fix(deps): update dependency liquidjs to v10.25.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
liquidjs	10.18.0 → 10.25.0

GitHub Vulnerability Alerts

CVE-2026-30952

Impact

The layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables when dynamicPartials: true is enabled). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable.

Patches

The issue is fixed via #​855 and published version 10.25.0 on npm.

Workarounds

Change the files in build time

In build time, through Shell script or Webpack string-replace-loader, change the file content of correxponding file (depending on your package type, for CommonJS it's dist/liquid.node.js) under dist/,

  if (fs.fallback !== undefined) {
    const filepath = fs.fallback(file)
-   if (filepath !== undefined) yield filepath
+   if (filepath !== undefined) {
+     for (const dir of dirs) {
+       if (!enforceRoot || this.contains(dir, filepath)) {
+         yield filepath
+         break
+       }
+     }
    }
  }

Overriding by fs LiquidJS option

Adding a fs option to override the default fs implementation:

const { statSync, readFileSync, promises: { stat, readFile } } = require('fs')
const { resolve, extname, dirname, sep } = require('path')

const fs = {
    exists: async (fp) => { try { await stat(fp); return true; } catch { return false } },
    existsSync: (fp) => { try { statSync(fp); return true } catch { return false } },
    resolve: (root, file, ext) => resolve(root, file + (extname(file) ? '' : ext)),
    contains: (root, file) => {
        const r = resolve(root)
        return file.startsWith(r.endsWith(sep) ? r : r + sep)
    },
    readFile: (fp) => readFile(fp, 'utf8'),
    readFileSync: (fp) => readFileSync(fp, 'utf8'),
    fallback: () => undefined,
    dirname,
    sep
};

const engine = new Liquid({ fs })

References

Discussions: https://github.com/harttle/liquidjs/pull/851
Code fix: https://github.com/harttle/liquidjs/pull/855

---

Release Notes

harttle/liquidjs (liquidjs)

v10.25.0

Compare Source

Bug Fixes

• path traversal vulnerability, #​851 (#​855) (3cd024d)

Features

• export error types, resolving #​837 (#​840) (71aa1b1)

v10.24.0

Compare Source

Features

• filters: Add base64_encode and base64_decode filters for Shopify compatibility (#​828) (86fc135)

v10.23.0

Compare Source

Features

• Export specific tokens as types (#​824) (4f7d2fd)

v10.22.0

Compare Source

Bug Fixes

• math filters coerce invalid string to 0, #​813 (#​819) (e8e502c)

Features

• allow context access in liquidMethodMissing, #​808 (#​820) (e551288)

10.21.1 (2025-05-14)

Bug Fixes

• block.super with strictVariables, #​806 (#​807) (025c40f)

v10.21.1

Compare Source

Bug Fixes

• math filters coerce invalid string to 0, #​813 (#​819) (e8e502c)

Features

• allow context access in liquidMethodMissing, #​808 (#​820) (e551288)

10.21.1 (2025-05-14)

Bug Fixes

• block.super with strictVariables, #​806 (#​807) (025c40f)

v10.21.0

Compare Source

Bug Fixes

• math filters coerce invalid string to 0, #​813 (#​819) (e8e502c)

Features

• allow context access in liquidMethodMissing, #​808 (#​820) (e551288)

10.21.1 (2025-05-14)

Bug Fixes

• block.super with strictVariables, #​806 (#​807) (025c40f)

v10.20.3

Compare Source

Features

• add find_index, has, and reject filters (#​799) (0deb93e)

10.20.3 (2025-02-09)

Bug Fixes

• empty tagToken.args since 10.20.0, fixes #​796 (38a0f51)

10.20.2 (2025-01-19)

Bug Fixes

• consistent range syntax parsing, #​791 (a490a70)
• context for group_by_exp/where_exp/find_exp, #​790 (a5070af)

10.20.1 (2025-01-04)

Bug Fixes

• break/continue stops whole template, #​783 (5f1a4cf)
• enumerate plain objects in where/where_exp, #​785 (#​788) (25ef104)
• preserveTimezones support for RFC2822 date, #​784 (59cf3c0)

v10.20.2

Compare Source

Features

• add find_index, has, and reject filters (#​799) (0deb93e)

10.20.3 (2025-02-09)

Bug Fixes

• empty tagToken.args since 10.20.0, fixes #​796 (38a0f51)

10.20.2 (2025-01-19)

Bug Fixes

• consistent range syntax parsing, #​791 (a490a70)
• context for group_by_exp/where_exp/find_exp, #​790 (a5070af)

10.20.1 (2025-01-04)

Bug Fixes

• break/continue stops whole template, #​783 (5f1a4cf)
• enumerate plain objects in where/where_exp, #​785 (#​788) (25ef104)
• preserveTimezones support for RFC2822 date, #​784 (59cf3c0)

v10.20.1

Compare Source

Features

• add find_index, has, and reject filters (#​799) (0deb93e)

10.20.3 (2025-02-09)

Bug Fixes

• empty tagToken.args since 10.20.0, fixes #​796 (38a0f51)

10.20.2 (2025-01-19)

Bug Fixes

• consistent range syntax parsing, #​791 (a490a70)
• context for group_by_exp/where_exp/find_exp, #​790 (a5070af)

10.20.1 (2025-01-04)

Bug Fixes

• break/continue stops whole template, #​783 (5f1a4cf)
• enumerate plain objects in where/where_exp, #​785 (#​788) (25ef104)
• preserveTimezones support for RFC2822 date, #​784 (59cf3c0)

v10.20.0

Compare Source

Features

• add find_index, has, and reject filters (#​799) (0deb93e)

10.20.3 (2025-02-09)

Bug Fixes

• empty tagToken.args since 10.20.0, fixes #​796 (38a0f51)

10.20.2 (2025-01-19)

Bug Fixes

• consistent range syntax parsing, #​791 (a490a70)
• context for group_by_exp/where_exp/find_exp, #​790 (a5070af)

10.20.1 (2025-01-04)

Bug Fixes

• break/continue stops whole template, #​783 (5f1a4cf)
• enumerate plain objects in where/where_exp, #​785 (#​788) (25ef104)
• preserveTimezones support for RFC2822 date, #​784 (59cf3c0)

v10.19.1

Compare Source

Features

• size, first, last support arraylike objects, #​781 (35a8442)
• static variable analysis (#​770) (3492ff6)

10.19.1 (2024-12-22)

Bug Fixes

• add sideEffects=false to package.json (734eb52)
• inconsistent continue behaviour, fixes #​779 (e3ef574)
• memoryLimit doesn't work in for tag, #​776 (2af297f)

v10.19.0

Compare Source

Features

• size, first, last support arraylike objects, #​781 (35a8442)
• static variable analysis (#​770) (3492ff6)

10.19.1 (2024-12-22)

Bug Fixes

• add sideEffects=false to package.json (734eb52)
• inconsistent continue behaviour, fixes #​779 (e3ef574)
• memoryLimit doesn't work in for tag, #​776 (2af297f)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.