fix: override yauzl to 3.2.1 to resolve moderate vulnerability

yauzl <3.2.1 has an off-by-one error (GHSA-gmq8-994r-jv83). Transitive dependency via puppeteer → @puppeteer/browsers → extract-zip. npm overrides pins yauzl@3.2.1 without changing puppeteer version. npm audit now reports 0 vulnerabilities.
2026-03-14 08:02:50 +01:00 · 2026-03-14 08:02:50 +01:00 · 14181d17a7
commit 14181d17a7
parent 8f70a32f77
2 changed files with 11 additions and 14 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -2531,15 +2531,6 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/fd-slicer": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/fd-slicer/-/fd-slicer-1.1.0.tgz",
-      "integrity": "sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g==",
-      "license": "MIT",
-      "dependencies": {
-        "pend": "~1.2.0"
-      }
-    },
    "node_modules/fdir": {
      "version": "6.5.0",
      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
@ -5469,13 +5460,16 @@
      }
    },
    "node_modules/yauzl": {
-      "version": "2.10.0",
-      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.10.0.tgz",
-      "integrity": "sha512-p4a9I6X6nu6IhoGmBqAcbJy1mlC4j27vEPZX9F4L4/vZT3Lyq1VkFHw/V/PUcB9Buo+DG3iHkT0x3Qya58zc3g==",
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-3.2.1.tgz",
+      "integrity": "sha512-k1isifdbpNSFEHFJ1ZY4YDewv0IH9FR61lDetaRMD3j2ae3bIXGV+7c+LHCqtQGofSd8PIyV4X6+dHMAnSr60A==",
      "license": "MIT",
      "dependencies": {
        "buffer-crc32": "~0.2.3",
-        "fd-slicer": "~1.1.0"
+        "pend": "~1.2.0"
+      },
+      "engines": {
+        "node": ">=12"
      }
    },
    "node_modules/z-schema": {
--- a/package.json
+++ b/package.json
@ -41,5 +41,8 @@
    "typescript": "^5.9.3",
    "vitest": "^4.1.0"
  },
-  "type": "module"
+  "type": "module",
+  "overrides": {
+    "yauzl": "3.2.1"
+  }
 }