From 0a39f7ee0cd4d5b7422b2f80569c1153c355a1d2 Mon Sep 17 00:00:00 2001
From: Katherine Chen
Date: Fri, 6 Mar 2026 12:13:00 +1100
Subject: [PATCH] UID2-6699: Fix immutable and svgo HIGH vulnerabilities

Pin immutable to ^4.3.8 (fixes CVE-2026-29063, Prototype Pollution) and svgo to ^3.3.3 (fixes CVE-2026-29074, Billion Laughs DoS) via npm overrides in package.json.

Co-Authored-By: Claude Sonnet 4.6
---
 package-lock.json | 36 +++++++++++++++++-------------------
 package.json | 4 +++-
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 06f16ec2f..ee95e14d3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -4940,14 +4940,6 @@
 "node": ">=14.16"
 }
 },
- "node_modules/@trysound/sax": {
- "version": "0.2.0",
- "resolved": "https://registry.npmjs.org/@trysound/sax/-/sax-0.2.0.tgz",
- "integrity": "sha512-L7z9BgrNEcYyUYtF+HaEfiS5ebkh9jXqbszz7pC0hRBPaatV0XjSD3+eHrpqFemQfgwiFF0QPIarnIihIDn7OA==",
- "engines": {
- "node": ">=10.13.0"
- }
- },
 "node_modules/@tsconfig/docusaurus": {
 "version": "2.0.7",
 "resolved": "https://registry.npmjs.org/@tsconfig/docusaurus/-/docusaurus-2.0.7.tgz",
@@ -9938,9 +9930,10 @@
 }
 },
 "node_modules/immutable": {
- "version": "4.3.7",
- "resolved": "https://registry.npmjs.org/immutable/-/immutable-4.3.7.tgz",
- "integrity": "sha512-1hqclzwYwjRDFLjcFxOM5AYkkG0rpFPpr1RLPMEuGczoS7YA8gLhy8SWXYRAA/XwfEHpfo3cw5JGioS32fnMRw=="
+ "version": "4.3.8",
+ "resolved": "https://registry.npmjs.org/immutable/-/immutable-4.3.8.tgz",
+ "integrity": "sha512-d/Ld9aLbKpNwyl0KiM2CT1WYvkitQ1TSvmRtkcV8FKStiDoA7Slzgjmb/1G2yhKM1p0XeNOieaTbFZmU1d3Xuw==",
+ "license": "MIT"
 },
 "node_modules/import-fresh": {
 "version": "3.3.1",
@@ -16412,9 +16405,13 @@
 }
 },
 "node_modules/sax": {
- "version": "1.4.3",
- "resolved": "https://registry.npmjs.org/sax/-/sax-1.4.3.tgz",
- "integrity": "sha512-yqYn1JhPczigF94DMS+shiDMjDowYO6y9+wB/4WgO0Y19jWYk0lQ4tuG5KI7kj4FTp1wxPj5IFfcrz/s1c3jjQ=="
+ "version": "1.5.0",
+ "resolved": "https://registry.npmjs.org/sax/-/sax-1.5.0.tgz",
+ "integrity": "sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==",
+ "license": "BlueOak-1.0.0",
+ "engines": {
+ "node": ">=11.0.0"
+ }
 },
 "node_modules/scheduler": {
 "version": "0.23.2",
@@ -17259,17 +17256,18 @@
 "integrity": "sha512-e4hG1hRwoOdRb37cIMSgzNsxyzKfayW6VOflrwvR+/bzrkyxY/31WkbgnQpgtrNp1SdpJvpUAGTa/ZoiPNDuRQ=="
 },
 "node_modules/svgo": {
- "version": "3.3.2",
- "resolved": "https://registry.npmjs.org/svgo/-/svgo-3.3.2.tgz",
- "integrity": "sha512-OoohrmuUlBs8B8o6MB2Aevn+pRIH9zDALSR+6hhqVfa6fRwG/Qw9VUMSMW9VNg2CFc/MTIfabtdOVl9ODIJjpw==",
+ "version": "3.3.3",
+ "resolved": "https://registry.npmjs.org/svgo/-/svgo-3.3.3.tgz",
+ "integrity": "sha512-+wn7I4p7YgJhHs38k2TNjy1vCfPIfLIJWR5MnCStsN8WuuTcBnRKcMHQLMM2ijxGZmDoZwNv8ipl5aTTen62ng==",
+ "license": "MIT",
 "dependencies": {
- "@trysound/sax": "0.2.0",
 "commander": "^7.2.0",
 "css-select": "^5.1.0",
 "css-tree": "^2.3.1",
 "css-what": "^6.1.0",
 "csso": "^5.0.5",
- "picocolors": "^1.0.0"
+ "picocolors": "^1.0.0",
+ "sax": "^1.5.0"
 },
 "bin": {
 "svgo": "bin/svgo"
diff --git a/package.json b/package.json
index f516bf118..a2f40ff6a 100644
--- a/package.json
+++ b/package.json
@@ -51,12 +51,14 @@
 },
 "overrides": {
 "body-parser@1": "1.20.3",
+ "immutable": "^4.3.8",
 "minimatch": "^10.2.3",
 "path-to-regexp@0": "0.1.12",
 "path-to-regexp@1": "1.9.0",
 "path-to-regexp@2": "8.0.0",
 "qs": "6.14.1",
- "serialize-javascript": "^7.0.3"
+ "serialize-javascript": "^7.0.3",
+ "svgo": "^3.3.3"
 },
 "browserslist": {
 "production": [
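Review bot: The two overrides added in the package.json hunk are unscoped (`"immutable": "^4.3.8"`, `"svgo": "^3.3.3"`), so npm applies them to every occurrence of those packages in the tree, whereas the neighbouring `body-parser@1` and `path-to-regexp@0/1/2` entries pin a single major. The lockfile hunks show only one immutable@4.x and one svgo@3.x node today, so nothing breaks now, but a future transitive dependency on svgo@2 or immutable@3 would be silently forced onto an incompatible major instead of surfacing as an audit finding. Scoping them like the existing entries, `"immutable@4": "^4.3.8"` and `"svgo@3": "^3.3.3"`, keeps the fix while limiting its blast radius (the older unscoped `minimatch`/`qs`/`serialize-javascript` entries are pre-existing and out of scope here). Whether the overrides are strictly required cannot be told from these hunks — the resolved versions moved 4.3.7→4.3.8 and 3.3.2→3.3.3 within their majors, so they are presumably belt-and-braces; a note in the commit message saying which transitive range blocked the upgrade would stop a later cleanup from dropping them without re-checking.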