From 067e8671c38e09d4343aecbabe8e6b070a14518b Mon Sep 17 00:00:00 2001 From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:10:39 -0700 Subject: [PATCH 01/15] build(deps): bump tar from 0.4.45 to 0.4.46 Resolves Dependabot alert #94 (GHSA-3pv8-6f4r-ffg2): tar has a PAX header desynchronization issue. Workspace dependency was pinned to 0.4.43; lockfile was at 0.4.45. Bumps workspace minimum and lockfile to 0.4.46 (patch within 0.4.x). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- Cargo.lock | 4 ++-- Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3c932c3ff..6ab9f0c75 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3017,9 +3017,9 @@ dependencies = [ [[package]] name = "tar" -version = "0.4.45" +version = "0.4.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973" +checksum = "3f6221d9a6003c78398e3b239969f352578258df48c8eb051caadae0015bc840" dependencies = [ "filetime", "libc", diff --git a/Cargo.toml b/Cargo.toml index f96d75320..9e2a9d345 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -86,7 +86,7 @@ syn = { version = "2.0.90", features = ["full"] } sys-mount = { version = "3.0.1", default-features = false } # Disable loop device feature sysinfo = "0.30.13" systemd-journal-logger = "2.2.2" -tar = "0.4.43" +tar = "0.4.46" tempfile = "3.14.0" tera = "1.20.0" textwrap = "0.16.2" From 226949363db7797bd6191796ad5968ea1344c0d9 Mon Sep 17 00:00:00 2001 
From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:11:17 -0700 Subject: [PATCH 02/15] build(deps): bump openssl from 0.10.72 to 0.10.80 Resolves Dependabot alerts #70, #71, #72, #73, #74, #77, #78, #87: - GHSA-phqj-4mhp-q6mq: Potential out-of-bounds write in CipherCtxRef::cipher_update_inplace for AES-KW-PAD ciphers (#87) - GHSA-xv59-967r-8726: Heap buffer overflow when encrypting with AES key-wrap-with-padding (#78) - GHSA-xp3w-r5p5-63rr: Undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs (#77) - GHSA-pqf5-4pqq-29f5: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1 (#74) - GHSA-xmgf-hq76-4vx2: Out-of-bounds read in PEM password callback when returning an oversized length (#73) - GHSA-8c75-8mhr-p7r9: Incorrect bounds assertion in AES key wrap (#72) - GHSA-hppc-g8h3-xhp3: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer (#71) - GHSA-ghm9-cr32-g9qj: MdCtxRef::digest_final() writes past caller buffer with no length check (#70) Patch updates within the 0.10.x line; also bumps openssl-sys 0.9.107 -> 0.9.116. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- Cargo.lock | 9 ++++----- Cargo.toml | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 6ab9f0c75..d043b0cbc 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1799,15 +1799,14 @@ checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "openssl" -version = "0.10.72" +version = "0.10.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da" +checksum = "a45fa2aa886c42762255da344f0a0d313e254066c46aad76f300c3d3da62d967" dependencies = [ "bitflags", "cfg-if", "foreign-types", "libc", - "once_cell", "openssl-macros", "openssl-sys", ] 
@@ -1831,9 +1830,9 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "openssl-sys" -version = "0.9.107" +version = "0.9.116" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8288979acd84749c744a9014b4382d42b8f7b2592847b5afb2ed29e5d16ede07" +checksum = "f28a22dc7140cda5f096e5e7724a6962ca81a7f8bfd2979f9b18c11af56318c4" dependencies = [ "cc", "libc", diff --git a/Cargo.toml b/Cargo.toml index 9e2a9d345..fcc9b62b6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -52,7 +52,7 @@ nix = { version = "0.30.1", features = [ ], default-features = false } oci-client = "0.15.0" once_cell = "1.19" -openssl = "0.10.72" +openssl = "0.10.80" petgraph = "0.6.5" pretty_env_logger = "0.5.0" quick-xml = { version = "0.39.2", features = ["serialize"] } From de20f22a1e631705af617a6fb2713b14d64ddbe1 Mon Sep 17 00:00:00 2001 From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:11:49 -0700 Subject: [PATCH 03/15] build(deps): bump rand from 0.9.0 to 0.9.3 Resolves Dependabot alert #68 (GHSA-cq8v-f236-94qc): Rand is unsound with a custom logger using rand::rng() (affects 0.9.0 - 0.9.2). Patch update within the 0.9.x line. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- Cargo.lock | 7 +++---- Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d043b0cbc..7b3171c09 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1899,7 +1899,7 @@ dependencies = [ "openssl", "pytest", "pytest_gen", - "rand 0.9.0", + "rand 0.9.3", "regex", "serde", "serde_json", 
@@ -2313,13 +2313,12 @@ dependencies = [ [[package]] name = "rand" -version = "0.9.0" +version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94" +checksum = "7ec095654a25171c2124e9e3393a930bddbffdc939556c914957a4c3e0a87166" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.0", - "zerocopy 0.8.17", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index fcc9b62b6..d0baaae60 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -61,7 +61,7 @@ procfs = "0.17.0" prost = "0.14.1" prost-types = "0.14.1" quote = "1.0.37" -rand = "0.9.0" +rand = "0.9.3" rayon = "1.10" regex = "1.11.1" reqwest = { version = "0.12.9", features = [ From 5175558949fe824c0ad19f11d82c383ac7414d2b Mon Sep 17 00:00:00 2001 From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:12:26 -0700 Subject: [PATCH 04/15] build(deps): bump transitive rand from 0.8.5 to 0.8.6 Resolves Dependabot alert #69 (GHSA-cq8v-f236-94qc): Rand is unsound with a custom logger using rand::rng() (affects 0.7.0 - 0.8.5). Patch update within the 0.8.x line, pulled in transitively via phf_generator. Cargo.lock-only change. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- Cargo.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 7b3171c09..b8a01febe 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1648,7 +1648,7 @@ dependencies = [ "hyper", "hyper-util", "log", - "rand 0.8.5", + "rand 0.8.6", "regex", "serde_json", "serde_urlencoded", @@ -2036,7 +2036,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "48e4cc64c2ad9ebe670cb8fd69dd50ae301650392e81c05f9bfcb2d5bdbc24b0" dependencies = [ "phf_shared", - "rand 0.8.5", + "rand 0.8.6", ] [[package]] 
@@ -2302,9 +2302,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "libc", "rand_chacha 0.3.1", @@ -3051,7 +3051,7 @@ dependencies = [ "percent-encoding", "pest", "pest_derive", - "rand 0.8.5", + "rand 0.8.6", "regex", "serde", "serde_json", From 99e632aa8ac97d907f1f45801d7a29617b879aa1 Mon Sep 17 00:00:00 2001 From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:15:28 -0700 Subject: [PATCH 05/15] build(deps): override qs to 6.15.2 Resolves Dependabot alerts #22, #29, #92: - GHSA-6rw7-vpxm-498p: qs arrayLimit bypass in bracket notation allows DoS via memory exhaustion (#22) - GHSA-w7fw-mjwx-w883: qs arrayLimit bypass in comma parsing allows denial of service (#29) - GHSA-q8mj-m7cp-5q26: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays (#92) Pinned via npm overrides to dedupe the two pulled-in versions (6.13.0 and 6.14.1) to 6.15.2. Patch within the 6.x line. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- website/package-lock.json | 23 ++++------------------- website/package.json | 3 ++- 2 files changed, 6 insertions(+), 20 deletions(-) diff --git a/website/package-lock.json b/website/package-lock.json index 62de8e555..8057472ef 100644 --- a/website/package-lock.json +++ b/website/package-lock.json 
@@ -9419,21 +9419,6 @@ "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==", "license": "MIT" }, - "node_modules/express/node_modules/qs": { - "version": "6.14.1", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz", - "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==", - "license": "BSD-3-Clause", - "dependencies": { - "side-channel": "^1.1.0" - }, - "engines": { - "node": ">=0.6" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, "node_modules/express/node_modules/range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", @@ -16415,12 +16400,12 @@ } }, "node_modules/qs": { - "version": "6.13.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz", - "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", + "version": "6.15.2", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz", + "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==", "license": "BSD-3-Clause", "dependencies": { - "side-channel": "^1.0.6" + "side-channel": "^1.1.0" }, "engines": { "node": ">=0.6" diff --git a/website/package.json b/website/package.json index 94b302f1e..f38594b87 100644 --- a/website/package.json +++ b/website/package.json @@ -37,7 +37,8 @@ "overrides": { "serve-handler": { "path-to-regexp": "3.3.0" - } + }, + "qs": "6.15.2" }, "browserslist": { "production": [ From 6597e3e5f72f605f3a33b91fda33fee3714ac1da Mon Sep 17 00:00:00 2001 
From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:15:40 -0700 Subject: [PATCH 06/15] build(deps): override postcss to 8.5.10 Resolves Dependabot alert #88 (GHSA-qx2v-qp2m-jg93): PostCSS has an XSS issue via unescaped content in its CSS stringify output. Pinned via npm overrides from 8.5.6 to 8.5.10. Patch within 8.5.x. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- website/package-lock.json | 6 +++--- website/package.json | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/website/package-lock.json b/website/package-lock.json index 8057472ef..03782e7f7 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -14808,9 +14808,9 @@ } }, "node_modules/postcss": { - "version": "8.5.6", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz", - "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==", + "version": "8.5.10", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.10.tgz", + "integrity": "sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==", "funding": [ { "type": "opencollective", diff --git a/website/package.json b/website/package.json index f38594b87..4d9b871c5 100644 --- a/website/package.json +++ b/website/package.json @@ -38,7 +38,8 @@ "serve-handler": { "path-to-regexp": "3.3.0" }, - "qs": "6.15.2" + "qs": "6.15.2", + "postcss": "8.5.10" }, "browserslist": { "production": [ From 6e21abd4427390e79b03d2261857945c8ef688f9 Mon Sep 17 00:00:00 2001 
From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:16:06 -0700 Subject: [PATCH 07/15] build(deps): override ws to 8.20.1 Resolves Dependabot alert #89 (GHSA-58qx-3vcg-4xpx): ws has an uninitialized memory disclosure (affects 8.0.0 - 8.20.0). Scoped override 'ws@^8.0.0' bumps the webpack-dev-server copy from 8.18.3 to 8.20.1. The unrelated ws@7.5.10 copy under webpack-bundle-analyzer is left intact (not in the vulnerable range). Patch within the 8.x line. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- website/package-lock.json | 6 +++--- website/package.json | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/website/package-lock.json b/website/package-lock.json index 03782e7f7..3cadd636b 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -19312,9 +19312,9 @@ } }, "node_modules/webpack-dev-server/node_modules/ws": { - "version": "8.18.3", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz", - "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==", + "version": "8.20.1", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz", + "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==", "license": "MIT", "engines": { "node": ">=10.0.0" diff --git a/website/package.json b/website/package.json index 4d9b871c5..97bfad26e 100644 --- a/website/package.json +++ b/website/package.json @@ -39,7 +39,8 @@ "path-to-regexp": "3.3.0" }, "qs": "6.15.2", - "postcss": "8.5.10" + "postcss": "8.5.10", + "ws@^8.0.0": "8.20.1" }, "browserslist": { "production": [ From c4f9fd8c8d912554ebd1eb778370a8997c02dbed Mon Sep 17 00:00:00 2001 
From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:17:23 -0700 Subject: [PATCH 08/15] build(deps): override uuid to 11.1.1 Resolves Dependabot alert #91 (GHSA-w5hq-g745-h8pq): uuid has a missing buffer bounds check in v3/v5/v6 when buf is provided. Pinned via npm overrides. Two installed copies were affected: - sockjs's uuid@8.3.2 (pulled in via webpack-dev-server) - mermaid's uuid@11.1.0 Both consumers call uuid.v4() exclusively, an API stable across the major-version range. Verified the docusaurus build still succeeds after the override. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- website/package-lock.json | 25 ++++++++----------------- website/package.json | 3 ++- 2 files changed, 10 insertions(+), 18 deletions(-) diff --git a/website/package-lock.json b/website/package-lock.json index 3cadd636b..a84619e42 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -12119,19 +12119,6 @@ "uuid": "^11.1.0 || ^12 || ^13 || ^14.0.0" } }, - "node_modules/mermaid/node_modules/uuid": { - "version": "11.1.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz", - "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==", - "funding": [ - "https://github.com/sponsors/broofa", - "https://github.com/sponsors/ctavan" - ], - "license": "MIT", - "bin": { - "uuid": "dist/esm/bin/uuid" - } - }, "node_modules/methods": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz", 
@@ -18985,12 +18972,16 @@ } }, "node_modules/uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "version": "11.1.1", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz", + "integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==", + "funding": [ + "https://github.com/sponsors/broofa", + "https://github.com/sponsors/ctavan" + ], "license": "MIT", "bin": { - "uuid": "dist/bin/uuid" + "uuid": "dist/esm/bin/uuid" } }, "node_modules/value-equal": { diff --git a/website/package.json b/website/package.json index 97bfad26e..d0cfe179e 100644 --- a/website/package.json +++ b/website/package.json @@ -40,7 +40,8 @@ }, "qs": "6.15.2", "postcss": "8.5.10", - "ws@^8.0.0": "8.20.1" + "ws@^8.0.0": "8.20.1", + "uuid": "11.1.1" }, "browserslist": { "production": [ From decdb0c04de517865b962278af70e4b1224f9613 Mon Sep 17 00:00:00 2001 From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:18:43 -0700 Subject: [PATCH 09/15] build(deps): override serialize-javascript to 7.0.5 Resolves Dependabot alerts #37 and #90: - GHSA-5c6j-r48x-rmvq: serialize-javascript is vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() (#37) - GHSA-qj8w-gfj5-8c6v: serialize-javascript has CPU exhaustion DoS via crafted array-like objects (#90) Pinned via npm overrides from 6.0.2 to 7.0.5. The 6.x line receives no patches; the only breaking change between 6 and 7 is removal of the default isJSON option, which the consumers (copy-webpack-plugin and css-minimizer-webpack-plugin) do not rely on. Verified the docusaurus build still succeeds after the override. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- website/package-lock.json | 19 +++++-------------- website/package.json | 3 ++- 2 files changed, 7 insertions(+), 15 deletions(-) 
diff --git a/website/package-lock.json b/website/package-lock.json index a84619e42..affd87897 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -16449,15 +16449,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/randombytes": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", - "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", - "license": "MIT", - "dependencies": { - "safe-buffer": "^5.1.0" - } - }, "node_modules/range-parser": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz", @@ -17490,12 +17481,12 @@ } }, "node_modules/serialize-javascript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", - "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz", + "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==", "license": "BSD-3-Clause", - "dependencies": { - "randombytes": "^2.1.0" + "engines": { + "node": ">=20.0.0" } }, "node_modules/serve-handler": { diff --git a/website/package.json b/website/package.json index d0cfe179e..705687354 100644 --- a/website/package.json +++ b/website/package.json @@ -41,7 +41,8 @@ "qs": "6.15.2", "postcss": "8.5.10", "ws@^8.0.0": "8.20.1", - "uuid": "11.1.1" + "uuid": "11.1.1", + "serialize-javascript": "7.0.5" }, "browserslist": { "production": [ From 3d9b71cf385a150b2c12912e2133d66b154cb916 Mon Sep 17 00:00:00 2001 
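Review bot: The global `"serialize-javascript": "7.0.5"` override raises the website's Node floor, because the lockfile hunk shows 7.0.5 declaring `"engines": { "node": ">=20.0.0" }` where 6.0.2 declared none, and the override forces every consumer (copy-webpack-plugin, css-minimizer-webpack-plugin) onto it. The message records the isJSON change and a successful local build but not which Node version that build ran on, so a CI runner or developer on Node 18 would fail at install or run time. I would record the requirement alongside the override, e.g. `"engines": { "node": ">=20" }` in website/package.json, and confirm the CI image matches before merging.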
From: Paco Huelsz Prince Date: Tue, 2 Jun 2026 12:18:58 -0700 Subject: [PATCH 10/15] build(deps): override webpack-dev-server to 5.2.4 Resolves Dependabot alert #86 (GHSA-79cf-xcqc-c78w): webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins. Pinned via npm overrides from 5.2.2 to 5.2.4. Patch within the 5.2.x line. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- website/package-lock.json | 303 +++++++++++++++++++++++++++++++++----- website/package.json | 3 +- 2 files changed, 270 insertions(+), 36 deletions(-) diff --git a/website/package-lock.json b/website/package-lock.json index affd87897..b588d14d3 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -4524,6 +4524,18 @@ "@tybys/wasm-util": "^0.10.0" } }, + "node_modules/@noble/hashes": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.4.0.tgz", + "integrity": "sha512-V1JJ1WTRUqHHrOSh597hURcMqVKVGL/ea3kv0gSnEdsEZ0/+VyPghM1lMNGc00z7CIQorSvbKpuJkxvuHbvdbg==", + "license": "MIT", + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://paulmillr.com/funding/" + } + }, "node_modules/@node-rs/jieba": { "version": "1.10.4", "resolved": "https://registry.npmjs.org/@node-rs/jieba/-/jieba-1.10.4.tgz", 
@@ -4821,6 +4833,163 @@ "node": ">=8.0.0" } }, + "node_modules/@peculiar/asn1-cms": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.7.0.tgz", + "integrity": "sha512-hew63shtzzvBcSHbhm+cyAmKe6AIfinT9hzEqSPjDC6opTTMKmTkQ0gHuN2KsWlvqiKw1S/fS94fhag/FJkioQ==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.7.0", + "@peculiar/asn1-x509": "^2.7.0", + "@peculiar/asn1-x509-attr": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-csr": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.7.0.tgz", + "integrity": "sha512-VVsAyGqErT9D1SY4aEqozThXMVI+ssVRiv2DDeYuvpBKLIgZ3hYs3Ay3u/VSoKq6ESFi9cf6rf3IOOzfwh7oMA==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.7.0", + "@peculiar/asn1-x509": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-ecc": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.7.0.tgz", + "integrity": "sha512-n7KEs/Q/wrB415cxy4fHOBhegp4NdJ15fkJPwcB/3/8iNBQC2L/N7SChJPKDJPZGYH0jD4Tg4/0vnHmwghnbKw==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.7.0", + "@peculiar/asn1-x509": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-pfx": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.7.0.tgz", + "integrity": "sha512-V/nrlQVmhg7lYAsM7E13UDL5erAwFv6kCIVFqNaMIHSVi7dngcT839JkRTkQBqznMG98l2XjxYk74ZztAohZzA==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-cms": "^2.7.0", + "@peculiar/asn1-pkcs8": "^2.7.0", + "@peculiar/asn1-rsa": "^2.7.0", + "@peculiar/asn1-schema": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-pkcs8": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.7.0.tgz", + 
"integrity": "sha512-9GTl1nE8Mx1kTZ+7QyYatDyKsm34QcWRBFkY1iPvWC3X4Dona5s/tlLiQsx5WzVdZqiMBZNYT0buyw4/vbhnjw==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.7.0", + "@peculiar/asn1-x509": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-pkcs9": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.7.0.tgz", + "integrity": "sha512-Bh7m+OuIaSEllPQcSd9OSp93F4ROWH7sbITWV8MI+8dwsjE5111/87VxiWVvYFKyww3vp39geLv9ENqhwWHcew==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-cms": "^2.7.0", + "@peculiar/asn1-pfx": "^2.7.0", + "@peculiar/asn1-pkcs8": "^2.7.0", + "@peculiar/asn1-schema": "^2.7.0", + "@peculiar/asn1-x509": "^2.7.0", + "@peculiar/asn1-x509-attr": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-rsa": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.7.0.tgz", + "integrity": "sha512-/qvENQrXyTZURjMqSeofHul0JJt2sNSzSwk36pl2olkHbaioMQgrASDZAlHXl0xUlnVbHj0uGgOrBMTb5x2aJQ==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.7.0", + "@peculiar/asn1-x509": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-schema": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-schema/-/asn1-schema-2.7.0.tgz", + "integrity": "sha512-W8ZfWzLmQnrcky+eh3tni4IozMdqBDiHWU0N+vve/UGjMaUs8c0L7A2oEdkBXS8rTpWDpK/aoI3DG/L/hxmxPg==", + "license": "MIT", + "dependencies": { + "@peculiar/utils": "^2.0.2", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-x509": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.7.0.tgz", + "integrity": "sha512-mUn9RRrkGDnG4ALfunDmzyRW5dg+sWCj/pfnCCqEHYbkGxEpvUt6iVJv8Yw1cyp6SWZ26ZE5oSmI5SqEaen15g==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.7.0", + 
"@peculiar/utils": "^2.0.2", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/asn1-x509-attr": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.7.0.tgz", + "integrity": "sha512-NS8e7SOgXipkzUPLF/sce7ukpMpWjhxYsH0n6Y+bHYo4TTxOb95Zv7hqwSuL212mj5YxovjdOKQOgH1As3E94w==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-schema": "^2.7.0", + "@peculiar/asn1-x509": "^2.7.0", + "asn1js": "^3.0.6", + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/utils": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/@peculiar/utils/-/utils-2.0.3.tgz", + "integrity": "sha512-+oL3HPFRIZ1St2K50lWCXiioIgSoxzz7R1J3uF6neO2yl1sgmpgY6XXJH4BdpoDkMWznQTeYF6oWNDZLCdQ4eQ==", + "license": "MIT", + "dependencies": { + "tslib": "^2.8.1" + } + }, + "node_modules/@peculiar/x509": { + "version": "1.14.3", + "resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.14.3.tgz", + "integrity": "sha512-C2Xj8FZ0uHWeCXXqX5B4/gVFQmtSkiuOolzAgutjTfseNOHT3pUjljDZsTSxXFGgio54bCzVFqmEOUrIVk8RDA==", + "license": "MIT", + "dependencies": { + "@peculiar/asn1-cms": "^2.6.0", + "@peculiar/asn1-csr": "^2.6.0", + "@peculiar/asn1-ecc": "^2.6.0", + "@peculiar/asn1-pkcs9": "^2.6.0", + "@peculiar/asn1-rsa": "^2.6.0", + "@peculiar/asn1-schema": "^2.6.0", + "@peculiar/asn1-x509": "^2.6.0", + "pvtsutils": "^1.3.6", + "reflect-metadata": "^0.2.2", + "tslib": "^2.8.1", + "tsyringe": "^4.10.0" + }, + "engines": { + "node": ">=20.0.0" + } + }, "node_modules/@pnpm/config.env-replace": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/@pnpm/config.env-replace/-/config.env-replace-1.1.0.tgz", 
@@ -5539,15 +5708,15 @@ } }, "node_modules/@types/express": { - "version": "4.17.23", - "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.23.tgz", - "integrity": "sha512-Crp6WY9aTYP3qPi2wGDo9iUe/rceX01UMhnF1jmwDcKCFM6cx7YhGP/Mpr3y9AASpfHixIG0E6azCcL5OcDHsQ==", + "version": "4.17.25", + "resolved": "https://registry.npmjs.org/@types/express/-/express-4.17.25.tgz", + "integrity": "sha512-dVd04UKsfpINUnK0yBoYHDF3xu7xVH4BuDotC/xGuycx4CgbP48X/KF/586bcObxT0HENHXEU8Nqtu6NR+eKhw==", "license": "MIT", "dependencies": { "@types/body-parser": "*", "@types/express-serve-static-core": "^4.17.33", "@types/qs": "*", - "@types/serve-static": "*" + "@types/serve-static": "^1" } }, "node_modules/@types/express-serve-static-core": { @@ -5682,15 +5851,6 @@ "undici-types": "~7.10.0" } }, - "node_modules/@types/node-forge": { - "version": "1.3.14", - "resolved": "https://registry.npmjs.org/@types/node-forge/-/node-forge-1.3.14.tgz", - "integrity": "sha512-mhVF2BnD4BO+jtOp7z1CdzaK4mbuK0LLQYAvdOLqHTavxFNq4zA1EmYkpnFjP8HOUzedfQkRnp0E2ulSAYSzAw==", - "license": "MIT", - "dependencies": { - "@types/node": "*" - } - }, "node_modules/@types/prismjs": { "version": "1.26.5", "resolved": "https://registry.npmjs.org/@types/prismjs/-/prismjs-1.26.5.tgz", @@ -6357,6 +6517,20 @@ "node": ">=8" } }, + "node_modules/asn1js": { + "version": "3.0.10", + "resolved": "https://registry.npmjs.org/asn1js/-/asn1js-3.0.10.tgz", + "integrity": "sha512-S2s3aOytiKdFRdulw2qPE51MzjzVOisppcVv7jVFR+Kw0kxwvFrDcYA0h7Ndqbmj0HkMIXYWaoj7fli8kgx1eg==", + "license": "BSD-3-Clause", + "dependencies": { + "pvtsutils": "^1.3.6", + "pvutils": "^1.1.5", + "tslib": "^2.8.1" + }, + "engines": { + "node": ">=12.0.0" + } + }, "node_modules/astring": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/astring/-/astring-1.9.0.tgz", 
@@ -6700,6 +6874,15 @@ "node": ">= 0.8" } }, + "node_modules/bytestreamjs": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/bytestreamjs/-/bytestreamjs-2.0.1.tgz", + "integrity": "sha512-U1Z/ob71V/bXfVABvNr/Kumf5VyeQRBEm6Txb0PQ6S7V5GpBM3w4Cbqz/xPDicR5tN0uvDifng8C+5qECeGwyQ==", + "license": "BSD-3-Clause", + "engines": { + "node": ">=6.0.0" + } + }, "node_modules/cacheable-lookup": { "version": "7.0.0", "resolved": "https://registry.npmjs.org/cacheable-lookup/-/cacheable-lookup-7.0.0.tgz", @@ -14141,15 +14324,6 @@ "node": ">=18" } }, - "node_modules/node-forge": { - "version": "1.3.2", - "resolved": "https://registry.npmjs.org/node-forge/-/node-forge-1.3.2.tgz", - "integrity": "sha512-6xKiQ+cph9KImrRh0VsjH2d8/GXA4FIMlgU4B757iI1ApvcyA9VlouP0yZJha01V+huImO+kKMU7ih+2+E14fw==", - "license": "(BSD-3-Clause OR GPL-2.0)", - "engines": { - "node": ">= 6.13.0" - } - }, "node_modules/node-releases": { "version": "2.0.27", "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz", @@ -14778,6 +14952,23 @@ "pathe": "^2.0.3" } }, + "node_modules/pkijs": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/pkijs/-/pkijs-3.4.0.tgz", + "integrity": "sha512-emEcLuomt2j03vxD54giVB4SxTjnsqkU692xZOZXHDVoYyypEm+b3jpiTcc+Cf+myooc+/Ly0z01jqeNHVgJGw==", + "license": "BSD-3-Clause", + "dependencies": { + "@noble/hashes": "1.4.0", + "asn1js": "^3.0.6", + "bytestreamjs": "^2.0.1", + "pvtsutils": "^1.3.6", + "pvutils": "^1.1.3", + "tslib": "^2.8.1" + }, + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/points-on-curve": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/points-on-curve/-/points-on-curve-0.2.0.tgz", 
@@ -16386,6 +16577,24 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/pvtsutils": { + "version": "1.3.6", + "resolved": "https://registry.npmjs.org/pvtsutils/-/pvtsutils-1.3.6.tgz", + "integrity": "sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==", + "license": "MIT", + "dependencies": { + "tslib": "^2.8.1" + } + }, + "node_modules/pvutils": { + "version": "1.1.5", + "resolved": "https://registry.npmjs.org/pvutils/-/pvutils-1.1.5.tgz", + "integrity": "sha512-KTqnxsgGiQ6ZAzZCVlJH5eOjSnvlyEgx1m8bkRJfOhmGRqfo5KLvmAlACQkrjEtOQ4B7wF9TdSLIs9O90MX9xA==", + "license": "MIT", + "engines": { + "node": ">=16.0.0" + } + }, "node_modules/qs": { "version": "6.15.2", "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz", @@ -16748,6 +16957,12 @@ "url": "https://opencollective.com/unified" } }, + "node_modules/reflect-metadata": { + "version": "0.2.2", + "resolved": "https://registry.npmjs.org/reflect-metadata/-/reflect-metadata-0.2.2.tgz", + "integrity": "sha512-urBwgfrvVP/eAyXx4hluJivBKzuEbSQs9rKWCrCkbSxNv8mxPcUZKeuoF3Uy4mJl3Lwprp6yy5/39VWigZ4K6Q==", + "license": "Apache-2.0" + }, "node_modules/regenerate": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.4.2.tgz", 
@@ -17384,16 +17599,16 @@ "license": "MIT" }, "node_modules/selfsigned": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/selfsigned/-/selfsigned-2.4.1.tgz", - "integrity": "sha512-th5B4L2U+eGLq1TVh7zNRGBapioSORUeymIydxgFpwww9d2qyKvtuPU2jJuHvYAwwqi2Y596QBL3eEqcPEYL8Q==", + "version": "5.5.0", + "resolved": "https://registry.npmjs.org/selfsigned/-/selfsigned-5.5.0.tgz", + "integrity": "sha512-ftnu3TW4+3eBfLRFnDEkzGxSF/10BJBkaLJuBHZX0kiPS7bRdlpZGu6YGt4KngMkdTwJE6MbjavFpqHvqVt+Ew==", "license": "MIT", "dependencies": { - "@types/node-forge": "^1.3.0", - "node-forge": "^1" + "@peculiar/x509": "^1.14.2", + "pkijs": "^3.3.3" }, "engines": { - "node": ">=10" + "node": ">=18" } }, "node_modules/semver": { @@ -18455,6 +18670,24 @@ "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==", "license": "0BSD" }, + "node_modules/tsyringe": { + "version": "4.10.0", + "resolved": "https://registry.npmjs.org/tsyringe/-/tsyringe-4.10.0.tgz", + "integrity": "sha512-axr3IdNuVIxnaK5XGEUFTu3YmAQ6lllgrvqfEoR16g/HGnYY/6We4oWENtAnzK6/LpJ2ur9PAb80RBt7/U4ugw==", + "license": "MIT", + "dependencies": { + "tslib": "^1.9.3" + }, + "engines": { + "node": ">= 6.0.0" + } + }, + "node_modules/tsyringe/node_modules/tslib": { + "version": "1.14.1", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz", + "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==", + "license": "0BSD" + }, "node_modules/type-fest": { "version": "2.19.0", "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-2.19.0.tgz", 
@@ -19207,14 +19440,14 @@
 }
 },
 "node_modules/webpack-dev-server": {
- "version": "5.2.2",
- "resolved": "https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-5.2.2.tgz",
- "integrity": "sha512-QcQ72gh8a+7JO63TAx/6XZf/CWhgMzu5m0QirvPfGvptOusAxG12w2+aua1Jkjr7hzaWDnJ2n6JFeexMHI+Zjg==",
+ "version": "5.2.4",
+ "resolved": "https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-5.2.4.tgz",
+ "integrity": "sha512-GqDPGZN9bRqKBTkp4aWkobDDHMsrXKoGSdOH56smIri8qR0JG8gfL8/v/f/OZR3/OKXjG8uwJbFVhKm/FNU/UA==",
 "license": "MIT",
 "dependencies": {
 "@types/bonjour": "^3.5.13",
 "@types/connect-history-api-fallback": "^1.5.4",
- "@types/express": "^4.17.21",
+ "@types/express": "^4.17.25",
 "@types/express-serve-static-core": "^4.17.21",
 "@types/serve-index": "^1.9.4",
 "@types/serve-static": "^1.15.5",
@@ -19224,9 +19457,9 @@
 "bonjour-service": "^1.2.1",
 "chokidar": "^3.6.0",
 "colorette": "^2.0.10",
- "compression": "^1.7.4",
+ "compression": "^1.8.1",
 "connect-history-api-fallback": "^2.0.0",
- "express": "^4.21.2",
+ "express": "^4.22.1",
 "graceful-fs": "^4.2.6",
 "http-proxy-middleware": "^2.0.9",
 "ipaddr.js": "^2.1.0",
@@ -19234,7 +19467,7 @@
 "open": "^10.0.3",
 "p-retry": "^6.2.0",
 "schema-utils": "^4.2.0",
- "selfsigned": "^2.4.1",
+ "selfsigned": "^5.5.0",
 "serve-index": "^1.9.1",
 "sockjs": "^0.3.24",
 "spdy": "^4.0.2",
diff --git a/website/package.json b/website/package.json
index 705687354..e02b3f426 100644
--- a/website/package.json
+++ b/website/package.json
@@ -42,7 +42,8 @@
 "postcss": "8.5.10",
 "ws@^8.0.0": "8.20.1",
 "uuid": "11.1.1",
- "serialize-javascript": "7.0.5"
+ "serialize-javascript": "7.0.5",
+ "webpack-dev-server": "5.2.4"
 },
 "browserslist": {
 "production": [
From 7a536b40fb0a2ba2106966f7bf33ca5d5d3e2f8e Mon Sep 17 00:00:00 2001
From: Paco Huelsz Prince
Date: Tue, 2 Jun 2026 12:19:14 -0700
Subject: [PATCH 11/15] build(deps): override @babel/plugin-transform-modules-systemjs to 7.29.4
Resolves Dependabot alert #81 (GHSA-fv7c-fp4j-7gwp): @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input (affects 7.12.0 - 7.29.3).
Pinned via npm overrides from 7.27.1 to 7.29.4. Minor update within the 7.x line.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 website/package-lock.json | 126 +++++++++++++++++++------------------
 website/package.json | 3 +-
 2 files changed, 65 insertions(+), 64 deletions(-)
diff --git a/website/package-lock.json b/website/package-lock.json
index b588d14d3..2c884d7fa 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -370,12 +370,12 @@
 }
 },
 "node_modules/@babel/code-frame": {
- "version": "7.27.1",
- "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz",
- "integrity": "sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.7.tgz",
+ "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
 "license": "MIT",
 "dependencies": {
- "@babel/helper-validator-identifier": "^7.27.1",
+ "@babel/helper-validator-identifier": "^7.29.7",
 "js-tokens": "^4.0.0",
 "picocolors": "^1.1.1"
 },
@@ -432,13 +432,13 @@ } }, "node_modules/@babel/generator": { - "version": "7.28.3", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.28.3.tgz", - "integrity": "sha512-3lSpxGgvnmZznmBkCRnVREPUFJv2wrv9iAoFDvADJc0ypmdOxdUtcLeBgBJ6zE0PMeTKnxeQzyk0xTBq4Ep7zw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.7.tgz", + "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==", "license": "MIT", "dependencies": { - "@babel/parser": "^7.28.3", - "@babel/types": "^7.28.2", + "@babel/parser": "^7.29.7", + "@babel/types": "^7.29.7", "@jridgewell/gen-mapping": "^0.3.12", "@jridgewell/trace-mapping": "^0.3.28", "jsesc": "^3.0.2" @@ -557,9 +557,9 @@ } }, "node_modules/@babel/helper-globals": { - "version": "7.28.0", - "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz", - "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.29.7.tgz", + "integrity": "sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==", "license": "MIT", "engines": { "node": ">=6.9.0" 
@@ -579,27 +579,27 @@ } }, "node_modules/@babel/helper-module-imports": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.27.1.tgz", - "integrity": "sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.29.7.tgz", + "integrity": "sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==", "license": "MIT", "dependencies": { - "@babel/traverse": "^7.27.1", - "@babel/types": "^7.27.1" + "@babel/traverse": "^7.29.7", + "@babel/types": "^7.29.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-module-transforms": { - "version": "7.28.3", - "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.3.tgz", - "integrity": "sha512-gytXUbs8k2sXS9PnQptz5o0QnpLL51SwASIORY6XaBKF88nsOT0Zw9szLqlSGQDP/4TljBAD5y98p2U1fqkdsw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.29.7.tgz", + "integrity": "sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==", "license": "MIT", "dependencies": { - "@babel/helper-module-imports": "^7.27.1", - "@babel/helper-validator-identifier": "^7.27.1", - "@babel/traverse": "^7.28.3" + "@babel/helper-module-imports": "^7.29.7", + "@babel/helper-validator-identifier": "^7.29.7", + "@babel/traverse": "^7.29.7" }, "engines": { "node": ">=6.9.0" 
@@ -621,9 +621,9 @@ } }, "node_modules/@babel/helper-plugin-utils": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.27.1.tgz", - "integrity": "sha512-1gn1Up5YXka3YYAHGKpbideQ5Yjf1tDa9qYcgysz+cNCXukyLl6DjPXhD3VRwSb8c0J9tA4b2+rHEZtc6R0tlw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.29.7.tgz", + "integrity": "sha512-G7sHYigPY17oO5SYWnfD/0MTBwVR781S/JI643e/JhUYgVgWE/61SoW3NH9KWUKyKq5LVh3npif99Wkt6j86Jw==", "license": "MIT", "engines": { "node": ">=6.9.0" @@ -677,18 +677,18 @@ } }, "node_modules/@babel/helper-string-parser": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz", - "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.29.7.tgz", + "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==", "license": "MIT", "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-validator-identifier": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.27.1.tgz", - "integrity": "sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.29.7.tgz", + "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==", "license": "MIT", "engines": { "node": ">=6.9.0" 
@@ -731,12 +731,12 @@ } }, "node_modules/@babel/parser": { - "version": "7.28.3", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.28.3.tgz", - "integrity": "sha512-7+Ey1mAgYqFAx2h0RuoxcQT5+MlG3GTV0TQrgr7/ZliKsm/MNDxVVutlWaziMq7wJNAz8MTqz55XLpWvva6StA==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.7.tgz", + "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==", "license": "MIT", "dependencies": { - "@babel/types": "^7.28.2" + "@babel/types": "^7.29.7" }, "bin": { "parser": "bin/babel-parser.js" @@ -1321,15 +1321,15 @@ } }, "node_modules/@babel/plugin-transform-modules-systemjs": { - "version": "7.27.1", - "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.27.1.tgz", - "integrity": "sha512-w5N1XzsRbc0PQStASMksmUeqECuzKuTJer7kFagK8AXgpCMkeDMO5S+aaFb7A51ZYDF7XI34qsTX+fkHiIm5yA==", + "version": "7.29.4", + "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-systemjs/-/plugin-transform-modules-systemjs-7.29.4.tgz", + "integrity": "sha512-N7QmZ0xRZfjHOfZeQLJjwgX2zS9pdGHSVl/cjSGlo4dXMqvurfxXDMKY4RqEKzPozV78VMcd0lxyG13mlbKc4w==", "license": "MIT", "dependencies": { - "@babel/helper-module-transforms": "^7.27.1", - "@babel/helper-plugin-utils": "^7.27.1", - "@babel/helper-validator-identifier": "^7.27.1", - "@babel/traverse": "^7.27.1" + "@babel/helper-module-transforms": "^7.28.6", + "@babel/helper-plugin-utils": "^7.28.6", + "@babel/helper-validator-identifier": "^7.28.5", + "@babel/traverse": "^7.29.0" }, "engines": { "node": ">=6.9.0" 
@@ -2025,31 +2025,31 @@ } }, "node_modules/@babel/template": { - "version": "7.27.2", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.2.tgz", - "integrity": "sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.29.7.tgz", + "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==", "license": "MIT", "dependencies": { - "@babel/code-frame": "^7.27.1", - "@babel/parser": "^7.27.2", - "@babel/types": "^7.27.1" + "@babel/code-frame": "^7.29.7", + "@babel/parser": "^7.29.7", + "@babel/types": "^7.29.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/traverse": { - "version": "7.28.3", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.3.tgz", - "integrity": "sha512-7w4kZYHneL3A6NP2nxzHvT3HCZ7puDZZjFMqDpBPECub79sTtSO5CGXDkKrTQq8ksAwfD/XI2MRFX23njdDaIQ==", + "version": "7.29.7", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.7.tgz", + "integrity": "sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==", "license": "MIT", "dependencies": { - "@babel/code-frame": "^7.27.1", - "@babel/generator": "^7.28.3", - "@babel/helper-globals": "^7.28.0", - "@babel/parser": "^7.28.3", - "@babel/template": "^7.27.2", - "@babel/types": "^7.28.2", + "@babel/code-frame": "^7.29.7", + "@babel/generator": "^7.29.7", + "@babel/helper-globals": "^7.29.7", + "@babel/parser": "^7.29.7", + "@babel/template": "^7.29.7", + "@babel/types": "^7.29.7", "debug": "^4.3.1" }, "engines": { 
@@ -2057,13 +2057,13 @@
 }
 },
 "node_modules/@babel/types": {
- "version": "7.28.2",
- "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.2.tgz",
- "integrity": "sha512-ruv7Ae4J5dUYULmeXw1gmb7rYRz57OWCPM57pHojnLq/3Z1CK2lNSLTCVjxVk1F/TZHwOZZrOWi0ur95BbLxNQ==",
+ "version": "7.29.7",
+ "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.7.tgz",
+ "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==",
 "license": "MIT",
 "dependencies": {
- "@babel/helper-string-parser": "^7.27.1",
- "@babel/helper-validator-identifier": "^7.27.1"
+ "@babel/helper-string-parser": "^7.29.7",
+ "@babel/helper-validator-identifier": "^7.29.7"
 },
 "engines": {
 "node": ">=6.9.0"
diff --git a/website/package.json b/website/package.json
index e02b3f426..ea282f7f8 100644
--- a/website/package.json
+++ b/website/package.json
@@ -43,7 +43,8 @@
 "ws@^8.0.0": "8.20.1",
 "uuid": "11.1.1",
 "serialize-javascript": "7.0.5",
- "webpack-dev-server": "5.2.4"
+ "webpack-dev-server": "5.2.4",
+ "@babel/plugin-transform-modules-systemjs": "7.29.4"
 },
 "browserslist": {
 "production": [
From c26253cbe066770d6d22efb5f4830f9e12be1479 Mon Sep 17 00:00:00 2001
From: Paco Huelsz Prince
Date: Tue, 2 Jun 2026 12:19:29 -0700
Subject: [PATCH 12/15] build(deps): override follow-redirects to 1.16.0
Resolves Dependabot alert #63 (GHSA-r4q5-vmmm-2653): follow-redirects leaks custom authentication headers to cross-domain redirect targets.
Pinned via npm overrides from 1.15.11 to 1.16.0. Minor update within the 1.x line.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 website/package-lock.json | 6 +++---
 website/package.json | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/website/package-lock.json b/website/package-lock.json
index 2c884d7fa..0eb21bcc1 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -9905,9 +9905,9 @@
 }
 },
 "node_modules/follow-redirects": {
- "version": "1.15.11",
- "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
- "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+ "version": "1.16.0",
+ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+ "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
 "funding": [
 {
 "type": "individual",
diff --git a/website/package.json b/website/package.json
index ea282f7f8..b649e08bf 100644
--- a/website/package.json
+++ b/website/package.json
@@ -44,7 +44,8 @@
 "uuid": "11.1.1",
 "serialize-javascript": "7.0.5",
 "webpack-dev-server": "5.2.4",
- "@babel/plugin-transform-modules-systemjs": "7.29.4"
+ "@babel/plugin-transform-modules-systemjs": "7.29.4",
+ "follow-redirects": "1.16.0"
 },
 "browserslist": {
 "production": [
From 37c06855190f60d50b0cf6e85b10911b6b9b130d Mon Sep 17 00:00:00 2001
From: Paco Huelsz Prince
Date: Tue, 2 Jun 2026 12:21:02 -0700
Subject: [PATCH 13/15] build(deps): override lodash to 4.18.1
Resolves Dependabot alerts #60 and #61:
- GHSA-r5fr-rjxr-66jc: lodash vulnerable to code injection via _.template imports key names (#60)
- GHSA-f23m-r3pf-42rh: lodash vulnerable to prototype pollution via array path bypass in _.unset and _.omit (#61)
Pinned via npm overrides from 4.17.23 to 4.18.1. The advisory lists 4.18.0 as the first patched version, but the npm registry marks 4.18.0 as a bad release and recommends 4.18.1, so the minimum usable patched version is 4.18.1. Minor update within the 4.x line.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 website/package-lock.json | 6 +++---
 website/package.json | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/website/package-lock.json b/website/package-lock.json
index 0eb21bcc1..b307c842f 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -11672,9 +11672,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 "license": "MIT"
 },
 "node_modules/lodash-es": {
diff --git a/website/package.json b/website/package.json
index b649e08bf..96424726d 100644
--- a/website/package.json
+++ b/website/package.json
@@ -45,7 +45,8 @@
 "serialize-javascript": "7.0.5",
 "webpack-dev-server": "5.2.4",
 "@babel/plugin-transform-modules-systemjs": "7.29.4",
- "follow-redirects": "1.16.0"
+ "follow-redirects": "1.16.0",
+ "lodash": "4.18.1"
 },
 "browserslist": {
 "production": [
From 6a5f70db0a92c3e0737ec633a33fdf15683f2393 Mon Sep 17 00:00:00 2001
From: Paco Huelsz Prince
Date: Tue, 2 Jun 2026 12:22:46 -0700
Subject: [PATCH 14/15] build(deps): override minimatch ^3 to 3.1.4
Resolves Dependabot alerts #34, #35, #36:
- GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards with non-matching literal in pattern (#34)
- GHSA-7r86-cg39-jmmj: minimatch ReDoS - matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (#35)
- GHSA-23c5-xmqv-rm74: minimatch ReDoS - nested *() extglobs generate catastrophically backtracking regular expressions (#36)
Scoped override 'minimatch@^3.0.0' bumps the serve-handler copy from 3.1.2 to 3.1.4 while leaving any future 4.x+ copies unaffected. Patch within the 3.x line.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 website/package-lock.json | 6 +++---
 website/package.json | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/website/package-lock.json b/website/package-lock.json
index b307c842f..02ac8d83d 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -14189,9 +14189,9 @@
 "license": "ISC"
 },
 "node_modules/minimatch": {
- "version": "3.1.2",
- "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
- "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+ "version": "3.1.4",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.4.tgz",
+ "integrity": "sha512-twmL+S8+7yIsE9wsqgzU3E8/LumN3M3QELrBZ20OdmQ9jB2JvW5oZtBEmft84k/Gs5CG9mqtWc6Y9vW+JEzGxw==",
 "license": "ISC",
 "dependencies": {
 "brace-expansion": "^1.1.7"
diff --git a/website/package.json b/website/package.json
index 96424726d..f2c1bc419 100644
--- a/website/package.json
+++ b/website/package.json
@@ -46,7 +46,8 @@
 "webpack-dev-server": "5.2.4",
 "@babel/plugin-transform-modules-systemjs": "7.29.4",
 "follow-redirects": "1.16.0",
- "lodash": "4.18.1"
+ "lodash": "4.18.1",
+ "minimatch@^3.0.0": "3.1.4"
 },
 "browserslist": {
 "production": [
From 23b4ffd691966da02ed8004294848314c9104212 Mon Sep 17 00:00:00 2001
From: Paco Huelsz Prince
Date: Tue, 2 Jun 2026 14:27:57 -0700
Subject: [PATCH 15/15] chore(website): bump engines.node to >=20 to match deps and CI
The installed dependency tree has long required Node 20+ (the entire Docusaurus 3.9 stack declares 'engines.node: >=20.0', and the CI workflow .github/workflows/deploy-website.yaml already pins node-version: 20.x), but the website package itself still advertised 'engines.node: >=18.0'.
The recent serialize-javascript 6 -> 7 bump (commit decdb0c0, resolving Dependabot alerts #37 and #90) makes the strictness explicit: serialize-javascript@7 declares 'engines.node: >=20.0.0'.
Align the website's engines field with what the deps and CI already require so npm install gives a consistent signal to contributors and to lockfile metadata.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 website/package-lock.json | 2 +-
 website/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/website/package-lock.json b/website/package-lock.json
index 02ac8d83d..62893fc52 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -29,7 +29,7 @@
 "@docusaurus/types": "^3.9.1"
 },
 "engines": {
- "node": ">=18.0"
+ "node": ">=20.0"
 }
 },
 "node_modules/@ai-sdk/gateway": {
diff --git a/website/package.json b/website/package.json
index f2c1bc419..389646cc1 100644
--- a/website/package.json
+++ b/website/package.json
@@ -62,6 +62,6 @@
 ]
 },
 "engines": {
- "node": ">=18.0"
+ "node": ">=20.0"
 }
 }