
build(deps): fix security vulnerabilities via dependency upgrades and overrides#2683

Open
ethan ozelius (ethan-ozelius-contentful) wants to merge 2 commits into master from fix/dependabot-197-serialize-javascript

Conversation

ethan ozelius (ethan-ozelius-contentful), Contributor, commented May 5, 2026
  ┌────────────┬──────────────────────┬─────────────────────────────────────┬──────────────────────────────────────────────┐
  │   Alert    │       Package        │                 CVE                 │                  Fix method                  │
  ├────────────┼──────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────┤
  │ #197       │ serialize-javascript │ CVE-2026-34043                      │ Upgraded @rollup/plugin-terser 0.4.4 → 1.0.0 │
  ├────────────┼──────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────┤
  │ #194       │ lodash               │ CVE-2026-4800 (code injection)      │ npm overrides: lodash >=4.18.0               │
  ├────────────┼──────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────┤
  │ #193       │ lodash               │ CVE-2026-2950 (prototype pollution) │ npm overrides: lodash >=4.18.0               │
  ├────────────┼──────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────┤
  │ #187, #188 │ picomatch            │ CVE-2026-33672 (method injection)   │ npm overrides: picomatch >=4.0.4             │
  ├────────────┼──────────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────┤
  │ #125       │ tmp                  │ CVE-2025-54798 (symlink bypass)     │ npm overrides: tmp >=0.2.4                   │
  └────────────┴──────────────────────┴─────────────────────────────────────┴──────────────────────────────────────────────┘

Summary

  • Upgrades @rollup/plugin-terser from 0.4.4 to 1.0.0, pulling in serialize-javascript@7.0.5 — fixes #197 (CVE-2026-34043: CPU exhaustion DoS)
  • Adds npm overrides to force patched versions of transitive dev deps that upstream parents pin to vulnerable ranges:
  • All affected packages are dev-only transitive deps — nothing is shipped to SDK consumers

Note: A picomatch@4.0.3 instance inside npm's own bundled modules (node_modules/npm/node_modules/tinyglobby) cannot be overridden from project config — that alert will persist in npm audit but is not exploitable from userland code.

Test plan

  • Build passes (npm run build)
  • Unit tests pass (113 tests, 0 failures)
  • Type tests pass (tsd)
  • Verified patched versions installed: lodash@4.18.1, picomatch@4.0.4, tmp@0.2.5, serialize-javascript@7.0.5

Generated with Claude Code
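The test plan's "Verified patched versions installed" step and the note about the non-overridable picomatch copy under node_modules/npm can be turned into a repeatable check. The script below is an added example, not code from PR #2683 or from the project; it assumes a lockfileVersion 2 or 3 package-lock.json (whose `packages` map is keyed by `node_modules/...` paths), takes the package names and minimum versions from the table above, and audits a constructed sample lockfile rather than the real one.

```javascript
// Added example (not from PR #2683): audit a package-lock.json "packages" map
// (lockfileVersion 2/3) against the minimum patched versions that the PR's
// npm "overrides" are meant to force, and flag copies that an override cannot
// reach, such as anything nested under npm's own bundled node_modules.
// Runs on Node 18+ with no third-party dependencies.

// Minimum versions taken from the PR's table.
const MIN_VERSIONS = {
  lodash: "4.18.0",
  picomatch: "4.0.4",
  tmp: "0.2.4",
  "serialize-javascript": "7.0.5",
};

// Build a package.json "overrides" block from the minimum table. The exact
// contents of the PR's package.json are not shown, so this shape is assumed.
function buildOverrides(mins) {
  const out = {};
  for (const [name, min] of Object.entries(mins)) out[name] = `>=${min}`;
  return out;
}

// Constructed lockfile fragment (not the project's real lockfile) mirroring
// the end state the PR reports: patched copies at the top level plus the
// picomatch@4.0.3 that npm itself bundles.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-sdk", version: "0.0.0" },
    "node_modules/lodash": { version: "4.18.1", dev: true },
    "node_modules/picomatch": { version: "4.0.4", dev: true },
    "node_modules/tmp": { version: "0.2.5", dev: true },
    "node_modules/serialize-javascript": { version: "7.0.5", dev: true },
    "node_modules/npm/node_modules/tinyglobby/node_modules/picomatch": { version: "4.0.3", dev: true },
  },
};

// Compare two semver strings by major.minor.patch, ignoring prerelease/build.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment;
// this keeps scoped names like "@rollup/plugin-terser" intact.
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// npm overrides apply to the project's own dependency tree, not to the copy
// of npm living under node_modules/npm, so anything below it is out of reach.
function isOverridable(lockPath) {
  return !lockPath.startsWith("node_modules/npm/");
}

// Return every installed copy of a tracked package that is below its minimum.
function auditLock(lock, mins) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry
    const name = packageNameFromLockPath(lockPath);
    if (!(name in mins) || !meta.version) continue;
    if (compareVersions(meta.version, mins[name]) < 0) {
      findings.push({
        name,
        path: lockPath,
        installed: meta.version,
        required: mins[name],
        dev: Boolean(meta.dev),
        overridable: isOverridable(lockPath),
      });
    }
  }
  return findings;
}

// Stand-alone usage: `node audit-lock.js [path/to/package-lock.json]`;
// with no argument it audits the constructed sample above.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  console.log("overrides:", JSON.stringify(buildOverrides(MIN_VERSIONS), null, 2));
  for (const f of auditLock(lock, MIN_VERSIONS)) {
    const note = f.overridable ? "add or raise an override" : "not overridable (bundled with npm)";
    console.log(`${f.path}: ${f.installed} < ${f.required} [${note}]`);
  }
}
```

Run against the sample, the only finding is the picomatch@4.0.3 under node_modules/npm, reported as not overridable; this is the residual npm audit alert the PR description says will persist. Pointing the script at the real package-lock.json after `npm install` gives the same per-copy view that `npm ls <pkg>` gives, but in a form a CI job can fail on, and the `dev` flag lets a policy treat dev-only copies differently from anything that would ship to consumers.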

Resolves Dependabot alert #197 (CVE-2026-34043 / GHSA-qj8w-gfj5-8c6v).
Upgrades serialize-javascript transitive dep from 6.0.2 to 7.0.5 which
patches a CPU exhaustion DoS via crafted array-like objects.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
bito-code-review Bot commented May 5, 2026

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at michael.pearce@contentful.com.

…ilities

Resolves Dependabot alerts #187, #188, #193, #194, #125:
- lodash >=4.18.0: fixes CVE-2026-4800 (code injection via _.template imports)
  and CVE-2026-2950 (prototype pollution via _.unset/_.omit array path bypass)
- picomatch >=4.0.4: fixes CVE-2026-33672 (method injection in POSIX character classes)
- tmp >=0.2.4: fixes CVE-2025-54798 (symlink bypass for arbitrary temp file write)

All are transitive dev-only deps addressed via npm overrides since the
direct parents (contentful-sdk-core, inquirer, external-editor) pin older
ranges.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ethan-ozelius-contentful ethan ozelius (ethan-ozelius-contentful) changed the title build(deps-dev): bump @rollup/plugin-terser from 0.4.4 to 1.0.0 build(deps): fix security vulnerabilities via dependency upgrades and overrides May 5, 2026