
fix(security): CVE-2026-27212 and CVE-2026-26996 addressed for release/3.12 #5831

Merged
jbocce merged 2 commits into OHIF:release/3.12 from jbocce:fix/minimatch-advisory-release-3.12
Feb 23, 2026

Conversation

@jbocce jbocce commented Feb 20, 2026

Context

GHSA-hmx5-qpq5-p643
GHSA-3ppc-4f35-3m26

Changes & Results

CVE-2026-27212 patched.
Various dependency updates as a result of CVE-2026-26996. Ultimately CVE-2026-26996 was ignored because it is only exposed in itk-wasm via CLI and OHIF's other use of minimatch is limited to build/dev environments.

Testing

All CLI checks and builds should work.
Automated tests should all pass.

Checklist

PR

  • My Pull Request title is descriptive, accurate and follows the
    semantic-release format and guidelines.

Code

  • My code has been well-documented (function documentation, inline comments,
    etc.)

Public Documentation Updates

  • The documentation page has been updated as necessary for any public API
    additions or removals.

Greptile Summary

This PR addresses CVE-2026-27212 and CVE-2026-26996 on the release/3.12 branch through a combination of dependency removals, version bumps, and a security audit ignore-list update.

  • CVE-2026-27212: Patched by removing vulnerable transitive dependencies — swiper removed from platform/ui, istanbul and patch-package removed from root, and babel-plugin-istanbul bumped to 7.0.1. Several unused eslint-related packages (@babel/eslint-parser, eslint-loader, babel-plugin-module-resolver, eslint-plugin-flowtype, eslint-webpack-plugin) removed across multiple extension/mode packages and CLI templates.
  • CVE-2026-26996 (minimatch): Explicitly ignored in CI security audit (.circleci/config.yml) with clear justification that OHIF's usage of minimatch via glob/itk-wasm is limited to CLI and build/dev environments, not exposed to end users.
  • Dependency modernization in addOns/externals/devDependencies: ESLint ecosystem bumped significantly (eslint 8→10, @typescript-eslint/* 6→8, eslint-plugin-react-hooks 4→7, eslint-config-react-app 6→7, serve 14.2.4→14.2.5). The eslint 10 bump warrants attention as it drops legacy .eslintrc config support — though this package is a dependency manifest for external add-ons and doesn't directly affect the main project's linting.
  • Lock files (bun.lock, yarn.lock) updated accordingly with large diffs from transitive dependency resolution.

Confidence Score: 4/5

  • This PR is safe to merge — it removes unused dependencies and patches CVEs with no runtime code changes, though the eslint 10 bump in externals should be verified.
  • Score of 4 reflects that all changes are dependency-only (no application logic modified), removed packages are confirmed unused in source code, and the security justification for ignoring CVE-2026-26996 is sound. Deducted 1 point because the eslint 8→10 major version bump in addOns/externals/devDependencies may introduce peer dependency conflicts for external add-on consumers, and the large lock file diffs are difficult to fully audit.
  • addOns/externals/devDependencies/package.json — eslint 10.0.1 is a major version bump that drops legacy config support and may conflict with peer dependencies of co-listed plugins.

Important Files Changed

Filename Overview
.circleci/config.yml Adds CVE-2026-26996 (GHSA-3ppc-4f35-3m26) to the security audit ignore list with clear justification that OHIF's use of minimatch is limited to build/CLI contexts.
package.json Removes unused istanbul and patch-package devDependencies, bumps babel-plugin-istanbul from 7.0.0 to 7.0.1. All removed packages are confirmed unused in the codebase.
platform/ui/package.json Removes unused swiper dependency (8.4.7). Confirmed no imports of swiper exist in the platform/ui source code.
addOns/externals/devDependencies/package.json Major version bumps: eslint 8.57.1→10.0.1, eslint-plugin-react-hooks 4.6.2→7.0.1, eslint-plugin-promise 5.2.0→7.2.1, eslint-config-react-app 6.0.0→7.0.1; removes several unused packages. ESLint 10 requires flat config format which may conflict with legacy .eslintrc usage in add-ons.
extensions/usAnnotation/package.json Removes unused devDependencies: @babel/eslint-parser, babel-plugin-module-resolver, eslint, and eslint-loader. None are referenced in source code or eslint configs.
modes/segmentation/package.json Removes unused devDependencies: @babel/eslint-parser, eslint, and eslint-loader. Consistent cleanup matching other extension/mode packages.
modes/usAnnotation/package.json Removes unused devDependencies: @babel/eslint-parser, eslint, and eslint-loader. Consistent cleanup matching other extension/mode packages.
platform/cli/templates/extension/dependencies.json Removes @babel/eslint-parser, babel-plugin-module-resolver, eslint, and eslint-loader from the CLI extension template. Keeps templates aligned with the updated dependency strategy.
platform/cli/templates/mode/dependencies.json Removes @babel/eslint-parser, eslint, and eslint-loader from the CLI mode template. Consistent with extension template cleanup.
bun.lock Lock file updated to reflect all package.json changes. Large diff (+1357/-) due to transitive dependency resolution from multiple version bumps and removals.
yarn.lock Lock file updated to reflect all package.json changes. Large diff (+1913/-) due to transitive dependency resolution. New babel core and eslint versions pulled in as transitive dependencies.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["CVE-2026-27212"] --> B["Remove vulnerable deps"]
    A --> C["Bump babel-plugin-istanbul\n7.0.0 → 7.0.1"]
    B --> D["Remove swiper\nfrom platform/ui"]
    B --> E["Remove istanbul,\npatch-package\nfrom root"]
    B --> F["Remove unused eslint pkgs\nfrom extensions/modes/templates"]
    
    G["CVE-2026-26996\n(minimatch)"] --> H["Add to CI ignore list\n.circleci/config.yml"]
    H --> I["Justification: only used\nin CLI & build/dev contexts"]

    J["Dependency Modernization\naddOns/externals"] --> K["eslint 8 → 10"]
    J --> L["@typescript-eslint/* 6 → 8"]
    J --> M["eslint-plugin-react-hooks 4 → 7"]
    J --> N["eslint-config-react-app 6 → 7"]
    J --> O["serve 14.2.4 → 14.2.5"]

    B --> P["Update lock files\nbun.lock + yarn.lock"]
    C --> P
    J --> P

Last reviewed commit: bb4a3c8

Various dependency updates as a result of CVE-2026-26996.
Ultimately CVE-2026-26996 was ignored because it is only exposed in itk-wasm via CLI and OHIF's other use of minimatch is limited to build/dev environments.
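The justification given above for ignoring CVE-2026-26996 (minimatch reachable only through the itk-wasm CLI and build/dev tooling) is a statement about dependency paths, so it can be enforced rather than only recorded. The block below is an added example, not OHIF's CI code and not the contents of its .circleci/config.yml: it evaluates records in the line-oriented `yarn audit --json` (yarn classic) shape against an ignore list whose entries carry a written reason and an accepted-path predicate, so the job still fails if the ignored advisory is later reached through a runtime dependency path. The audit records, the `itk-wasm>minimatch`, `glob>minimatch` and `hypothetical-runtime-pkg>minimatch` paths, and all function names are constructed for the example.

```javascript
// Added example (not OHIF's CI code): enforce an audit ignore list whose
// entries are scoped to the dependency paths in which the risk was accepted.
// Records follow the `yarn audit --json` (yarn classic) line format; every
// sample line below is constructed for this example.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Builds one constructed auditAdvisory record in yarn classic's shape.
function advisoryLine(id, moduleName, severity, path, dev) {
  return JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id: 0, path, dev, optional: false, bundled: false },
      advisory: { module_name: moduleName, github_advisory_id: id, severity },
    },
  });
}

// Constructed sample: the two minimatch paths the PR description describes
// (itk-wasm CLI, build/dev tooling via glob) plus a summary record that the
// parser must skip. The exact paths are assumptions, not OHIF's lock file.
const SAMPLE_AUDIT_JSONL = [
  advisoryLine('GHSA-3ppc-4f35-3m26', 'minimatch', 'high', 'itk-wasm>minimatch', false),
  advisoryLine('GHSA-3ppc-4f35-3m26', 'minimatch', 'high', 'glob>minimatch', true),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { high: 2 } } }),
];

// Constructed record: the same advisory reached through a hypothetical
// runtime dependency, which the written justification does not cover.
const RUNTIME_REACH_LINE = advisoryLine(
  'GHSA-3ppc-4f35-3m26', 'minimatch', 'high', 'hypothetical-runtime-pkg>minimatch', false,
);

// Ignore list: advisory id, the reason that was reviewed, and a predicate that
// returns true only for the paths in which that reason actually holds.
const IGNORE_LIST = [
  {
    advisory: 'GHSA-3ppc-4f35-3m26', // CVE-2026-26996
    reason: 'minimatch only reachable via the itk-wasm CLI and build/dev tooling; not shipped to end users',
    accept: (finding) => finding.dev || finding.path.startsWith('itk-wasm>'),
  },
];

// Parses the JSON-lines output and keeps only the advisory records.
function parseAuditLines(jsonl) {
  return jsonl
    .map((line) => JSON.parse(line))
    .filter((rec) => rec.type === 'auditAdvisory')
    .map((rec) => ({
      id: rec.data.advisory.github_advisory_id,
      module: rec.data.advisory.module_name,
      severity: rec.data.advisory.severity,
      path: rec.data.resolution.path,
      dev: Boolean(rec.data.resolution.dev),
    }));
}

// Returns accepted findings (with their justification) and failures.
// Findings below minSeverity are dropped, mirroring the usual audit-level gate.
function evaluateAudit(findings, ignoreList, minSeverity = 'moderate') {
  const accepted = [];
  const failures = [];
  for (const f of findings) {
    if ((SEVERITY_RANK[f.severity] ?? 0) < SEVERITY_RANK[minSeverity]) continue;
    const entry = ignoreList.find((e) => e.advisory === f.id);
    if (entry && entry.accept(f)) {
      accepted.push({ ...f, reason: entry.reason });
    } else if (entry) {
      failures.push({ ...f, reason: `ignored advisory reached outside its accepted scope: ${f.path}` });
    } else {
      failures.push({ ...f, reason: 'advisory not on the ignore list' });
    }
  }
  return { accepted, failures };
}

// CI gate: true when every advisory is either absent or accepted in scope.
function auditPasses(jsonl, ignoreList) {
  return evaluateAudit(parseAuditLines(jsonl), ignoreList).failures.length === 0;
}

// Stand-alone run: the justified paths pass, the runtime path fails.
const baseline = evaluateAudit(parseAuditLines(SAMPLE_AUDIT_JSONL), IGNORE_LIST);
const widened = evaluateAudit(parseAuditLines([...SAMPLE_AUDIT_JSONL, RUNTIME_REACH_LINE]), IGNORE_LIST);
console.log(`baseline: ${baseline.accepted.length} accepted, ${baseline.failures.length} failing`);
console.log(`with runtime path: ${widened.failures.map((f) => f.reason).join('; ')}`);
```

The point of the predicate is that an ignore entry encodes the condition under which the risk was accepted; when a later dependency bump drags minimatch into a path that a served bundle can reach, the same advisory id fails the job instead of being silently waved through on the strength of an old justification.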
@jbocce jbocce requested a review from sedghi February 20, 2026 23:22

@greptile-apps greptile-apps bot left a comment


11 files reviewed, 1 comment


"css-loader": "6.11.0",
"dotenv": "8.6.0",
"eslint": "8.57.1",
"eslint": "10.0.1",
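Review bot: the exact pin to eslint 10.0.1 in addOns/externals/devDependencies/package.json needs its peer ranges checked against the plugins listed beside it before this manifest is shipped to add-on consumers: as the thread notes, eslint-config-react-app@7.0.1 peers on eslint ^8.0.0 and eslint-plugin-node@11.1.0 on eslint >=5.16.0 <9.0.0, and ESLint 10 will not load a legacy .eslintrc at all. Either bump or drop those plugins in the same change, or pin eslint@9.x, and state in the PR which option was taken, since the later reply only says the dependency was updated without naming the version.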


ESLint 10 requires flat config format

ESLint 10 dropped support for the legacy .eslintrc configuration format and only supports the flat config (eslint.config.js). The repository currently uses .eslintrc.json at the root. While this @externals/devDependencies package is a dependency manifest for external add-ons (not the main project), any add-on consuming this eslint version would need a flat config file.

Additionally, several plugins listed here have peer dependency constraints that may conflict with eslint 10:

  • eslint-config-react-app@7.0.1 has a peer dependency on eslint ^8.0.0
  • eslint-plugin-node@11.1.0 has a peer dependency on eslint >=5.16.0 <9.0.0
  • eslint-config-prettier@7.2.0 supports eslint >=7.0.0 but hasn't been tested with 10

If external add-ons that consume these dependencies actually run eslint, this could cause peer dependency warnings or runtime failures. Consider verifying that eslint 10 is intentional here, or pin to eslint@9.x which still supports the ESLINT_USE_FLAT_CONFIG=false escape hatch.


@jbocce jbocce Feb 21, 2026


Ok @greptileai the dependency was updated. Please check again.

@jbocce jbocce merged commit 51d267e into OHIF:release/3.12 Feb 23, 2026
3 checks passed
@jbocce jbocce deleted the fix/minimatch-advisory-release-3.12 branch February 23, 2026 19:51
