fix: pin dashboard follow-redirects security patch (#110)

xiaojiou176 · web-flow · commit b6c966db98e5 · 2026-04-14T19:18:32.000-07:00
diff --git a/README.md b/README.md
@@ -647,6 +647,10 @@ repo-owned override layer so `lighthouse@13.0.3` no longer resolves the
 vulnerable `lodash-es@4.17.23` path on either the root or dashboard lock
 surface, which keeps the Dependabot follow-up narrow instead of turning it
 into a broader Lighthouse upgrade.
+Current dashboard lock maintenance also pins `follow-redirects@1.16.0`
+through both the root and dashboard override surfaces so the maintained
+dashboard lockfile no longer carries the cross-domain redirect header-leak
+advisory on its isolated install path.
 Current lock maintenance also removes the optional dashboard `depcheck`
 dependency and pins patched `picomatch` / `brace-expansion` paths so GitHub
 security findings do not linger on an otherwise unused dependency chain.
diff --git a/apps/dashboard/README.md b/apps/dashboard/README.md
@@ -139,6 +139,10 @@ repository is already a finished consumer product.
   both the root workspace and `apps/dashboard` override surfaces so the
   tracked `lighthouse@13.0.3` transitive chain does not fall back to the
   vulnerable `lodash-es@4.17.23` path on either maintained lockfile.
+- Current security-only lock maintenance also pins `follow-redirects@1.16.0`
+  through both the root workspace and `apps/dashboard` override surfaces so
+  the maintained dashboard lockfile does not keep the cross-domain redirect
+  header-leak advisory on its isolated install path.
 - When a dashboard security-only lock refresh lands, keep this module README in
   the same change set so doc-drift gates can trace the maintenance decision to
   the dashboard surface that actually owns the lockfile.
diff --git a/apps/dashboard/package.json b/apps/dashboard/package.json
@@ -47,6 +47,7 @@
       "axios": "1.15.0",
       "basic-ftp": "5.2.2",
       "brace-expansion@5": "5.0.5",
+      "follow-redirects": "1.16.0",
       "lodash-es": "4.18.1",
       "minimatch@3": "3.1.4",
       "minimatch@7": "7.4.8",
diff --git a/apps/dashboard/pnpm-lock.yaml b/apps/dashboard/pnpm-lock.yaml
diff --git a/package.json b/package.json
@@ -155,6 +155,7 @@
       "basic-ftp": "5.2.2",
       "brace-expansion@5": "5.0.5",
       "cosmiconfig@7.1.0>yaml": "1.10.3",
+      "follow-redirects": "1.16.0",
       "lodash-es": "4.18.1",
       "minimatch@3": "3.1.4",
       "minimatch@7": "7.4.8",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
