
fix(security): Bump svgo and tar to fix vulnerabilities in release 3.12#5881

Merged
jbocce merged 1 commit into OHIF:release/3.12 from jbocce:fix/OHIF-2536-svgo-and-tar-security-release-3.12
Mar 6, 2026

Conversation

@jbocce
Collaborator

@jbocce jbocce commented Mar 6, 2026

Context

Changes & Results

Patched the vulnerable packages.

Testing

Run the automated tests.

Checklist

PR

  • My Pull Request title is descriptive, accurate and follows the
    semantic-release format and guidelines.

Code

  • My code has been well-documented (function documentation, inline comments,
    etc.)

Public Documentation Updates

  • The documentation page has been updated as necessary for any public API
    additions or removals.

Greptile Summary

This PR patches two known security vulnerabilities in the release/3.12 branch by bumping tar from 7.5.9 to 7.5.10 (fixes GHSA-qffp-2rhf-9h96) and pinning svgo to 3.3.3 via the resolutions field (fixes GHSA-xpqw-6gx7-v673, which was caused by the now-removed @trysound/sax dependency, replaced by sax@1.5.0).

Key changes:

  • tar bumped 7.5.9 → 7.5.10 in root package.json resolutions and all lock files.
  • svgo pinned to 3.3.3 in root and docs package.json resolutions; @trysound/sax (vulnerable SAX parser) is replaced by sax@^1.5.0 in the dependency tree.
  • Transitive orphaned packages (stable, css-tree@1.1.x, csso@4.x, mdn-data@2.0.14, @trysound/sax) are pruned from lock files.
  • The resolutions override also forces svgo@^2.7.0 (previously 2.8.0) to resolve to 3.3.3 — a major-version upgrade that affects transitive consumers like postcss-svgo. Both lock files are consistently updated.

The security intent is correct and the approach (using Yarn resolutions) is the standard pattern for patching transitive vulnerabilities.

Confidence Score: 5/5

  • Security patches are correctly applied; dependency resolutions are consistently updated across all lock files.
  • The PR applies well-established security patches using Yarn's standard resolutions pattern. Both vulnerabilities are addressed with correct version bumps (tar 7.5.10, svgo 3.3.3 with sax@1.5.0 replacing the vulnerable @trysound/sax). The package.json resolutions are mirrored consistently across root and docs sub-project, and all three lock files (yarn.lock, bun.lock, platform/docs/yarn.lock) are updated together. The author has committed to running automated tests which will validate the integrity of the build and any transitive dependency interactions.
  • No files require special attention

Last reviewed commit: 2fd4c00
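An added example (not OHIF's code and not part of this PR) that shows how to verify the kind of fix the summary above describes: it parses a constructed yarn.lock v1 excerpt, checks that every entry for tar and svgo resolves at or above the versions the PR pins through the resolutions field, flags any leftover @trysound/sax entry that should have been pruned, and confirms the resolutions field itself still carries the pin so a fresh install cannot regress. The lock text, the package.json fragment, and the parseYarnLockV1/compareVersions/auditLock helpers are all assumptions made for illustration; the version floors and package names come from the PR page.

```javascript
// Added example, not OHIF code: audit a yarn.lock (v1 format) against the
// version floors that a package.json "resolutions" override is meant to enforce.
// All inputs below are constructed for illustration.

// Constructed package.json fragment mirroring the resolutions used by the PR.
const packageJson = {
  resolutions: {
    tar: '7.5.10',
    svgo: '3.3.3',
  },
};

// Minimum versions that close the advisories named on the PR page.
const MIN_PATCHED = {
  tar: '7.5.10', // GHSA-qffp-2rhf-9h96
  svgo: '3.3.3', // GHSA-xpqw-6gx7-v673
};

// Packages that the fix is expected to remove from the tree entirely.
const MUST_BE_PRUNED = ['@trysound/sax'];

// Constructed yarn.lock v1 excerpt: svgo is fixed, but tar is still on the
// vulnerable version and the old SAX parser has not been pruned.
const yarnLock = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@trysound/sax@0.2.0":
  version "0.2.0"
  resolved "https://registry.yarnpkg.com/@trysound/sax/-/sax-0.2.0.tgz"

svgo@^2.7.0, svgo@^3.0.0:
  version "3.3.3"
  resolved "https://registry.yarnpkg.com/svgo/-/svgo-3.3.3.tgz"
  dependencies:
    sax "^1.5.0"

tar@^7.4.3:
  version "7.5.9"
  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.9.tgz"
`;

// Parse yarn.lock v1 into { name, specs, version } entries. Each entry starts
// with an unindented header listing the specifiers it satisfies, e.g.
// `svgo@^2.7.0, svgo@^3.0.0:`, followed by an indented `version "x.y.z"` line.
function parseYarnLockV1(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split('\n').filter((l) => l.trim() !== '' && !l.startsWith('#'));
    if (lines.length === 0 || /^\s/.test(lines[0])) continue;
    const specs = lines[0].replace(/:$/, '').split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
    const versionMatch = block.match(/^\s+version "([^"]+)"/m);
    if (!versionMatch) continue;
    // The package name is everything before the last '@' (handles scoped names).
    const names = new Set(specs.map((s) => s.slice(0, s.lastIndexOf('@'))));
    for (const name of names) entries.push({ name, specs, version: versionMatch[1] });
  }
  return entries;
}

// Compare plain dotted versions (no pre-release tags); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Report every lock entry below its patched floor, every package that should
// no longer be present, and any floor the resolutions field fails to pin.
function auditLock(lockText, minPatched, mustBePruned, resolutions) {
  const findings = [];
  for (const e of parseYarnLockV1(lockText)) {
    if (mustBePruned.includes(e.name)) {
      findings.push({ name: e.name, version: e.version, reason: 'should be pruned' });
    } else if (e.name in minPatched && compareVersions(e.version, minPatched[e.name]) < 0) {
      findings.push({ name: e.name, version: e.version, reason: `below ${minPatched[e.name]}` });
    }
  }
  for (const [name, floor] of Object.entries(minPatched)) {
    const pinned = (resolutions[name] || '').replace(/^[\^~]/, '');
    if (pinned === '' || compareVersions(pinned, floor) < 0) {
      findings.push({ name, version: pinned || null, reason: `resolutions does not pin >= ${floor}` });
    }
  }
  return findings;
}

const findings = auditLock(yarnLock, MIN_PATCHED, MUST_BE_PRUNED, packageJson.resolutions);
for (const f of findings) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

Run stand-alone it reports the two problems planted in the constructed lock (tar still at 7.5.9 and the unpruned @trysound/sax entry); pointing the same functions at a real yarn.lock and package.json read from disk turns it into a CI gate that fails when a later install drifts back below the pinned versions. The version comparison deliberately ignores pre-release tags, which is sufficient for the exact pins a resolutions field carries; bun.lock uses a different format and would need its own parser.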

@jbocce jbocce merged commit 6772deb into OHIF:release/3.12 Mar 6, 2026
3 checks passed
@jbocce jbocce deleted the fix/OHIF-2536-svgo-and-tar-security-release-3.12 branch March 6, 2026 13:26