From 9b83624285ee5dce68fa70cac40c93159a385f39 Mon Sep 17 00:00:00 2001 From: scttbnsn <80784472+scttbnsn@users.noreply.github.com> Date: Mon, 15 Jun 2026 20:43:26 -0400 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=20security(web):=20override=20?= =?UTF-8?q?js-yaml=20to=204.2.0=20(GHSA-h67p-54hq-rp68)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fumadocs-mdx@14.2.11 pulled js-yaml 4.1.1 transitively into apps/web, which Dependabot flags for GHSA-h67p-54hq-rp68 (fixed in 4.2.0). Added an npm override pinning js-yaml to 4.2.0; the postinstall docs-sync/MDX frontmatter generation (the js-yaml consumer) runs clean on the patched version. Website build-time dependency only — not shipped in the drydock container image. --- CHANGELOG.md | 4 ++++ apps/web/package-lock.json | 16 +++++++++++++--- apps/web/package.json | 3 ++- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2bfffb47..374906c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,10 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every 1.4.6+ / 1.5.x release's notes by `scripts/append-upgrade-notes.mjs` (wired into `release-cut.yml`). Update that file — not this comment — when the notes change. --> +### Security + +- **Documentation site (`apps/web`) js-yaml pinned to 4.2.0 ([GHSA-h67p-54hq-rp68](https://github.com/advisories/GHSA-h67p-54hq-rp68)).** `fumadocs-mdx` pulled js-yaml 4.1.1 transitively; an override forces the patched 4.2.0. Build-time dependency of the website only — not part of the shipped drydock image. + ## [1.5.0-rc.37] — 2026-06-15 ### Security diff --git a/apps/web/package-lock.json b/apps/web/package-lock.json index 3b9a7db7..0cf36d86 100644 --- a/apps/web/package-lock.json +++ b/apps/web/package-lock.json 
@@ -3976,9 +3976,19 @@ } }, "node_modules/js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { "argparse": "^2.0.1" diff --git a/apps/web/package.json b/apps/web/package.json index ad8a52ae..fa841407 100644 --- a/apps/web/package.json +++ b/apps/web/package.json @@ -50,6 +50,7 @@ }, "overrides": { "postcss": "8.5.10", - "esbuild": "0.28.1" + "esbuild": "0.28.1", + "js-yaml": "4.2.0" } } From ad53db56924476675645bd815fc0b7f567078b70 Mon Sep 17 00:00:00 2001 From: scttbnsn <80784472+scttbnsn@users.noreply.github.com> Date: Mon, 15 Jun 2026 20:47:39 -0400 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=92=20security(e2e):=20override=20?= =?UTF-8?q?@opentelemetry/core=20to=202.8.0=20(CVE-2026-54285)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit artillery pulled @opentelemetry/core 2.7.1 transitively into e2e, vulnerable to unbounded memory allocation in W3C Baggage propagation (GHSA-8988-4f7v-96qf, fixed in 2.8.0). Added an npm override pinning it to 2.8.0 — a drop-in minor bump, no API break. Test-only load-test dependency; not shipped in the image. --- CHANGELOG.md | 2 ++ e2e/package-lock.json | 6 +++--- e2e/package.json | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 374906c4..740c0f9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
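Review bot: The new `"js-yaml": "4.2.0"` entry in `overrides` is unscoped, so it rewrites every js-yaml request in the apps/web tree rather than only the one fumadocs-mdx makes; the lockfile hunk touches a single `node_modules/js-yaml` entry today, but a future transitive consumer declaring a js-yaml 3.x range would also be forced onto 4.2.0 with no semver compatibility check. If the intent is only to lift the fumadocs-mdx copy, the scoped form `"fumadocs-mdx": { "js-yaml": "4.2.0" }` limits that effect; the same consideration applies to the `"@opentelemetry/core": "2.8.0"` override added to e2e/package.json in the second patch, where artillery is the named consumer. The exact pin is consistent with the existing `postcss` and `esbuild` entries, but it will also hold the package at 4.2.0 once upstream publishes later fixes, so a tracked follow-up to remove each override when fumadocs-mdx and artillery ship a fixed range would keep subsequent security releases flowing. Both hunks show only the closing lines of each `overrides` object; the rest of each object is outside the hunk.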
@@ -20,6 +20,8 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every - **Documentation site (`apps/web`) js-yaml pinned to 4.2.0 ([GHSA-h67p-54hq-rp68](https://github.com/advisories/GHSA-h67p-54hq-rp68)).** `fumadocs-mdx` pulled js-yaml 4.1.1 transitively; an override forces the patched 4.2.0. Build-time dependency of the website only — not part of the shipped drydock image. +- **E2E load-test harness `@opentelemetry/core` pinned to 2.8.0 ([CVE-2026-54285](https://github.com/advisories/GHSA-8988-4f7v-96qf)).** artillery pulled `@opentelemetry/core` 2.7.1 transitively, vulnerable to unbounded memory allocation in W3C Baggage propagation; an override forces the patched 2.8.0. Test-only dependency — not part of the shipped drydock image. + ## [1.5.0-rc.37] — 2026-06-15 ### Security diff --git a/e2e/package-lock.json b/e2e/package-lock.json index 5439e4e1..2f9a1f12 100644 --- a/e2e/package-lock.json +++ b/e2e/package-lock.json @@ -2423,9 +2423,9 @@ } }, "node_modules/@opentelemetry/core": { - "version": "2.7.1", - "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.7.1.tgz", - "integrity": "sha512-QAqIj32AtK6+pEVNG7EOVxHdE06RP+FM5qpiEJ4RtDcFIqKUZHYhl7/7UY5efhwmwNAg7j8QbJVBLxMerc0+gw==", + "version": "2.8.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.8.0.tgz", + "integrity": "sha512-hd1Lfh8p545nNz+jq1Ejfz+Mn1hyLuxYn1YzTfFNrxr8urEWMNQLPf1Th8kjOH+HxwawCrtgBp8JpBUR4ZSgww==", "dev": true, "license": "Apache-2.0", "dependencies": { diff --git a/e2e/package.json b/e2e/package.json index 583edfdd..18479456 100644 --- a/e2e/package.json +++ b/e2e/package.json @@ -46,6 +46,7 @@ "ws": "8.21.0", "yaml": "2.8.3", "form-data": "4.0.6", - "protobufjs": "7.6.3" + "protobufjs": "7.6.3", + "@opentelemetry/core": "2.8.0" } }