fix(deps): patch security advisories for devalue, simple-git, postcss, nitropack #57
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -56,12 +56,12 @@ | |
| "tmp": ">=0.2.4", | ||
| "vite": "^6.4.2", | ||
| "qs": ">=6.14.2", | ||
| "simple-git": ">=3.32.3", | ||
| "simple-git": ">=3.36.0", | ||
| "rollup": ">=4.59.0", | ||
| "serialize-javascript": ">=7.0.5", | ||
| "svgo": ">=4.0.1", | ||
| "tar": ">=7.5.11", | ||
| "devalue": ">=5.6.4", | ||
| "devalue": ">=5.8.1", | ||
| "unhead": ">=2.1.13", | ||
| "yaml": ">=2.8.3", | ||
| "node-forge": ">=1.4.0", | ||
|
|
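Review bot: the devalue floor in this hunk moves from `>=5.6.4` to `>=5.8.1`, yet the devalue advisories cited in this thread (GHSA-33hq-fvwr-56pm, CVE-2026-30226) are fixed in 5.6.3 and 5.6.4, so the floor that was already here covered them; either state in the PR description which advisory needs 5.8.1 or keep `>=5.6.4` so the override does not drift beyond what the advisory requires. In the same hunk, `"simple-git": ">=3.36.0"` has no upper bound, so a future simple-git 4.x would also satisfy it and be pulled into every transitive consumer; `>=3.36.0 <4` keeps the RCE fix without permitting a silent major upgrade, and the file's own `minimatch@>=9.0.0 <10.0.0` entries show that bounded form is already in use. Please also confirm pnpm-lock.yaml is regenerated with this change, since the new floors take effect only once the lockfile resolves them.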
@@ -72,7 +72,9 @@ | |
| "minimatch@>=9.0.0 <10.0.0": "9.0.9", | ||
| "minimatch@>=10.0.0 <11.0.0": "10.2.4", | ||
| "lodash": ">=4.18.0", | ||
| "defu": ">=6.1.5" | ||
| "defu": ">=6.1.5", | ||
|
| "postcss": ">=8.5.10", | ||
| "nitropack": ">=2.13.4" | ||
| } | ||
| }, | ||
| "packageManager": "pnpm@10.2.1+sha512.398035c7bd696d0ba0b10a688ed558285329d27ea994804a52bad9167d8e3a72bcb993f9699585d3ca25779ac64949ef422757a6c31102c12ab932e5cbe5cc92" | ||
|
|
||
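Review bot: `"postcss": ">=8.5.10"` and `"nitropack": ">=2.13.4"` are open-ended floors, so a future postcss 9.x or nitropack 3.x would satisfy the override and be forced onto every package that depends on them; for a framework package like nitropack, prefer `>=2.13.4 <3` so the override enforces the patched release without imposing an untested major on the framework's own dependency range. The trailing comma added to `"defu": ">=6.1.5",` is required by the two new entries and is correct. The `packageManager` pin at `pnpm@10.2.1` with its sha512 is untouched, which is fine, but it is worth double-checking that the install used to validate this PR ran with that pinned pnpm, because that is the tool whose override resolution the lockfile reflects.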
🧩 Analysis chain
🌐 Web query: simple-git 3.36.0 security advisory RCE vulnerability CVE

💡 Result:

simple-git 3.36.0 addresses an RCE vulnerability tracked as CVE-2026-6951. The issue affects versions of simple-git before 3.36.0 and is described as an incomplete fix for CVE-2022-25912: the protection blocks the -c option but not the equivalent --config form, allowing untrusted input to reach simple-git options and enable Git config protocol.ext.allow=always. With that enabled, an attacker can use an ext:: clone source to achieve remote code execution [1][2].

Evidence/details grounded in the sources:

- NVD describes CVE-2026-6951 for "simple-git before 3.36.0" and explains the incomplete fix around blocking -c but not --config, with exploitation via protocol.ext.allow=always and ext:: clone [1].
- Snyk's advisory for CVE-2026-6951 states the same root cause and recommends upgrading to simple-git 3.36.0 (or higher) [2].

Practical mitigation:

- Upgrade simple-git to version 3.36.0 or later everywhere untrusted user input can influence the arguments/options passed to simple-git [2].
Citations:
🌐 Web query: devalue 5.8.1 security advisory DoS sparse array CVE

💡 Result:

The devalue library has been subject to several security advisories related to Denial of Service (DoS) vulnerabilities, including issues involving sparse arrays and resource exhaustion. There is no single "5.8.1 security advisory" that encompasses all these issues; rather, multiple vulnerabilities were addressed in various versions leading up to and including 5.6.4 [1][2][3][4]. Key vulnerabilities identified in devalue include:

1. Sparse Array DoS (GHSA-33hq-fvwr-56pm): This vulnerability, affecting versions <= 5.6.2, involved CPU and memory amplification when serializing sparse arrays using uneval or stringify [1][5]. It was patched in version 5.6.3 [1][5]. This issue does not have an assigned CVE ID [1].
2. Memory Exhaustion in devalue.parse (CVE-2026-22774): Affecting versions 5.3.0 through 5.6.1, this vulnerability allowed for asymmetric resource consumption due to improper ArrayBuffer type validation during hydration [2][6]. It was patched in version 5.6.2 [2][6].
3. ArrayBuffer Hydration DoS (CVE-2026-22775): Affecting versions 5.1.0 through 5.6.1, this issue involved improper validation of base64 encoded strings during ArrayBuffer hydration, leading to potential DoS [3]. It was also patched in version 5.6.2 [3].
4. Prototype Pollution (CVE-2026-30226): Affecting versions 5.6.3 and earlier, this vulnerability in devalue.parse and devalue.unflatten allowed for prototype pollution via maliciously crafted payloads, which could lead to DoS or type confusion [4]. This was patched in version 5.6.4 [4].

Users are advised to ensure they are using version 5.6.4 or later to mitigate these known vulnerabilities [7][4].
Citations:
🌐 Web query: postcss 8.5.10 security advisory XSS unescaped style tags CVE

💡 Result:

PostCSS versions prior to 8.5.10 are vulnerable to a Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-41305 [1][2]. The vulnerability exists because PostCSS does not properly escape </style> sequences when stringifying CSS Abstract Syntax Trees (ASTs) [3][1]. If an application parses user-submitted CSS and re-stringifies it for embedding directly within an HTML <style> tag, an attacker can inject a crafted CSS string containing </style> to break out of the style context and execute arbitrary JavaScript [3][4]. This issue was addressed in PostCSS version 8.5.10, which introduced the necessary escaping for </style> sequences [3][1]. Users are advised to upgrade to version 8.5.10 or higher to mitigate this risk [4][5]. The vulnerability has a CVSS v3 base score of 6.1 (Medium) [6][2].
Citations:
🌐 Web query: nitropack 2.13.4 security advisory path traversal open redirect CVE

💡 Result:

The Nitro framework (often referred to as nitropack on npm) released version 2.13.4 to address two medium-severity security vulnerabilities related to route rule processing [1][2]. It is important to distinguish this framework from the NitroPack WordPress plugin, which is a separate product [3][4][5]. The vulnerabilities addressed in Nitro 2.13.4 are:

1. Open Redirect (CVE-2026-44372): This vulnerability allowed an attacker to bypass intended same-host rewrites in redirect route rules [6][7][8]. By crafting a URL with an extra slash (e.g., /legacy//evil.com), an attacker could force the application to respond with a protocol-relative URL (Location: //evil.com), causing the browser to redirect the user to an external, attacker-controlled site [7][8].
2. Path Traversal (CVE-2026-44373): This vulnerability allowed an attacker to bypass proxy route rule scopes using percent-encoded path traversal sequences (e.g., ..%2f) [9][10]. This could cause the Nitro runtime to forward requests to upstream services that were intended to be protected or out-of-scope, potentially exposing internal endpoints or sensitive data [9].

These issues affect deployments where route rules are executed by the Nitro runtime [6][9]. Deployments that offload these rules to edge platforms (such as Vercel, Netlify, Cloudflare Pages, or EdgeOne) are generally not affected because the rules are handled natively at the CDN layer [6][8]. Users relying on proxy or redirect route rules are strongly encouraged to upgrade to version 2.13.4 or later [1][2].
Citations:
Correct devalue version override—specified version does not patch stated vulnerabilities.

The PR specifies `devalue >= 5.8.1` to address DoS via sparse array deserialization, but security advisories confirm the patched versions are 5.6.3 (sparse array DoS, GHSA-33hq-fvwr-56pm) and 5.6.4 (prototype pollution, CVE-2026-30226). Version 5.8.1 does not appear in any devalue security advisory. Update to `devalue >= 5.6.4`.

The other three overrides are correctly specified:

- `simple-git >= 3.36.0` patches CVE-2026-6951 (RCE) ✓
- `postcss >= 8.5.10` patches CVE-2026-41305 (XSS) ✓
- `nitropack >= 2.13.4` patches CVE-2026-44372 (open redirect) and CVE-2026-44373 (path traversal) ✓
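As an added example (not part of this PR or of the project's own code), the following Node.js script performs the kind of check the review above does by hand: it takes the override floors from this diff and the first patched version each cited advisory names, then flags any floor that sits below the patched version and any open-ended `>=` range that would also admit a future major. Both tables are constructed from this page; the function names (`auditOverrides`, `floorOf`, `compareVersions`) and the hand-rolled version comparison are assumptions made so the script runs offline without the `semver` package. The check treats any floor at or above the patched version as covered, so a floor such as `>=5.8.1` passes for an advisory fixed in 5.6.4.

```javascript
// Added example: audit pnpm override floors against advisory patched versions.
// Not the project's code; tables below are constructed from the PR page.

// Constructed from the diff: the override map after this PR is merged.
const overrides = {
  "simple-git": ">=3.36.0",
  "devalue": ">=5.8.1",
  "postcss": ">=8.5.10",
  "nitropack": ">=2.13.4",
  "defu": ">=6.1.5",
};

// Constructed from the review comment: package -> first version carrying the fix.
const patchedVersions = {
  "simple-git": "3.36.0", // CVE-2026-6951 (RCE via --config / protocol.ext.allow)
  "devalue": "5.6.4",     // CVE-2026-30226; also covers GHSA-33hq-fvwr-56pm (5.6.3)
  "postcss": "8.5.10",    // CVE-2026-41305 (unescaped </style> on stringify)
  "nitropack": "2.13.4",  // CVE-2026-44372 / CVE-2026-44373 (route rule bypasses)
};

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Extract the lower bound from the range forms used in this package.json:
// ">=x.y.z" (optionally followed by an upper bound), "^x.y.z", "~x.y.z", or "x.y.z".
// A range is "unbounded" when it is a bare ">=" with no "<" upper bound.
function floorOf(range) {
  const m = /^(>=|\^|~)?\s*(\d+\.\d+\.\d+)/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return { floor: m[2], unbounded: m[1] === ">=" && !/</.test(range) };
}

// Compare each advisory's patched version with the override floor.
// Returns findings: level "error" for a missing or too-low floor,
// level "warn" for an open-ended range that admits a future major.
function auditOverrides(overridesMap, patched) {
  const findings = [];
  for (const [pkg, minPatched] of Object.entries(patched)) {
    const range = overridesMap[pkg];
    if (range === undefined) {
      findings.push({ pkg, level: "error", msg: `no override; advisory requires >=${minPatched}` });
      continue;
    }
    const { floor, unbounded } = floorOf(range);
    if (compareVersions(floor, minPatched) < 0) {
      findings.push({ pkg, level: "error", msg: `floor ${floor} is below patched ${minPatched}` });
    }
    if (unbounded) {
      findings.push({ pkg, level: "warn", msg: `open-ended ${range} also admits a future major` });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the overrides in this PR.
for (const f of auditOverrides(overrides, patchedVersions)) {
  console.log(`${f.level.toUpperCase()} ${f.pkg}: ${f.msg}`);
}
```

Run it with `node audit-overrides.js` (hypothetical file name). For the overrides in this PR it reports no errors and four warnings, one per open-ended `>=` range; replacing a floor with a bounded form such as `>=2.13.4 <3` clears the corresponding warning while keeping the patched minimum.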