Security Concerns with Dependency Vulnerabilities in AdminLTE 4 #5714
Unanswered. Paulo-AndradeDev asked this question in Q&A.
Replies: 1 comment
-
@Paulo-AndradeDev Without write access to the repo in question there is not much you can do, I'm afraid.
-
Hey team,
Recently, while working on a project with AdminLTE 4.0.0-beta2, we encountered several security vulnerabilities flagged by GitHub's Dependabot. These include:
- DOM Clobbering leading to potential XSS attacks via Rollup and Vite scripts
- Prototype Pollution in dset
- Backtracking regular expressions in path-to-regexp
These vulnerabilities were identified in the package-lock.json file. While we resolved the issue by updating:
it raises concerns about the security of dependencies we rely on.
Question: What steps can be taken to ensure ongoing security for AdminLTE 4 users, especially regarding dependency management? Would it be feasible to introduce a more frequent audit or automation for dependency updates to avoid potential future risks?
Thanks for your attention, and I look forward to hearing your thoughts!
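One concrete way to get the recurring audit and automated dependency updates the question asks about, written here as an added example and not AdminLTE's own configuration: a Dependabot schedule for the npm lockfile plus a workflow that fails on high-severity `npm audit` findings. The `/` directory, the workflow name, the Node version and the cron time are assumptions.

```yaml
# .github/dependabot.yml  (added example; assumes package.json and package-lock.json at repo root)
# Schedules Dependabot version-update PRs. Security updates are a separate
# repository setting and are not controlled by this file.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      dev-dependencies:
        # Batch build-tool bumps (e.g. Rollup/Vite) into one PR to reduce review noise
        dependency-type: "development"
---
# .github/workflows/npm-audit.yml  (added example; workflow name and schedule are assumptions)
# Runs on every PR and once a week, so a newly published advisory is caught
# even when no one has touched the lockfile.
name: npm-audit
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # Monday 06:00 UTC
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # --ignore-scripts: install from the lockfile without running package lifecycle scripts
      - run: npm ci --ignore-scripts
      # Non-zero exit (and therefore a failed check) on any high or critical advisory
      - run: npm audit --audit-level=high
```

Lowering `--audit-level` to `moderate` would also have flagged the advisories listed in the question if they were rated below high; the threshold is a project choice.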