From e6cdbb9c579e095fc2c7276c0917d3e3b971f32e Mon Sep 17 00:00:00 2001
From: phantom-autopilot <273411261+phantom-autopilot@users.noreply.github.com>
Date: Wed, 6 May 2026 20:05:26 +0000
Subject: [PATCH] chore(SEC-10670): upgrade basic-ftp to 5.3.1

Pin basic-ftp to 5.3.1 via resolutions (yarn) and overrides (pnpm) to mitigate GHSA-rpmf-866q-6p89 (CVE-2026-44240). The package is pulled in transitively through get-uri@^6.0.1 with range ^5.0.2; 5.3.1 satisfies that range and contains the fix for the unbounded multiline control response buffering DoS.
---
 package.json | 6 ++++--
 yarn.lock | 8 ++++----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/package.json b/package.json
index ae8e3a3c..b3b06834 100644
--- a/package.json
+++ b/package.json
@@ -109,10 +109,12 @@
 "gh-pages": "5.0.0",
 "http-cache-semantics": "4.1.1",
 "ansi-regex": "5.0.1",
- "@testing-library/dom": "8.20.0"
+ "@testing-library/dom": "8.20.0",
+ "basic-ftp": "5.3.1"
 },
 "overrides": {
- "lodash@<4.17.20": "4.17.20"
+ "lodash@<4.17.20": "4.17.20",
+ "basic-ftp": "5.3.1"
 },
 "engines": {
 "node": ">=14"
diff --git a/yarn.lock b/yarn.lock
index 4a17feae..7d7d2108 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2616,10 +2616,10 @@ __metadata:
 languageName: node
 linkType: hard
-"basic-ftp@npm:^5.0.2":
- version: 5.0.5
- resolution: "basic-ftp@npm:5.0.5"
- checksum: 10c0/be983a3997749856da87b839ffce6b8ed6c7dbf91ea991d5c980d8add275f9f2926c19f80217ac3e7f353815be879371d636407ca72b038cea8cab30e53928a6
+"basic-ftp@npm:5.3.1":
+ version: 5.3.1
+ resolution: "basic-ftp@npm:5.3.1"
+ checksum: 10c0/03511b488cd292abfa82a8c0ea3b9573b40d12d2f1518d6f41a9461b012b3376d3e6d50679b38d9b2b4f48fd6e8e0418ac196312ee7e2da13cb801169940d1c3
 languageName: node
 linkType: hard
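Review bot: The `"basic-ftp": "5.3.1"` entry added to the top-level `overrides` object in the package.json hunk is the field npm honors, whereas pnpm reads its overrides from the `pnpm.overrides` block of package.json, so the description's claim that this pin covers pnpm installs may not hold as written. If pnpm is a supported installer for this repo, mirror the pin as `"pnpm": { "overrides": { "basic-ftp": "5.3.1" } }`; if only yarn and npm are supported, the commit message should say npm rather than pnpm. The diffstat touches only yarn.lock, so any npm or pnpm lockfile the repo keeps would still resolve the old `^5.0.2` range until regenerated, leaving those installs without the CVE-2026-44240 fix. The enclosing `resolutions` object begins before the hunk and the package.json document continues past it.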