From 1052c2744536cc212f58d5764a4980acdcd717a6 Mon Sep 17 00:00:00 2001
From: IEvangelist
Date: Fri, 24 Apr 2026 15:10:21 -0500
Subject: [PATCH] Bump transitive deps postcss, fast-xml-parser, uuid to patched versions
Addresses Dependabot alerts:
- #68 fast-xml-parser < 5.7.0 (XML Comment/CDATA injection) -> 5.7.1
- #71 uuid < 14.0.0 (missing buffer bounds check) -> 14.0.0
- #72 postcss < 8.5.10 (XSS via unescaped ) -> 8.5.10
Updated pnpm overrides in src/frontend/package.json to force patched versions of these transitive dependencies and regenerated pnpm-lock.yaml.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/frontend/package.json | 6 ++--
 src/frontend/pnpm-lock.yaml | 72 ++++++++++++++++++-------------------
 2 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/src/frontend/package.json b/src/frontend/package.json
index 459a16676..3b0c83760 100644
--- a/src/frontend/package.json
+++ b/src/frontend/package.json
@@ -112,16 +112,18 @@
 "ajv@>=7.0.0-alpha.0 <8.18.0": "8.18.0",
 "devalue@<5.6.4": ">=5.6.4",
 "dompurify@<3.4.0": ">=3.4.0",
- "fast-xml-parser@<5.5.7": ">=5.5.7",
+ "fast-xml-parser@<5.7.0": ">=5.7.0",
 "flatted@<3.4.2": ">=3.4.2",
 "h3@<1.15.9": ">=1.15.9",
 "lodash@>=4.0.0 <=4.17.22": ">=4.17.23",
 "seroval": ">=1.4.1",
 "lodash-es@>=4.0.0 <=4.17.22": ">=4.17.23",
 "minimatch@<10.2.3": ">=10.2.3",
+ "postcss@<8.5.10": ">=8.5.10",
 "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
 "simple-git@<3.32.3": ">=3.32.3",
- "svgo@=4.0.0": ">=4.0.1"
+ "svgo@=4.0.0": ">=4.0.1",
+ "uuid@<14.0.0": ">=14.0.0"
 }
 }
 }
diff --git a/src/frontend/pnpm-lock.yaml b/src/frontend/pnpm-lock.yaml
index 7c5c7a3ab..c1cf81c36 100644
--- a/src/frontend/pnpm-lock.yaml
+++ b/src/frontend/pnpm-lock.yaml
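Review bot: The added `"uuid@<14.0.0": ">=14.0.0"` override in the src/frontend/package.json hunk forces a major-version change on a transitive consumer: the lockfile moves the one visible dependent (the snapshot that also lists roughjs, stylis and ts-dedent) from uuid 11.1.0 to 14.0.0, a range that package presumably never declared support for. The build and whatever code path calls uuid there should be exercised before this is merged, since an override silences the resolver rather than proving compatibility. All three new entries also use an open-ended `>=` target, so a later lockfile regeneration can pick any future major; a bounded target such as `"postcss@<8.5.10": "^8.5.10"` keeps the fix without that drift. The surrounding entries follow the same open-ended pattern, so this may be a deliberate convention, and the lockfile does pin exact versions with integrity hashes in the meantime.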
@@ -10,16 +10,18 @@ overrides: ajv@>=7.0.0-alpha.0 <8.18.0: 8.18.0 devalue@<5.6.4: '>=5.6.4' dompurify@<3.4.0: '>=3.4.0' - fast-xml-parser@<5.5.7: '>=5.5.7' + fast-xml-parser@<5.7.0: '>=5.7.0' flatted@<3.4.2: '>=3.4.2' h3@<1.15.9: '>=1.15.9' lodash@>=4.0.0 <=4.17.22: '>=4.17.23' seroval: '>=1.4.1' lodash-es@>=4.0.0 <=4.17.22: '>=4.17.23' minimatch@<10.2.3: '>=10.2.3' + postcss@<8.5.10: '>=8.5.10' rollup@>=4.0.0 <4.59.0: '>=4.59.0' simple-git@<3.32.3: '>=3.32.3' svgo@=4.0.0: '>=4.0.1' + uuid@<14.0.0: '>=14.0.0' importers: @@ -956,6 +958,9 @@ packages: '@mermaid-js/parser@1.1.0': resolution: {integrity: sha512-gxK9ZX2+Fex5zu8LhRQoMeMPEHbc73UKZ0FQ54YrQtUxE1VVhMwzeNtKRPAu5aXks4FasbMe4xB4bWrmq6Jlxw==} + '@nodable/entities@2.1.0': + resolution: {integrity: sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==} + '@nodelib/fs.scandir@2.1.5': resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==} engines: {node: '>= 8'} @@ -2205,11 +2210,11 @@ packages: fast-wrap-ansi@0.1.6: resolution: {integrity: sha512-HlUwET7a5gqjURj70D5jl7aC3Zmy4weA1SHUfM0JFI0Ptq987NH2TwbBFLoERhfwk+E+eaq4EK3jXoT+R3yp3w==} - fast-xml-builder@1.1.4: - resolution: {integrity: sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==} + fast-xml-builder@1.1.5: + resolution: {integrity: sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==} - fast-xml-parser@5.5.9: - resolution: {integrity: sha512-jldvxr1MC6rtiZKgrFnDSvT8xuH+eJqxqOBThUVjYrxssYTo1avZLGql5l0a0BAERR01CadYzZ83kVEkbyDg+g==} + fast-xml-parser@5.7.1: + resolution: {integrity: sha512-8Cc3f8GUGUULg34pBch/KGyPLglS+OFs05deyOlY7fL2MTagYPKrVQNmR1fLF/yJ9PH5ZSTd3YDF6pnmeZU+zA==} hasBin: true fastq@1.19.1: 
@@ -2873,8 +2878,8 @@ packages: resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==} engines: {node: '>=8'} - path-expression-matcher@1.2.0: - resolution: {integrity: sha512-DwmPWeFn+tq7TiyJ2CxezCAirXjFxvaiD03npak3cRjlP9+OjTmSy1EpIrEbh+l6JgUundniloMLDQ/6VTdhLQ==} + path-expression-matcher@1.5.0: + resolution: {integrity: sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==} engines: {node: '>=14.0.0'} path-key@3.1.1: @@ -2924,7 +2929,7 @@ packages: resolution: {integrity: sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ==} engines: {node: '>=12.0'} peerDependencies: - postcss: ^8.2.14 + postcss: '>=8.5.10' postcss-selector-parser@6.1.2: resolution: {integrity: sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==} @@ -2934,10 +2939,6 @@ packages: resolution: {integrity: sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==} engines: {node: ^10 || ^12 || >=14} - postcss@8.5.8: - resolution: {integrity: sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==} - engines: {node: ^10 || ^12 || >=14} - prelude-ls@1.2.1: resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==} engines: {node: '>= 0.8.0'} 
@@ -3246,8 +3247,8 @@ packages: stringify-entities@4.0.4: resolution: {integrity: sha512-IwfBptatlO+QCJUo19AqvrPNqlVMpW9YEL2LIVY+Rpv2qsjCGxaDLNRgeGsQWJhfItebuJhsGSLjaBbNSQ+ieg==} - strnum@2.2.2: - resolution: {integrity: sha512-DnR90I+jtXNSTXWdwrEy9FakW7UX+qUZg28gj5fk2vxxl7uS/3bpI4fjFYVmdK9etptYBPNkpahuQnEwhwECqA==} + strnum@2.2.3: + resolution: {integrity: sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==} style-to-js@1.1.21: resolution: {integrity: sha512-RjQetxJrrUJLQPHbLku6U/ocGtzyjbJMP9lCNK7Ag0CNh690nSH8woqWH9u16nMjYBAok+i7JO1NP2pOy8IsPQ==} @@ -3496,8 +3497,8 @@ packages: util-deprecate@1.0.2: resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==} - uuid@11.1.0: - resolution: {integrity: sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==} + uuid@14.0.0: + resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==} hasBin: true vanilla-cookieconsent@3.1.0: @@ -3806,7 +3807,7 @@ snapshots: '@astrojs/rss@4.0.18': dependencies: - fast-xml-parser: 5.5.9 + fast-xml-parser: 5.7.1 piccolore: 0.1.3 zod: 4.3.6 @@ -4179,8 +4180,8 @@ snapshots: hast-util-to-html: 9.0.5 hast-util-to-text: 4.0.2 hastscript: 9.0.1 - postcss: 8.5.8 - postcss-nested: 6.2.0(postcss@8.5.8) + postcss: 8.5.10 + postcss-nested: 6.2.0(postcss@8.5.10) unist-util-visit: 5.1.0 unist-util-visit-parents: 6.0.2 @@ -4404,6 +4405,8 @@ snapshots: dependencies: langium: 4.2.2 + '@nodable/entities@2.1.0': {} + '@nodelib/fs.scandir@2.1.5': dependencies: '@nodelib/fs.stat': 2.0.5 
@@ -5851,15 +5854,16 @@ snapshots: dependencies: fast-string-width: 1.1.0 - fast-xml-builder@1.1.4: + fast-xml-builder@1.1.5: dependencies: - path-expression-matcher: 1.2.0 + path-expression-matcher: 1.5.0 - fast-xml-parser@5.5.9: + fast-xml-parser@5.7.1: dependencies: - fast-xml-builder: 1.1.4 - path-expression-matcher: 1.2.0 - strnum: 2.2.2 + '@nodable/entities': 2.1.0 + fast-xml-builder: 1.1.5 + path-expression-matcher: 1.5.0 + strnum: 2.2.3 fastq@1.19.1: dependencies: @@ -6524,7 +6528,7 @@ snapshots: roughjs: 4.6.6 stylis: 4.3.6 ts-dedent: 2.2.0 - uuid: 11.1.0 + uuid: 14.0.0 micromark-core-commonmark@2.0.3: dependencies: @@ -6953,7 +6957,7 @@ snapshots: path-exists@4.0.0: {} - path-expression-matcher@1.2.0: {} + path-expression-matcher@1.5.0: {} path-key@3.1.1: {} @@ -6990,9 +6994,9 @@ snapshots: path-data-parser: 0.1.0 points-on-curve: 0.2.0 - postcss-nested@6.2.0(postcss@8.5.8): + postcss-nested@6.2.0(postcss@8.5.10): dependencies: - postcss: 8.5.8 + postcss: 8.5.10 postcss-selector-parser: 6.1.2 postcss-selector-parser@6.1.2: @@ -7006,12 +7010,6 @@ snapshots: picocolors: 1.1.1 source-map-js: 1.2.1 - postcss@8.5.8: - dependencies: - nanoid: 3.3.11 - picocolors: 1.1.1 - source-map-js: 1.2.1 - prelude-ls@1.2.1: {} prettier-plugin-astro@0.14.1: @@ -7479,7 +7477,7 @@ snapshots: character-entities-html4: 2.1.0 character-entities-legacy: 3.0.0 - strnum@2.2.2: {} + strnum@2.2.3: {} style-to-js@1.1.21: dependencies: @@ -7695,7 +7693,7 @@ snapshots: util-deprecate@1.0.2: {} - uuid@11.1.0: {} + uuid@14.0.0: {} vanilla-cookieconsent@3.1.0: {}