From 46223f2c6df1852abb31d9da74947ade09807cb9 Mon Sep 17 00:00:00 2001
From: Riccardo Cipolleschi
Date: Mon, 2 Mar 2026 14:36:01 +0100
Subject: [PATCH 1/2] Bump serialize-javascript and minimatch to fix security vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add resolutions to fix high-severity Dependabot alerts:
- serialize-javascript 6.0.2 → 7.0.3 (RCE via RegExp.flags and Date.prototype.toISOString)
- serve-handler/minimatch 3.1.2 → 3.1.3 (ReDoS via GLOBSTAR segments)
---
 package.json | 6 +++++-
 yarn.lock | 38 ++++++++++++++++++--------------------
 2 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/package.json b/package.json
index debb3e30387..9aee6b0b094 100644
--- a/package.json
+++ b/package.json
@@ -45,5 +45,9 @@
     "typescript": "^5.9.3",
     "typescript-eslint": "^8.56.0"
   },
-  "packageManager": "yarn@4.12.0"
+  "packageManager": "yarn@4.12.0",
+  "resolutions": {
+    "serialize-javascript": "^7.0.3",
+    "serve-handler/minimatch": "3.1.3"
+  }
 }
diff --git a/yarn.lock b/yarn.lock
index 83b56dacc6e..5858f872ebd 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -15442,12 +15442,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"minimatch@npm:3.1.2, minimatch@npm:^3.0.4, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
-  version: 3.1.2
-  resolution: "minimatch@npm:3.1.2"
+"minimatch@npm:3.1.3":
+  version: 3.1.3
+  resolution: "minimatch@npm:3.1.3"
   dependencies:
     brace-expansion: "npm:^1.1.7"
-  checksum: 10c0/0262810a8fc2e72cca45d6fd86bd349eee435eb95ac6aa45c9ea2180e7ee875ef44c32b55b5973ceabe95ea12682f6e3725cbb63d7a2d1da3ae1163c8b210311
+  checksum: 10c0/c1ffce4be47e88df013f66f55176c25a93fdd8ad15735309cf1782f0433a02f363cee298f8763ceaaaf85e70ff7f30dc84a1a8d00a6fb6ca72032e5b51f9b89c
   languageName: node
   linkType: hard
 
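Review bot: The `resolutions` entry `"serialize-javascript": "^7.0.3"` forces a major-version jump onto every dependent that declared a `^6.0.x` range (the yarn.lock hunk collapses `^6.0.0`, `^6.0.1` and `^6.0.2` onto 7.0.3), so the package manager no longer checks that those dependents are compatible with 7.x; the commit message does not say which packages pull it in or that they were exercised against 7.x, and that should be stated in the PR description or covered by CI. The two overrides also use different range styles, `^7.0.3` versus the exact pin `"serve-handler/minimatch": "3.1.3"`, which leaves it unclear whether future patch releases are meant to flow through; either use `"serve-handler/minimatch": "^3.1.3"` or note why the exact pin is intended. Because package.json is strict JSON and cannot carry a comment, the advisory each override addresses and the condition for removing it (the upstream dependents bumping their own ranges) belong in the commit message or a tracked follow-up so the overrides do not linger indefinitely.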
@@ -15460,6 +15460,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"minimatch@npm:^3.0.4, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
+  version: 3.1.2
+  resolution: "minimatch@npm:3.1.2"
+  dependencies:
+    brace-expansion: "npm:^1.1.7"
+  checksum: 10c0/0262810a8fc2e72cca45d6fd86bd349eee435eb95ac6aa45c9ea2180e7ee875ef44c32b55b5973ceabe95ea12682f6e3725cbb63d7a2d1da3ae1163c8b210311
+  languageName: node
+  linkType: hard
+
 "minimatch@npm:^5.0.1":
   version: 5.1.6
   resolution: "minimatch@npm:5.1.6"
@@ -17834,15 +17843,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"randombytes@npm:^2.1.0":
-  version: 2.1.0
-  resolution: "randombytes@npm:2.1.0"
-  dependencies:
-    safe-buffer: "npm:^5.1.0"
-  checksum: 10c0/50395efda7a8c94f5dffab564f9ff89736064d32addf0cc7e8bf5e4166f09f8ded7a0849ca6c2d2a59478f7d90f78f20d8048bca3cdf8be09d8e8a10790388f3
-  languageName: node
-  linkType: hard
-
 "range-parser@npm:1.2.0":
   version: 1.2.0
   resolution: "range-parser@npm:1.2.0"
@@ -19018,7 +19018,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"safe-buffer@npm:5.2.1, safe-buffer@npm:>=5.1.0, safe-buffer@npm:^5.1.0, safe-buffer@npm:~5.2.0":
+"safe-buffer@npm:5.2.1, safe-buffer@npm:>=5.1.0, safe-buffer@npm:~5.2.0":
   version: 5.2.1
   resolution: "safe-buffer@npm:5.2.1"
   checksum: 10c0/6501914237c0a86e9675d4e51d89ca3c21ffd6a31642efeba25ad65720bce6921c9e7e974e5be91a786b25aa058b5303285d3c15dbabf983a919f5f630d349f3
@@ -19259,12 +19259,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"serialize-javascript@npm:^6.0.0, serialize-javascript@npm:^6.0.1, serialize-javascript@npm:^6.0.2":
-  version: 6.0.2
-  resolution: "serialize-javascript@npm:6.0.2"
-  dependencies:
-    randombytes: "npm:^2.1.0"
-  checksum: 10c0/2dd09ef4b65a1289ba24a788b1423a035581bef60817bea1f01eda8e3bda623f86357665fe7ac1b50f6d4f583f97db9615b3f07b2a2e8cbcb75033965f771dd2
+"serialize-javascript@npm:^7.0.3":
+  version: 7.0.3
+  resolution: "serialize-javascript@npm:7.0.3"
+  checksum: 10c0/2c8883b360767dd96c720f2ec8938b2623dbdd4e46d68c540260125e2fa040fef538303411de245d62a1391b8b913c4f566f0bae74b23a58e467553ff1402b76
   languageName: node
   linkType: hard
 

From 783b1dca26669064fc84709fe3bc00d2c95e38d7 Mon Sep 17 00:00:00 2001
From: Riccardo Cipolleschi
Date: Mon, 2 Mar 2026 15:21:01 +0100
Subject: [PATCH 2/2] Dedupe minimatch in yarn.lock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove duplicate minimatch@3.1.2 entry — all ^3.x ranges now resolve to 3.1.3 to fix yarn dedupe --check in CI.
---
 yarn.lock | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index 5858f872ebd..8fec070e3e8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -15442,7 +15442,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"minimatch@npm:3.1.3":
+"minimatch@npm:3.1.3, minimatch@npm:^3.0.4, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
   version: 3.1.3
   resolution: "minimatch@npm:3.1.3"
   dependencies:
@@ -15460,15 +15460,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"minimatch@npm:^3.0.4, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2":
-  version: 3.1.2
-  resolution: "minimatch@npm:3.1.2"
-  dependencies:
-    brace-expansion: "npm:^1.1.7"
-  checksum: 10c0/0262810a8fc2e72cca45d6fd86bd349eee435eb95ac6aa45c9ea2180e7ee875ef44c32b55b5973ceabe95ea12682f6e3725cbb63d7a2d1da3ae1163c8b210311
-  languageName: node
-  linkType: hard
-
 "minimatch@npm:^5.0.1":
   version: 5.1.6
   resolution: "minimatch@npm:5.1.6"