Remove UI for Undo, Redo, Delete, and Duplicate; Relocate Alignment Options#21

Merged

antobinary merged 1 commit into bigbluebutton:main from KDSBrowne:tl-menu-ui-update on Nov 13, 2024

Conversation

@KDSBrowne

This PR updates the UI by removing the Undo, Redo, Delete, and Duplicate buttons, retaining their functionality through keyboard shortcuts. It also relocates the alignment options dropdown to the last element on the main toolbar.

@antobinary antobinary merged commit 59ce62c into bigbluebutton:main Nov 13, 2024
Tainan404 added a commit that referenced this pull request May 15, 2026
fix: pin vm2 to 3.11.3 to resolve CVE-2023-37903 and related sandbox escapes

Adds npm override to enforce vm2 == 3.11.3 (community security patch),
patching critical sandbox escape vulnerabilities (GHSA-g644-9gfx-q4q4
and related vm2 CVEs). The vulnerable 3.9.19 was a transitive dev
dependency via @remix-run/dev → proxy-agent → pac-proxy-agent →
pac-resolver → degenerator → vm2. No production runtime exposure.

fix: upgrade form-data to 4.0.5 to resolve CVE-2025-7783

Adds npm override to enforce form-data == 4.0.5, patching the unsafe
Math.random() boundary vulnerability (GHSA-fjxv-7rqg-78g4). The
vulnerable 4.0.0 was a transitive dev dependency via @types/node-fetch
and jsdom → jest-environment-jsdom. No production runtime exposure.

fix: upgrade ws to >=8.17.1 with nested @remix-run/dev override to resolve CVE-2024-37890

Patches both 7.x and 8.x instances (GHSA-3h5v-q93c-6h6q). Uses global
"ws":">=8.17.1" plus nested "@remix-run/dev":{"ws":">=7.5.10 <8.0.0"}
to keep @remix-run/dev on its expected ws 7.x API while everything else
gets patched 8.x. Resolves alerts #12 and #13.

fix: upgrade body-parser to >=1.20.3 to resolve CVE-2024-45590

Adds npm override to enforce body-parser >= 1.20.3 < 2.0.0, patching
the URL-encoding DoS vulnerability (GHSA-qwcr-r2fm-qrc7). Resolves
to 1.20.5. The vulnerable 1.20.2 was a transitive dev dependency via
@remix-run/dev → express → body-parser. No production runtime exposure.

fix: upgrade rollup to >=3.29.5/>=4.22.4 to resolve CVE-2024-47068

Adds npm override for rollup with multi-range patch (GHSA-gcx4-mw62-g8wm).
Hoisted rollup 4.18.0 → 4.60.4; vite-nested rollup 3.29.4 → 3.29.5.
Resolves alerts #25 and #26. Both are devDependencies; XSS only affects
bundled output served to end users, not the build process.

fix: upgrade cross-spawn to >=7.0.5 to resolve CVE-2024-21538

Adds npm override to enforce cross-spawn >= 7.0.5, patching ReDoS
vulnerability (GHSA-3xgq-45jj-v275). Resolves to 7.0.6. The vulnerable
7.0.3 was a shared transitive dev dependency (eslint, lazyrepo,
lint-staged, node-gyp chain). No production runtime exposure.

fix: upgrade tar-fs to >=2.1.4 to resolve CVE-2024-12905 and related

Adds npm override to enforce tar-fs >= 2.1.4, patching three path
traversal CVEs (alerts #43, #53, tldraw#60). The vulnerable 2.1.1 was a
shared transitive dev dependency (vsce/prebuild-install and
vercel/@remix-run/dev chains). No production runtime exposure.

fix: upgrade playwright to >=1.55.1 to resolve CVE-2025-59288

Upgrades playwright and @playwright/test from ^1.46.0/^1.38.1 to
^1.55.1 (resolved to 1.60.0), patching SSL certificate verification
bypass (GHSA-7mvr-c777-76hp). Both packages updated together since
@playwright/test pins playwright with an exact version. Dev-only
tooling; no production exposure.

fix: upgrade glob (10.x) to 10.5.0 to resolve CVE-2025-64756

Manually patches two vulnerable glob@10.4.1 lockfile entries
(node-gyp and cacache chains) to 10.5.0, fixing CLI command injection
(GHSA-5j98-mcp5-4vw2). Broad npm override was avoided to preserve
7.x/8.x instances used by jest, eslint, etc. Dev-only; no production
exposure.

fix: upgrade validator to >=13.15.22 to resolve CVE-2025-12758

Adds npm override to enforce validator >= 13.15.22 (resolves to 13.15.35),
patching incomplete filtering vulnerability (GHSA-vghf-hv5q-vc2g).
Transitive devDependency via @microsoft/api-extractor -> z-schema chain.
No production exposure.

fix: upgrade @remix-run/router to >=1.23.2 to resolve CVE-2026-22029

Upgrades react-router-dom (6.23.1->6.30.3) and adds npm override for
@remix-run/router >=1.23.2, patching XSS via open redirects
(GHSA-2w69-qvjg-hvjx). Both previous instances (1.16.1 and 1.5.0) are
now deduplicated to 1.23.2. Dev-only tooling; no BBB production exposure.

fix: patch minimatch to safe versions across all major branches

Manually patches 8 minimatch lockfile entries (3.x->3.1.4, 4.x->4.2.5,
5.x->5.1.8, 8.x->8.0.6, 9.x->9.0.7) to resolve 9 Dependabot alerts
(tldraw#84, tldraw#88, tldraw#91, tldraw#95-#100). A broad override was avoided to prevent
cross-major version coercion. All instances are dev tooling only.

fix: patch serialize-javascript to 7.0.3 to resolve GHSA-5c6j-r48x-rmvq

Manually patches serialize-javascript lockfile entry from 6.0.0 to 7.0.3,
fixing RCE via RegExp.flags/Date.prototype.toISOString. mocha@9.2.2 pins
an exact version so npm override is not viable. Dev-only tooling (VSCode
extension tests); no production exposure.

fix: upgrade svgo to >=3.3.3 to resolve CVE-2026-29074

Updates svgo direct dependency from ^3.0.2 to ^3.3.3 (resolves to 3.3.3),
patching DoS via DOCTYPE entity expansion (GHSA-xpqw-6gx7-v673). The
upgrade also transitions svgo's XML parser from @trysound/sax to sax.
Build tool; no production runtime exposure.

fix: upgrade flatted to >=3.4.2 to resolve GHSA-25h7-pfq9-p65f/rf6f-7fwh-wjgh

Adds npm override to enforce flatted >= 3.4.2, patching unbounded
recursion DoS (tldraw#107) and prototype pollution (#108). Transitive
devDependency via eslint -> flat-cache chain. No production exposure.

fix: patch picomatch to 2.3.2 to resolve GHSA-c2c7-rcm5-vvqj and related

Manually patches picomatch lockfile entry from 2.3.1 to 2.3.2, fixing
ReDoS via extglob quantifiers (#111) and method injection (tldraw#112). Broad
npm override was avoided to prevent cross-major version coercion. Dev
tooling only; no production exposure.

fix: upgrade lodash to >=4.18.0 to resolve CVEs (tldraw#76, #117, #118)

Adds npm override to enforce lodash >= 4.18.0 (resolves to 4.18.1),
patching GHSA-xxjr-mmjv-4gpg (medium), GHSA-f23m-r3pf-42rh (medium),
and GHSA-r5fr-rjxr-66jc (high). All consumers share the single hoisted
entry.

fix: upgrade @babel/plugin-transform-modules-systemjs to >=7.29.4 (CVE-2026-44728)

Adds npm override to enforce @babel/plugin-transform-modules-systemjs
>= 7.29.4, patching arbitrary code generation from malicious input
(GHSA-fv7c-fp4j-7gwp). Transitive devDependency via
vercel -> @remix-run/dev -> @babel/preset-env chain.

fix: upgrade vite 4.x to 4.5.14 and patch nested 5.x instances to 5.4.21

Resolves 16 Dependabot alerts (#21-tldraw#52, #58, tldraw#59, tldraw#63): upgrades the
hoisted vite 4.x instance to 4.5.14 (CVE-2024-45811, CVE-2024-45812,
CVE-2025-24010, CVE-2025-30208, CVE-2025-31125, CVE-2025-31486,
CVE-2025-32395, CVE-2025-46565, CVE-2025-58751, CVE-2025-58752) and
manually patches nested vite 5.x entries to 5.4.21 via lockfile.

fix: upgrade micromatch to >=4.0.8 to resolve CVE-2024-4067

fix: patch xml2js to 0.5.0 to resolve CVE-2023-0842

fix: patch nanoid 3.x instances to 3.3.12 to resolve CVE-2024-55565

fix: upgrade @babel/helpers+runtime to >=7.26.0 and serialize-javascript to 7.0.5

Resolves CVE-2025-27789 (@babel), CVE-2024-11831 and CVE-2026-34043
(serialize-javascript).

fix: patch postcss, qs, js-yaml, yaml 1.x, and brace-expansion CVEs

- postcss 8.4.38→8.5.14 (CVE-2026-41305)
- qs 6.11.0→6.15.1, typed-rest-client qs 6.12.1→6.15.0 (CVE-2025-15284, CVE-2026-2391)
- js-yaml 4.1.0→4.1.1 (CVE-2025-64718) via manual patch
- js-yaml 3.14.1→3.14.2 for @istanbuljs and gray-matter (CVE-2025-64718)
- yaml 1.10.2→1.10.3 for cosmiconfig (CVE-2026-33532)
- brace-expansion 2.0.1→2.0.3 and 1.1.11→1.1.13 (tldraw#54, tldraw#55, #113, tldraw#114)

fix: patch ajv to 6.14.0 to resolve CVE-2025-69873

fix: upgrade yaml, brace-expansion 2.x, and cookie to patch CVEs

- yaml 2.4.2→2.9.0 (CVE-2026-33532: stack overflow in deeply nested YAML)
- brace-expansion 2.0.1→2.0.3 (CVE-2025-5889 + CVE-2026-33750)
- cookie 0.4.2+0.6.0→0.7.2 (CVE-2024-47764)

fix: upgrade express, send, serve-static, and tmp (vsce) to patch CVEs

- express 4.19.2→4.22.2 (CVE-2024-43796: XSS via response.redirect())
- send 0.18.0→0.19.2 (CVE-2024-43799: template injection XSS)
- serve-static 1.15.0→1.16.3 (CVE-2024-43800: template injection XSS)
- vsce/tmp 0.2.3→0.2.5 (CVE-2025-54798: symlink attack via dir param)

Note: hoisted tmp 0.0.33 (external-editor) has no fix in 0.0.x range.

fix: refine ws override to nested pattern for @remix-run/dev compatibility

Switch from flat ">=7.5.10 <8.0.0 || >=8.17.1" to:
- global "ws": ">=8.17.1" (all packages get patched 8.x)
- nested "@remix-run/dev": { "ws": ">=7.5.10 <8.0.0" } (keeps @remix-run/dev on ws 7.x as designed)

@remix-run/dev 1.15.0 declares ws ^7.4.5; the flat union range was resolving
it to 8.20.1 (npm picks highest), giving it an incompatible major version.
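The nested ws override described just above and the per-major minimatch patching earlier in the same commit message both come down to a per-location version policy on the lockfile: one allowed range for the hoisted copy, another for a copy nested under a specific parent or on a specific major line. As an added example (not code from this PR or from the bigbluebutton or tldraw projects), the script below audits a package-lock.json `packages` map against such a policy; the lockfile contents and the policy table are constructed for the example.

```javascript
// Added example, not code from this PR or from the bigbluebutton/tldraw repos:
// audit a package-lock.json (v2/v3 "packages" map) against a per-location
// version policy of the shape the commit message describes: ws hoisted at
// >=8.17.1 but the copy nested under @remix-run/dev held at >=7.5.10 <8.0.0,
// and minimatch patched per major line instead of coerced by one broad override.
// LOCK below is constructed sample data, not a real lockfile.
const NM = 'node_modules/';

// "1.2.3" -> [1, 2, 3]; a prerelease/build suffix is ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Split a lockfile path into the installed package name and its parent prefix:
// "node_modules/@remix-run/dev/node_modules/ws"
//   -> { name: "ws", parent: "node_modules/@remix-run/dev/" }
function splitPath(path) {
  const i = path.lastIndexOf(NM);
  return { name: path.slice(i + NM.length), parent: path.slice(0, i) };
}

// Rules are tried in order and the first match wins, so the nested (more
// specific) rule comes before the global one, mirroring the nested override.
//   under: only copies installed below this package
//   major: only copies on this major line
//   min (inclusive) / below (exclusive) bound the allowed versions
const POLICY = [
  { name: 'ws', under: '@remix-run/dev', min: '7.5.10', below: '8.0.0' },
  { name: 'ws', min: '8.17.1' },
  { name: 'minimatch', major: 3, min: '3.1.4' },
  { name: 'minimatch', major: 5, min: '5.1.8' },
  { name: 'minimatch', major: 9, min: '9.0.7' },
];

function ruleFor(path, version, policy) {
  const { name, parent } = splitPath(path);
  return policy.find((r) =>
    r.name === name &&
    (r.under === undefined || parent.includes(`${NM}${r.under}/`)) &&
    (r.major === undefined || parseVersion(version)[0] === r.major));
}

// One finding per installed copy that violates the rule matching its location.
function auditLockfile(lock, policy = POLICY) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue; // root entry / link entries
    const rule = ruleFor(path, meta.version, policy);
    if (!rule) continue;
    const tooLow = compareVersions(meta.version, rule.min) < 0;
    const tooHigh = rule.below !== undefined && compareVersions(meta.version, rule.below) >= 0;
    if (tooLow || tooHigh) findings.push({ path, version: meta.version, rule });
  }
  return findings;
}

// Constructed lockfile: the state the commit message describes before the
// nested override (the flat union range let @remix-run/dev's ws resolve to
// 8.20.1) plus one unpatched minimatch 3.x copy.
const LOCK = {
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/ws': { version: '8.20.1' },
    'node_modules/@remix-run/dev': { version: '1.15.0' },
    'node_modules/@remix-run/dev/node_modules/ws': { version: '8.20.1' },
    'node_modules/minimatch': { version: '3.1.2' },
    'node_modules/eslint/node_modules/minimatch': { version: '9.0.7' },
    'node_modules/glob/node_modules/minimatch': { version: '5.1.8' },
  },
};

const FINDINGS = auditLockfile(LOCK);
for (const f of FINDINGS) {
  const range = `>=${f.rule.min}${f.rule.below ? ' <' + f.rule.below : ''}`;
  console.log(`${f.path}@${f.version} violates ${f.rule.name} ${range}`);
}
```

Run against a real lockfile by replacing LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result is the signal that an override was coerced across a major line or that a manual lockfile patch regressed after a reinstall.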
Tainan404 added a commit that referenced this pull request May 15, 2026
Tainan404 pushed a commit that referenced this pull request May 20, 2026
Remove UI for Undo, Redo, Delete, and Duplicate; Relocate Alignment Options
Tainan404 added a commit that referenced this pull request May 20, 2026