@codyswann/lisa 1.74.1 → 1.75.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/all/copy-overwrite/.claude/rules/security-audit-handling.md +14 -1
- package/package.json +1 -1
- package/plugins/lisa/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-cdk/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-expo/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-nestjs/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-rails/.claude-plugin/plugin.json +1 -1
- package/plugins/lisa-typescript/.claude-plugin/plugin.json +1 -1
|
@@ -9,9 +9,22 @@ If `git push` fails because the pre-push hook reports security vulnerabilities,
|
|
|
9
9
|
3. If a patched version exists: add a resolution/override in package.json to force the patched version (add to both `resolutions` and `overrides` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push
|
|
10
10
|
4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
|
|
11
11
|
|
|
12
|
+
### Critical: Override the vulnerable package, not its parent
|
|
13
|
+
|
|
14
|
+
When the audit output shows a dependency chain like `@expo/cli › glob › minimatch`, the vulnerable package is **minimatch**, not glob. Always override the **leaf package** that has the actual vulnerability.
|
|
15
|
+
|
|
16
|
+
**Never override a parent package to force a lower major version** — other packages in the project may depend on a newer major version, and a resolution/override forces ALL installations to the specified version. For example, overriding `glob` to `^8.1.0` will break `@expo/cli` which requires `glob@^13.0.0`, causing `expo prebuild` to fail with `files.map is not a function`.
|
|
17
|
+
|
|
18
|
+
Before adding a resolution/override, verify:
|
|
19
|
+
- You are targeting the **actually vulnerable package**, not a parent in the chain
|
|
20
|
+
- The override version is **compatible with all dependents** (check with `bun why <package>` or `npm ls <package>`)
|
|
21
|
+
- The override does not **downgrade** a package across a major version boundary that other dependencies require
|
|
22
|
+
|
|
12
23
|
## Rails Projects (bundler-audit)
|
|
13
24
|
|
|
14
25
|
1. Note the advisory ID, affected gem, and advisory URL from the error output
|
|
15
26
|
2. Check if a patched version of the gem exists
|
|
16
|
-
3. If a patched version exists:
|
|
27
|
+
3. If a patched version exists:
|
|
28
|
+
- If the gem is a **direct dependency** (listed in Gemfile): update its version constraint in Gemfile, run `bundle update <gem>`, commit the changes, and retry the push
|
|
29
|
+
- If the gem is a **transitive dependency** (not in Gemfile, only in Gemfile.lock): run `bundle update <gem>` to pull the patched version without changing the Gemfile, commit the lockfile change, and retry the push
|
|
17
30
|
4. If no patched version exists and the vulnerability is safe for this project: document the exception and retry the push
|
package/package.json
CHANGED
|
@@ -74,7 +74,7 @@
|
|
|
74
74
|
"flatted": "^3.4.2"
|
|
75
75
|
},
|
|
76
76
|
"name": "@codyswann/lisa",
|
|
77
|
-
"version": "1.
|
|
77
|
+
"version": "1.75.0",
|
|
78
78
|
"description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
|
|
79
79
|
"main": "dist/index.js",
|
|
80
80
|
"exports": {
|