fix(security): fix the newly reported Dependabot security alerts #428

Merged: tbphp merged 1 commit into main from fix/dependabot-round2 on Jul 2, 2026

Conversation

@tbphp tbphp (Owner) commented Jul 2, 2026

Summary

  • Upgrade golang.org/x/net 0.49.0 → 0.55.0 to fix the HTML parser denial-of-service vulnerability (GHSA-5cv4-jp36-h3mw / CVE-2026-25680). It is an indirect dependency, upgraded via go get + go mod tidy; x/crypto, x/sync, x/sys and x/text were bumped to the minimum versions needed to satisfy the dependency graph's version constraints.
  • Upgrade js-yaml 4.1.1 → 4.2.0 to fix the quadratic-complexity CPU-exhaustion DoS caused by repeated aliases in merge keys (<<) (GHSA-h67p-54hq-rp68 / CVE-2026-53550). It is an indirect dependency of eslint and only affects the development environment; it has been placed in devDependencies.

Test plan

  • go build ./... passes
  • go vet ./... reports no errors
  • go test ./... passes
  • npm run build (vue-tsc -b && vite build) passes
  • npm run lint:check / npm run type-check report no errors
  • npm audit shows 0 vulnerabilities
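
As an added example (not code from this PR or repository), a small Go check that scans a go.mod's require entries, including "// indirect" ones, and flags any golang.org/x/net version still below the 0.55.0 that the summary above reports as fixed; the minFixed table and the go.mod fragment are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// minFixed maps a module path to the first fixed version (constructed from the PR summary).
var minFixed = map[string]string{"golang.org/x/net": "v0.55.0"}

// versionKey turns "v0.49.0" into a sortable integer; a suffix after the patch number is ignored.
func versionKey(v string) (int, error) {
	var maj, min, pat int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &maj, &min, &pat); err != nil {
		return 0, err
	}
	return maj*1_000_000 + min*1_000 + pat, nil
}

// VulnerableModules scans go.mod text (single-line and block require entries, including
// "// indirect" ones) and returns "module version" for each tracked module below its fix.
func VulnerableModules(gomod string) ([]string, error) {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || minFixed[f[0]] == "" {
			continue // not a "module version" entry, or a module we do not track
		}
		have, err := versionKey(f[1])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f[0], err)
		}
		want, _ := versionKey(minFixed[f[0]]) // literal above, known to parse
		if have < want {
			findings = append(findings, f[0]+" "+f[1])
		}
	}
	return findings, nil
}

// Constructed go.mod fragment mirroring the pre-upgrade state described in the PR.
const sampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgolang.org/x/net v0.49.0 // indirect\n\tgolang.org/x/text v0.21.0 // indirect\n)\n"

func main() {
	findings, err := VulnerableModules(sampleGoMod)
	fmt.Println(findings, err) // [golang.org/x/net v0.49.0] <nil>
}
```

Run it against the real go.mod (for example by reading the file into the string) before and after the bump to confirm the indirect dependency actually moved.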

Upgrade golang.org/x/net to 0.55.0 to fix the HTML parser denial-of-service vulnerability (CVE-2026-25680)
Upgrade js-yaml to 4.2.0 to fix the quadratic-complexity DoS vulnerability in merge key handling (CVE-2026-53550)
@tbphp tbphp merged commit 5d25028 into main Jul 2, 2026
5 checks passed
@tbphp tbphp added the dependencies Pull requests that update a dependency file label Jul 2, 2026
@tbphp tbphp self-assigned this Jul 2, 2026
@tbphp tbphp added this to the v1.4.9 milestone Jul 2, 2026
@tbphp tbphp deleted the fix/dependabot-round2 branch July 2, 2026 04:17