fix(deps): bump h3 and flatted overrides to fix security vulnerabilities (#1281)

BYK · web-flow · commit 34679a3789fd · 2026-03-20T14:00:03.000Z
Bump `pnpm.overrides` floor versions to resolve 3 open Dependabot alerts: | Alert | Package | Severity | Vulnerability | Override Change | |-------|---------|----------|---------------|-----------------| | #188 | `flatted` | HIGH | Prototype Pollution via `parse()` (CVE-2026-33228) | `>=3.4.0` → `>=3.4.2` | | #187 | `h3` | HIGH | SSE Injection via unsanitized newlines (CVE-2026-33128) | `>=1.15.5` → `>=1.15.6` | | #186 | `h3` | MEDIUM | Path Traversal via `%2e%2e` in `serveStatic` | `>=1.15.5` → `>=1.15.6` | Both parent packages (`flat-cache ^3.4.1`, `unstorage ^1.15.5`) accept the patched versions via semver — no forced incompatible upgrades. **Resolved versions:** flatted 3.4.2, h3 1.15.9
diff --git a/package.json b/package.json
@@ -24,10 +24,10 @@
     "overrides": {
       "vite@>=6.0.0 <6.3.6": ">=6.3.6",
       "tar": ">=7.5.11",
-      "h3": ">=1.15.5",
+      "h3": ">=1.15.6",
       "@sveltejs/kit": ">=2.49.5",
       "diff": ">=5.2.2",
-      "flatted": ">=3.4.0",
+      "flatted": ">=3.4.2",
       "yauzl@>=3.0.0": ">=3.2.1",
       "devalue": ">=5.6.4",
       "rollup@>=4.0.0": ">=4.59.0",
diff --git a/packages/spotlight/package.json b/packages/spotlight/package.json
@@ -32,9 +32,7 @@
     "test:e2e:electron": "playwright test tests/electron.test.ts",
     "sample": "node ./_fixtures/send_to_sidecar.cjs"
   },
-  "files": [
-    "dist"
-  ],
+  "files": ["dist"],
   "bin": {
     "spotlight": "./dist/run.js"
   },
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
