.merge": "^4.6.2",
-    "minimatch": "^10.1.1",
+    "minimatch": "^10.2.1",
     "picocolors": "^1.0.0"
   },
   "type": "module"

package/typescript/copy-contents/.husky/pre-push CHANGED Viewed

@@ -85,7 +85,13 @@ elif [ "$PACKAGE_MANAGER" = "bun" ]; then
   # Parent packages pin ^4.4.1; fix requires major version 5.x (incompatible)
   # Risk: None - CLI build tool, not a production runtime dependency
-  if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh; then
+  # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
+  # Transitive dependency in devDependencies (eslint, jest, nodemon, ts-morph, etc.)
+  # Fix requires minimatch v10 which changes export shape (object vs function),
+  # breaking test-exclude (used by Jest coverage). No production code path is affected.
+  # Risk: None - only devDependency tooling, never processes untrusted user input
+  if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-3ppc-4f35-3m26; then
     echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
     exit 1
   fi

package/typescript/copy-overwrite/.github/workflows/quality.yml CHANGED Viewed

@@ -1015,7 +1015,13 @@ jobs:
             # Parent packages pin ^4.4.1; fix requires major version 5.x (incompatible)
             # Risk: None - CLI build tool, not a production runtime dependency
-            if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh; then
+            # Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
+            # Transitive dependency in devDependencies (eslint, jest, nodemon, ts-morph, etc.)
+            # Fix requires minimatch v10 which changes export shape (object vs function),
+            # breaking test-exclude (used by Jest coverage). No production code path is affected.
+            # Risk: None - only devDependency tooling, never processes untrusted user input
+            if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-3ppc-4f35-3m26; then
               echo "::warning::Found high or critical vulnerabilities"
               exit 1
             fi

package/typescript/package-lisa/package.lisa.json CHANGED Viewed

@@ -58,6 +58,10 @@
     "resolutions": {
       "@isaacs/brace-expansion": "^5.0.1",
       "axios": ">=1.13.5"
+    },
+    "overrides": {
+      "@isaacs/brace-expansion": "^5.0.1",
+      "axios": ">=1.13.5"
     }
   },
   "defaults": {