muneebs · muneebs · Apr 5, 2026 · Apr 5, 2026
diff --git a/.changeset/fix-vulnerable-deps.md b/.changeset/fix-vulnerable-deps.md
diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @csrf-armor/core
 
+## 1.2.2
+
+### Patch Changes
+
+- [#46](https://github.com/muneebs/csrf-armor/pull/46) [`2eded88`](https://github.com/muneebs/csrf-armor/commit/2eded88f07c8c199fb16fd84ea13149c8864f56f) Thanks [@muneebs](https://github.com/muneebs)! - fix: resolve high/moderate severity vulnerabilities in transitive dependencies
+
+  Added pnpm overrides to force patched versions of `lodash` (>=4.18.0) and `defu` (>=6.1.5), which were pulled in transitively through the nuxt dependency chain. Addresses GHSA-r5fr-rjxr-66jc (lodash code injection), GHSA-f23m-r3pf-42rh (lodash prototype pollution), and GHSA-737v-mqg7-c878 (defu prototype pollution).
+
 ## 1.2.1
 
 ### Patch Changes

diff --git a/packages/core/package.json b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/core",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "description": "Framework-agnostic CSRF protection core functionality",
   "type": "module",
   "main": "./dist/index.mjs",

diff --git a/packages/express/CHANGELOG.md b/packages/express/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @csrf-armor/express
 
+## 1.2.2
+
+### Patch Changes
+
+- [#46](https://github.com/muneebs/csrf-armor/pull/46) [`2eded88`](https://github.com/muneebs/csrf-armor/commit/2eded88f07c8c199fb16fd84ea13149c8864f56f) Thanks [@muneebs](https://github.com/muneebs)! - fix: resolve high/moderate severity vulnerabilities in transitive dependencies
+
+  Added pnpm overrides to force patched versions of `lodash` (>=4.18.0) and `defu` (>=6.1.5), which were pulled in transitively through the nuxt dependency chain. Addresses GHSA-r5fr-rjxr-66jc (lodash code injection), GHSA-f23m-r3pf-42rh (lodash prototype pollution), and GHSA-737v-mqg7-c878 (defu prototype pollution).
+
+- Updated dependencies [[`2eded88`](https://github.com/muneebs/csrf-armor/commit/2eded88f07c8c199fb16fd84ea13149c8864f56f)]:
+  - @csrf-armor/core@1.2.2
+
 ## 1.2.1
 
 ### Patch Changes

diff --git a/packages/express/package.json b/packages/express/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/express",
-  "version": "1.2.1",
+  "version": "1.2.2",
   "description": "Express.js adapter for CSRF Armor - Advanced CSRF protection for Express.js applications",
   "type": "module",
   "types": "./dist/index.d.ts",

diff --git a/packages/nextjs/CHANGELOG.md b/packages/nextjs/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @csrf-armor/nextjs
 
+## 1.4.2
+
+### Patch Changes
+
+- [#46](https://github.com/muneebs/csrf-armor/pull/46) [`2eded88`](https://github.com/muneebs/csrf-armor/commit/2eded88f07c8c199fb16fd84ea13149c8864f56f) Thanks [@muneebs](https://github.com/muneebs)! - fix: resolve high/moderate severity vulnerabilities in transitive dependencies
+
+  Added pnpm overrides to force patched versions of `lodash` (>=4.18.0) and `defu` (>=6.1.5), which were pulled in transitively through the nuxt dependency chain. Addresses GHSA-r5fr-rjxr-66jc (lodash code injection), GHSA-f23m-r3pf-42rh (lodash prototype pollution), and GHSA-737v-mqg7-c878 (defu prototype pollution).
+
+- Updated dependencies [[`2eded88`](https://github.com/muneebs/csrf-armor/commit/2eded88f07c8c199fb16fd84ea13149c8864f56f)]:
+  - @csrf-armor/core@1.2.2
+
 ## 1.4.1
 
 ### Patch Changes

diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/nextjs",
-  "version": "1.4.1",
+  "version": "1.4.2",
   "description": "CSRF protection middleware for Next.js applications",
   "type": "module",
   "main": "./dist/index.js",
@@ -35,7 +35,10 @@
   ],
   "author": "Muneeb Samuels",
   "contributors": [
-    { "name": "Raul", "url": "https://github.com/raulcrisan" }
+    {
+      "name": "Raul",
+      "url": "https://github.com/raulcrisan"
+    }
   ],
   "license": "MIT",
   "repository": {

diff --git a/packages/nuxt/CHANGELOG.md b/packages/nuxt/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @csrf-armor/nuxt
 
+## 1.1.1
+
+### Patch Changes
+
+- [#46](https://github.com/muneebs/csrf-armor/pull/46) [`2eded88`](https://github.com/muneebs/csrf-armor/commit/2eded88f07c8c199fb16fd84ea13149c8864f56f) Thanks [@muneebs](https://github.com/muneebs)! - fix: resolve high/moderate severity vulnerabilities in transitive dependencies
+
+  Added pnpm overrides to force patched versions of `lodash` (>=4.18.0) and `defu` (>=6.1.5), which were pulled in transitively through the nuxt dependency chain. Addresses GHSA-r5fr-rjxr-66jc (lodash code injection), GHSA-f23m-r3pf-42rh (lodash prototype pollution), and GHSA-737v-mqg7-c878 (defu prototype pollution).
+
+- Updated dependencies [[`2eded88`](https://github.com/muneebs/csrf-armor/commit/2eded88f07c8c199fb16fd84ea13149c8864f56f)]:
+  - @csrf-armor/core@1.2.2
+
 ## 1.1.0
 
 ### Minor Changes

diff --git a/packages/nuxt/package.json b/packages/nuxt/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@csrf-armor/nuxt",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Nuxt module for CSRF protection powered by csrf-armor",
   "type": "module",
   "license": "MIT",