From 9a6673295b0bc90bf90e9e1d0e83d4675bb0a56e Mon Sep 17 00:00:00 2001
From: CVE Bot
Date: Wed, 15 Apr 2026 21:29:59 -0400
Subject: [PATCH 1/2] fix(deps): address CVEs for lodash, immutable, qs (New Jira scope) - Yarn resolutions: lodash@4.18.1, qs@6.14.2 - Bump immutable@3.x lock entry to 3.8.3 (CVE-2026-29063) Relates to New-status OCPBUGS on openshift-4.19.
---
 package.json | 4 +++-
 yarn.lock | 40 +++++++++++++---------------------------
 2 files changed, 16 insertions(+), 28 deletions(-)
diff --git a/package.json b/package.json
index e9c5c845..eaeca8db 100644
--- a/package.json
+++ b/package.json
@@ -85,7 +85,9 @@
 },
 "resolutions": {
 "webpack": "^5.68.0",
- "@types/react": "17.0.40"
+ "@types/react": "17.0.40",
+ "lodash": "4.18.1",
+ "qs": "6.14.2"
 },
 "dependencies": {
 "@preact/signals-react": "^3.0.1",
diff --git a/yarn.lock b/yarn.lock
index e68278b7..2c1fef28 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5128,9 +5128,9 @@ immer@^9.0.16: integrity sha512-bc4NBHqOqSfRW7POMkHd51LvClaeMXpm8dx0e8oE2GORbq5aRK7Bxl4FyzVLdGtLmvLKL7BTDBG5ACQm4HWjTA== immutable@3.x: - version "3.8.2" - resolved "https://registry.yarnpkg.com/immutable/-/immutable-3.8.2.tgz#c2439951455bb39913daf281376f1530e104adf3" - integrity sha512-15gZoQ38eYjEjxkorfbcgBKBL6R7T459OuK+CpcWt7O3KF4uPCx2tD0uFETlUDIyo+1789crbMhTvQBSR5yBMg== + version "3.8.3" + resolved "https://registry.yarnpkg.com/immutable/-/immutable-3.8.3.tgz#0a8d2494a94d4b2d4f0e99986e74dd25d1e9a859" + integrity sha512-AUY/VyX0E5XlibOmWt10uabJzam1zlYjwiEgQSDc5+UIkFNaF9WM0JxXKaNMGf+F/ffUF+7kRKXM9A7C0xXqMg== immutable@^4.0.0: version "4.3.5"
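Review bot: The two new `resolutions` entries in package.json are exact, tree-wide pins, and the yarn.lock hunks of this patch show `qs` being forced onto requesters that declared `6.13.0` and `~6.10.3`, i.e. outside the ranges those packages asked for. That is the expected effect of a CVE override, but it means those consumers now run a qs release they did not declare, so the query-string parsing paths that reach qs deserve a regression run before merge. Exact pins also hold every requester at this version until someone edits the file again; if the aim is a minimum patched version, `"qs": "^6.14.2"` and `"lodash": "^4.18.1"` state that and let later patch releases in on the next re-resolve. package.json cannot carry comments, so the advisory ids behind the lodash and qs pins are best recorded in the commit message next to the immutable one, so the overrides can be removed once upstream ranges catch up.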
@@ -6315,10 +6315,10 @@ lodash.once@^4.1.1: resolved "https://registry.yarnpkg.com/lodash.once/-/lodash.once-4.1.1.tgz#0dd3971213c7c56df880977d504c88fb471a97ac" integrity sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg== -lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.21: - version "4.17.21" - resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" - integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg== +lodash@4.18.1, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.21: + version "4.18.1" + resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.18.1.tgz#ff2b66c1f6326d59513de2407bf881439812771c" + integrity sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q== log-symbols@^4.0.0, log-symbols@^4.1.0: version "4.1.0" 
@@ -7199,26 +7199,12 @@ punycode@^2.1.0, punycode@^2.1.1, punycode@^2.3.1: resolved "https://registry.yarnpkg.com/punycode/-/punycode-2.3.1.tgz#027422e2faec0b25e1549c3e1bd8309b9133b6e5" integrity sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg== -qs@6.13.0: - version "6.13.0" - resolved "https://registry.yarnpkg.com/qs/-/qs-6.13.0.tgz#6ca3bd58439f7e245655798997787b0d88a51906" - integrity sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg== - dependencies: - side-channel "^1.0.6" - -qs@^6.4.0: - version "6.12.0" - resolved "https://registry.yarnpkg.com/qs/-/qs-6.12.0.tgz#edd40c3b823995946a8a0b1f208669c7a200db77" - integrity sha512-trVZiI6RMOkO476zLGaBIzszOdFPnCCXHPG9kn0yuS1uz6xdVxPfZdB3vUig9pxPFDM9BRAgz/YUIVQ1/vuiUg== +qs@6.13.0, qs@6.14.2, qs@^6.4.0, qs@~6.10.3: + version "6.14.2" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.2.tgz#b5634cf9d9ad9898e31fba3504e866e8efb6798c" + integrity sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q== dependencies: - side-channel "^1.0.6" - -qs@~6.10.3: - version "6.10.5" - resolved "https://registry.yarnpkg.com/qs/-/qs-6.10.5.tgz#974715920a80ff6a262264acd2c7e6c2a53282b4" - integrity sha512-O5RlPh0VFtR78y79rgcgKK4wbAI0C5zGVLztOIdpWX6ep368q5Hv6XRxDvXuZ9q3C6v+e3n8UfZZJw7IIG27eQ== - dependencies: - side-channel "^1.0.4" + side-channel "^1.1.0" querystringify@^2.1.1: version "2.2.0"
@@ -7940,7 +7926,7 @@ side-channel-weakmap@^1.0.2: object-inspect "^1.13.3" side-channel-map "^1.0.1" -side-channel@^1.0.4, side-channel@^1.0.6: +side-channel@^1.0.4, side-channel@^1.0.6, side-channel@^1.1.0: version "1.1.0" resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.1.0.tgz#c3fcff9c4da932784873335ec9765fa94ff66bc9" integrity sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==
From e7d2c58605d67d58f10f1ff8fa070c4d561ecc0b Mon Sep 17 00:00:00 2001
From: CVE Bot
Date: Thu, 16 Apr 2026 08:58:21 -0400
Subject: [PATCH 2/2] fix(deps): address CVE-2026-22029 (React Router / @remix-run/router) - Bump react-router-dom-v5-compat to ^6.30.3 - Yarn resolution: @remix-run/router@1.23.2 (GHSA-2w69-qvjg-hvjx)
---
 package.json | 5 +++--
 yarn.lock | 26 +++++++++++++++++++++-----
 2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/package.json b/package.json
index eaeca8db..7aaf4b9b 100644
--- a/package.json
+++ b/package.json
@@ -69,7 +69,7 @@
 "react-i18next": "^11.7.3",
 "react-router": "5.3.x",
 "react-router-dom": "5.3.x",
- "react-router-dom-v5-compat": "^6.22.3",
+ "react-router-dom-v5-compat": "^6.30.3",
 "sass": "^1.57.1",
 "sass-loader": "^13.2.0",
 "style-loader": "^3.3.1",
@@ -87,7 +87,8 @@
 "webpack": "^5.68.0",
 "@types/react": "17.0.40",
 "lodash": "4.18.1",
- "qs": "6.14.2"
+ "qs": "6.14.2",
+ "@remix-run/router": "1.23.2"
 },
 "dependencies": {
 "@preact/signals-react": "^3.0.1",
diff --git a/yarn.lock b/yarn.lock
index 2c1fef28..d9aaf1d0 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -890,10 +890,10 @@ "@preact/signals-core" "^1.7.0" use-sync-external-store "^1.2.0" -"@remix-run/router@1.15.3": - version "1.15.3" - resolved "https://registry.yarnpkg.com/@remix-run/router/-/router-1.15.3.tgz#d2509048d69dbb72d5389a14945339f1430b2d3c" - integrity sha512-Oy8rmScVrVxWZVOpEF57ovlnhpZ8CCPlnIIumVcV9nFdiSIrus99+Lw78ekXyGvVDlIsFJbSfmSovJUhCWYV3w== +"@remix-run/router@1.15.3", "@remix-run/router@1.23.2": + version "1.23.2" + resolved "https://registry.yarnpkg.com/@remix-run/router/-/router-1.23.2.tgz#156c4b481c0bee22a19f7924728a67120de06971" + integrity sha512-Ic6m2U/rMjTkhERIa/0ZtXJP17QUi2CbWE7cqx4J58M8aA3QTfW+2UlQ4psvTX9IO1RfNVhK3pcpdjej7L+t2w== "@sinclair/typebox@^0.24.1": version "0.24.51"
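Review bot: The `"@remix-run/router": "1.23.2"` resolution patches the router core only, while the yarn.lock hunks of this patch still keep `react-router-dom-v5-compat@^6.11.2` at 6.22.3 together with `react-router@6.22.3`, which declares `"@remix-run/router" "1.15.3"` and is now served 1.23.2 instead. The tree therefore carries two react-router 6.x copies, the older one paired with a core release it was not published against; whether the fix for CVE-2026-22029 sits entirely inside @remix-run/router is not visible here, so the 6.22.3 copy should be confirmed unaffected and exercised in tests. Since 6.30.3 satisfies `^6.11.2`, re-resolving that lock entry, or adding `"react-router-dom-v5-compat": "^6.30.3"` under `resolutions`, would collapse both requests onto the patched release and should let `react-router@6.22.3` fall out of the lock file.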
@@ -7321,7 +7321,7 @@ react-redux@7.2.2: prop-types "^15.7.2" react-is "^16.13.1" -react-router-dom-v5-compat@^6.11.2, react-router-dom-v5-compat@^6.22.3: +react-router-dom-v5-compat@^6.11.2: version "6.22.3" resolved "https://registry.yarnpkg.com/react-router-dom-v5-compat/-/react-router-dom-v5-compat-6.22.3.tgz#4889b46d060492a58c401700c987bddcc8b915f4" integrity sha512-icbyLKEUdMqWjehsRrQv0g/N4C33KFC2ZmnOBF7vvy1hudYSJWY4VTOjy3ey2YY+r3WtcdEH72M7IIGVHAkEtw==
@@ -7329,6 +7329,15 @@ react-router-dom-v5-compat@^6.11.2, react-router-dom-v5-compat@^6.22.3: history "^5.3.0" react-router "6.22.3" +react-router-dom-v5-compat@^6.30.3: + version "6.30.3" + resolved "https://registry.yarnpkg.com/react-router-dom-v5-compat/-/react-router-dom-v5-compat-6.30.3.tgz#0bd5ccc0d9fc0e81ceabade75acc55240279aaaf" + integrity sha512-WWZtwGYyoaeUDNrhzzDkh4JvN5nU0MIz80Dxim6pznQrfS+dv0mvtVoHTA6HlUl/OiJl7WWjbsQwjTnYXejEHg== + dependencies: + "@remix-run/router" "1.23.2" + history "^5.3.0" + react-router "6.30.3" + react-router-dom@5.3.x: version "5.3.4" resolved "https://registry.yarnpkg.com/react-router-dom/-/react-router-dom-5.3.4.tgz#2ed62ffd88cae6db134445f4a0c0ae8b91d2e5e6"
@@ -7364,6 +7373,13 @@ react-router@6.22.3: dependencies: "@remix-run/router" "1.15.3" +react-router@6.30.3: + version "6.30.3" + resolved "https://registry.yarnpkg.com/react-router/-/react-router-6.30.3.tgz#994b3ccdbe0e81fe84d4f998100f62584dfbf1cf" + integrity sha512-XRnlbKMTmktBkjCLE8/XcZFlnHvr2Ltdr1eJX4idL55/9BbORzyZEaIkBFDhFGCEWBBItsVrDxwx3gnisMitdw== + dependencies: + "@remix-run/router" "1.23.2" + react@^17.0.1: version "17.0.2" resolved "https://registry.yarnpkg.com/react/-/react-17.0.2.tgz#d0b5cc516d29eb3eee383f75b62864cfb6800037"