chore(deps): bump flatted from 3.3.2 to 3.4.2#649

Merged
jordanbrauer merged 2 commits into main from dependabot/npm_and_yarn/flatted-3.4.2
Apr 16, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github Mar 20, 2026

Bumps flatted from 3.3.2 to 3.4.2.

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 20, 2026 22:12
@dependabot dependabot Bot requested review from ericpsimon and jason-gill00 March 20, 2026 22:12
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.2 to 3.4.2.
- [Commits](WebReflection/flatted@v3.3.2...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/flatted-3.4.2 branch from adad2c1 to d347e5a March 27, 2026 17:30
@jordanbrauer jordanbrauer (Contributor) commented Apr 16, 2026

Minimal impact. Will merge.

LLM local review

---

## PR Review: `chore(deps): bump flatted from 3.3.2 to 3.4.2`

**Type:** Dependabot automated security patch  
**Scope:** `yarn.lock` only (3 lines changed)

---

### Summary

This PR bumps the transitive dependency `flatted` from `3.3.2` → `3.4.2`. The actual diff is minimal:

```diff
 flatted@^3.2.9:
-  version "3.3.2"
-  resolved "...flatted-3.3.2.tgz#adba1448..."
-  integrity sha512-AiwGJM8Y...
+  version "3.4.2"
+  resolved "...flatted-3.4.2.tgz#f5c23c10..."
+  integrity sha512-PjDse7Rz...
```

---

### Dependency Chain

```
eslint (devDependency)
└─ flat-cache
   └─ flatted   ← this package
```


`flatted` is an **indirect devDependency only** — it is not bundled into any production artifact or published to npm consumers of this SDK.

---

### Security Relevance

The `3.4.2` release includes a fix for **CWE-1321 (Prototype Pollution)**. However, since `flatted` is only reachable through `eslint` during local development/CI linting, this vulnerability has **no production impact** for the SDK or its consumers.

---

### Assessment

**Approve.** This is a low-risk, safe dependency bump:

- Minimal change (3 lines in `yarn.lock`)
- No production code is affected
- Addresses a known CVE in a devDependency
- Standard Dependabot hygiene — routine to merge

No concerns.

@coderabbitai can you look?
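The review's central triage claim is that `flatted` is reachable only through a devDependency. The following is an added example, not part of this PR or of the SDK's own tooling, showing how that claim can be checked mechanically: walk the dependency graph once from the `dependencies` roots and once from the `devDependencies` roots and report which set reaches the package, with the path. The `package.json` fragment and the graph are constructed for the example; the `eslint` → `flat-cache` → `flatted` chain is the one the review names, while `form-data` and `mime-types` are placeholder entries. In a real checkout the graph would come from `yarn.lock` (or from the output of `yarn why flatted`).

```javascript
// Added example (not the SDK's tooling): classify whether a package is reachable
// from production dependencies, only from devDependencies, or not at all.

// Constructed manifest fragment. Only the dependency sections matter here.
const samplePackageJson = {
  dependencies: { 'form-data': '^4.0.0' },          // placeholder prod dep
  devDependencies: { eslint: '^9.0.0' },             // chain named in the review
};

// Constructed adjacency map: package -> the packages it depends on at runtime,
// as a lockfile would resolve them. 'mime-types' is a placeholder.
const sampleGraph = {
  'form-data': ['mime-types'],
  'mime-types': [],
  eslint: ['flat-cache'],
  'flat-cache': ['flatted'],
  flatted: [],
};

// Depth-first walk from the given roots. Returns the first path found to
// `target` as an array of package names, or null if `target` is unreachable.
function reachable(graph, roots, target) {
  const seen = new Set();
  const stack = [...roots];
  const paths = new Map(roots.map((r) => [r, [r]]));
  while (stack.length) {
    const name = stack.pop();
    if (name === target) return paths.get(name);
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] || []) {
      if (!paths.has(dep)) paths.set(dep, [...paths.get(name), dep]);
      stack.push(dep);
    }
  }
  return null;
}

// Production reachability wins over dev reachability: if any prod root reaches
// the package, the advisory applies to shipped artifacts regardless of dev use.
function classifyExposure(pkgJson, graph, target) {
  const prod = reachable(graph, Object.keys(pkgJson.dependencies || {}), target);
  const dev = reachable(graph, Object.keys(pkgJson.devDependencies || {}), target);
  if (prod) return { exposure: 'production', path: prod };
  if (dev) return { exposure: 'dev-only', path: dev };
  return { exposure: 'unreachable', path: null };
}

// Stand-alone run: prints the classification for the package under review.
console.log(JSON.stringify(classifyExposure(samplePackageJson, sampleGraph, 'flatted')));
```

A lockfile entry such as the `flatted@^3.2.9` block above tells you the resolved version, but not which manifest root pulls the package in; that is why the walk starts from the manifest's own `dependencies` and `devDependencies` rather than from the lockfile entries.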

@coderabbitai coderabbitai Bot commented Apr 16, 2026

@jordanbrauer: Your local LLM review is accurate. Here's my confirmation with a few additional details:

The security advisory is GHSA-rf6f-7fwh-wjgh / CVE-2026-33228, rated High severity. The parse() function in flatted could use attacker-controlled string values from parsed JSON as direct array index keys without numeric validation, allowing an attacker to supply a crafted flatted string that causes the returned object to hold a live reference to Array.prototype — enabling any downstream code that writes to that property to pollute the global prototype chain, potentially causing denial of service or code execution.

Specifically, accessing the internal input buffer (a JavaScript Array) with the key __proto__ returns Array.prototype via the inherited getter; this object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer — and any subsequent writes to that property pollute the global prototype.

The vulnerability exists in flatted prior to version 3.4.2.

Scope assessment: Since flatted is only reachable through eslint → flat-cache → flatted in this repo's dev toolchain, this has no impact on production SDK consumers. The bump is safe, routine, and addresses a real (if low-exploitability-in-context) High-severity CVE. ✅

[approve]

@jordanbrauer jordanbrauer merged commit baf67df into main Apr 16, 2026
7 checks passed
@jordanbrauer jordanbrauer deleted the dependabot/npm_and_yarn/flatted-3.4.2 branch April 16, 2026 18:36
@stainless-app stainless-app Bot mentioned this pull request Apr 16, 2026
@coderabbitai coderabbitai Bot commented Apr 16, 2026

@jordanbrauer: Happy to confirm — your local LLM's assessment is spot-on, and my earlier analysis stands.

To add precise CVE details: GHSA-rf6f-7fwh-wjgh / CVE-2026-33228 was published March 19, 2026, rated High with a CVSS score of 8.9/10.

The vulnerability mechanics are: the parse() function in flatted could use attacker-controlled string values from parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key __proto__ returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer — any code that subsequently writes to that property will pollute the global prototype.

This issue has been patched in version 3.4.2 — exactly what this PR delivers.

As your LLM noted, since flatted is only reachable through eslint → flat-cache → flatted in the dev toolchain, there is zero production impact for SDK consumers. This is a routine, safe bump that's correct to merge. ✅

[approve]
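Both coderabbitai comments above describe the same mechanism: a string taken from untrusted input is used as an array index without checking that it is numeric, and `__proto__` on a JavaScript Array resolves, through the inherited accessor, to `Array.prototype`. The following is an added example, not flatted's code and not the fix that shipped in 3.4.2 (read the upstream `fix CWE-1321` commit for that). It places the unvalidated lookup beside a lookup that accepts only canonical, in-range integer index strings, and adds a consumer-side check that reports any decoded value that is a shared built-in prototype. `sampleBuffer`, `unsafeLookup`, `safeLookup`, `isCanonicalIndex` and `findPrototypeLeaks` are names chosen for this example, and the buffer is a constructed stand-in for the kind of value table a flatted-style decoder keeps.

```javascript
// Added example (not flatted's code): index-key validation for a decoder that
// resolves references into an Array, plus a consumer-side prototype-leak check.

// Constructed stand-in for a decoder's value buffer: three decoded values.
const sampleBuffer = [{ name: 'root' }, 'hello', [1, 2]];

// Unvalidated lookup. Because sampleBuffer is an Array, a key of "__proto__"
// hits the inherited accessor and returns Array.prototype, a live global object.
function unsafeLookup(buffer, key) {
  return buffer[key];
}

// Accept only canonical non-negative integer strings ("0", "12") that are in
// range. Rejects "01", "1e3", "-1", "__proto__", "constructor", and anything
// that is not a string, so the lookup can never reach an inherited property.
function isCanonicalIndex(key, length) {
  if (typeof key !== 'string' || !/^(0|[1-9][0-9]*)$/.test(key)) return false;
  const n = Number(key);
  return Number.isSafeInteger(n) && n < length;
}

// Hardened lookup: fails closed on any key that is not a real array index.
function safeLookup(buffer, key) {
  if (!isCanonicalIndex(key, buffer.length)) {
    throw new TypeError(`refusing non-index key ${JSON.stringify(key)}`);
  }
  return buffer[key];
}

// Defence in depth for consumers of a decoder: walk the decoded object graph and
// report every property path whose value is a shared built-in prototype. Any hit
// means a later write through that path would pollute the global prototype chain.
function findPrototypeLeaks(value, path = '$', seen = new Set(), out = []) {
  if (value === Array.prototype || value === Object.prototype) {
    out.push(path);
    return out;
  }
  if (value !== null && typeof value === 'object' && !seen.has(value)) {
    seen.add(value);
    for (const k of Object.keys(value)) {
      findPrototypeLeaks(value[k], `${path}.${k}`, seen, out);
    }
  }
  return out;
}

// Runs both lookups against the hostile key and checks the resulting object.
function demo() {
  const leakedViaUnsafe = unsafeLookup(sampleBuffer, '__proto__') === Array.prototype;
  let safeRejected = false;
  try {
    safeLookup(sampleBuffer, '__proto__');
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  // An output object assembled with the unvalidated lookup: "b" now holds
  // Array.prototype, which the leak check reports at path "$.b".
  const out = { a: unsafeLookup(sampleBuffer, '1'), b: unsafeLookup(sampleBuffer, '__proto__') };
  return { leakedViaUnsafe, safeRejected, leaks: findPrototypeLeaks(out) };
}

console.log(JSON.stringify(demo()));
```

The regular expression is deliberately stricter than `Number.isInteger(Number(key))` would be: `"01"` and `"1e3"` both convert to integers, but neither is the canonical form an array uses for its own index properties, so accepting them would still let the key set diverge from the real index space. Reporting leaks by path rather than boolean lets an application log exactly which decoded field carried the shared prototype.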
