
Commit c5a3767

fix(deps): resolve high severity audit vulnerabilities (#16104)
# Overview

Fixes high-severity vulnerabilities reported by `pnpm audit --prod`.

## Key Changes

- **@eslint-react/eslint-plugin 1.31.0 → 1.53.1 in packages/eslint-config**
  - Direct minor bump. Eliminates the transitive `picomatch` 4.x dependency since 1.47.0+ replaced it with other packages.
- **Lockfile updates for happy-dom, picomatch, and path-to-regexp**
  - [GHSA-6q6h-j7hj-3r64](GHSA-6q6h-j7hj-3r64) (CVE-2026-33943) — happy-dom code injection via unsanitized export names.
  - [GHSA-w4gp-fjgq-3q4g](GHSA-w4gp-fjgq-3q4g) (CVE-2026-34226) — happy-dom fetch credentials leak on cross-origin requests.
  - [GHSA-c2c7-rcm5-vvqj](GHSA-c2c7-rcm5-vvqj) (CVE-2026-33671) — picomatch ReDoS via extglob quantifiers.
  - Existing semver ranges already allowed the fixed versions; the lockfile was just stale.

## Design Decisions

Direct dependency bumps were preferred over pnpm overrides. The only `package.json` change beyond lockfile updates is the @eslint-react bump. All other vulnerabilities resolved through lockfile updates alone since their semver ranges already permitted the patched versions.

The `effect` vulnerability ([GHSA-38f7-945m-qr2g](GHSA-38f7-945m-qr2g)) is not addressed here — `uploadthing` and `@uploadthing/shared` both pin `effect@3.17.7` (latest), below the fix at 3.20.0. Waiting for a new uploadthing release.

`path-to-regexp` >=8.4.0 fixes a ReDoS vulnerability but has breaking API changes. It was not upgraded; the lockfile resolved to a non-vulnerable version (6.3.0) naturally.
1 parent 46ddf8d commit c5a3767

2 files changed

Lines changed: 404 additions & 61 deletions

packages/eslint-config/package.json

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@
2424
"test": "echo \"Error: no test specified\" && exit 1"
2525
},
2626
"dependencies": {
27-
"@eslint-react/eslint-plugin": "1.31.0",
27+
"@eslint-react/eslint-plugin": "1.53.1",
2828
"@eslint/js": "9.39.2",
2929
"@payloadcms/eslint-plugin": "workspace:*",
3030
"@types/eslint": "9.6.1",
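Review bot: the pin jumps a lint plugin across 22 minor releases in one step (1.31.0 → 1.53.1) and the description explains only the dependency motive (1.47.0+ no longer pulls in transitive `picomatch` 4.x), not whether the plugin's rule set or defaults changed along the way; a sentence in the description confirming that the monorepo lint run passes unchanged, or listing any rules that had to be adjusted, would make this safe to merge without each reviewer re-running it. Keeping an exact pin rather than a caret range matches the neighbouring `"@eslint/js": "9.39.2"` and `"@types/eslint": "9.6.1"` entries, so no change is needed there.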

0 commit comments

Comments
 (0)