v1.1.3 - Security fixes

@QuietWireDev QuietWireDev released this 17 Jun 22:36

Security

Dependency updates resolving all open Dependabot alerts plus one npm-audit finding. No functional changes; all fixes verified on the test fleet.

  • python-multipart 0.0.27 to 0.0.30. Clears four advisories: quadratic-time querystring parsing causing CPU DoS (CVE-2026-53539), negative Content-Length buffering the entire body in memory, semicolon-as-separator parameter smuggling (CVE-2026-53538), and Content-Disposition smuggling via RFC 2231/5987. This is the only fix that ships in the runtime image.
  • vite to 8.0.16. Fixes server.fs.deny bypass on Windows alternate paths (CVE-2026-53571) and the bundled launch-editor NTLMv2 hash disclosure (build-time only).
  • js-yaml to 4.2.0. Quadratic-complexity DoS in merge key handling (CVE-2026-53550, dev only).
  • @babel/core to 7.29.7. Arbitrary file read via sourceMappingURL comment (CVE-2026-49356, dev only).
  • brace-expansion bumped. Large numeric range defeats the documented max DoS protection (GHSA-jxxr-4gwj-5jf2, dev only).

Frontend changes are lockfile-only. npm audit reports zero vulnerabilities and the production build is unchanged.
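The check a deployer would run after pulling this release, as an added example (not QuietKeep's own code): it confirms an environment actually carries the fixed versions listed above, reading `pip freeze` output for the runtime image and a lockfile `packages` map for the frontend. The package names and minimum versions come from the release notes; the two inventories are constructed sample input, and `runtime_only` mirrors the note that only the python-multipart fix ships in the runtime image.

```python
import json
import re

# Fixed versions named in the release notes, tagged True when the package ships
# in the runtime image. brace-expansion is left out: the notes give no version.
MINIMUMS = {
    "python-multipart": ("0.0.30", True),
    "vite": ("8.0.16", False),
    "js-yaml": ("4.2.0", False),
    "@babel/core": ("7.29.7", False),
}

# Constructed sample inventories (not from the project): the Python runtime is
# still on the old python-multipart; the npm tree hides a nested stale js-yaml.
SAMPLE_PIP_FREEZE = "fastapi==0.115.0\npython_multipart==0.0.27\nuvicorn==0.30.0\n"
SAMPLE_PACKAGE_LOCK = json.dumps({"packages": {
    "node_modules/vite": {"version": "8.0.16"},
    "node_modules/js-yaml": {"version": "4.2.0"},
    "node_modules/@babel/core": {"version": "7.29.7"},
    "node_modules/eslint/node_modules/js-yaml": {"version": "4.1.0"},
}})

def parse_version(v: str) -> tuple:
    """'0.0.30' -> (0, 0, 30); numeric compare, since as strings '0.0.9' > '0.0.30'."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def parse_pip_freeze(text: str) -> dict:
    """'name==version' lines; names normalised like pip ('_' and '.' -> '-')."""
    found = {}
    for line in text.splitlines():
        if "==" in line:
            name, version = line.strip().split("==", 1)
            found[re.sub(r"[-_.]+", "-", name).lower()] = version
    return found

def parse_package_lock(text: str) -> dict:
    """Lowest installed version per npm package from a lockfile v2/v3
    'packages' map; nested copies count, since any stale copy is reachable."""
    found = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" in path:
            name, version = path.rsplit("node_modules/", 1)[1], meta.get("version", "")
            if name not in found or parse_version(version) < parse_version(found[name]):
                found[name] = version
    return found

def stale_packages(installed: dict, runtime_only: bool = False) -> list:
    """Packages missing or below the fixed version; runtime_only restricts the
    check to what ships in the runtime image."""
    return [name for name, (minimum, in_runtime) in MINIMUMS.items()
            if (in_runtime or not runtime_only)
            and parse_version(installed.get(name, "0")) < parse_version(minimum)]
```

Run `stale_packages(parse_pip_freeze(open("freeze.txt").read()), runtime_only=True)` against the runtime image and the full check against a merged Python-plus-npm inventory; an empty list means every fix in this release is present.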

Full changelog: https://github.com/QuietWireDev/QuietKeep/blob/main/CHANGELOG.md