chore(deps): fix security vulnerabilities in edge dependencies#13054
Conversation
Pleasurecruise
commented
Feb 25, 2026
- fast-xml-parser: ^5.2.0 → ^5.3.5 (critical, entity encoding bypass)
- tar: ^7.4.3 → ^7.5.9 (high, path traversal via hardlink)
- diff: ^8.0.2 → ^8.0.3 (low, ReDoS in parsePatch/applyPatch)
- markdown-it: ^14.1.0 → ^14.1.1 (moderate, ReDoS)
- add pnpm overrides for [email protected] and [email protected] to patch transitive deps
Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Pull request overview
This PR updates several dependencies to address security vulnerabilities in the edge build, including critical, high, moderate, and low severity issues. The changes upgrade fast-xml-parser, tar, diff, and markdown-it to their latest secure versions, and add pnpm overrides to ensure transitive dependencies are also patched.
Changes:
- Updated fast-xml-parser to address a critical entity encoding bypass vulnerability
- Updated tar to fix a high-severity path traversal vulnerability via hardlink
- Updated diff and markdown-it to resolve ReDoS vulnerabilities
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updated dependency version specifiers for fast-xml-parser, tar, diff, and markdown-it; added pnpm overrides for tar and fast-xml-parser |
| pnpm-lock.yaml | Updated lock file with new dependency versions, removed deprecated/vulnerable versions, and updated transitive dependencies |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
This CI failure is not caused by this PR. The prepare script runs prek install, which attempts to download a binary from GitHub Releases at install time. This has always been a latent issue in the CI setup — it only surfaced here because updating the dependency versions changed pnpm-lock.yaml, which invalidated the pnpm cache and forced a full pnpm install (including the prepare lifecycle script) instead of restoring from cache. Previous CI runs were unaffected simply because the lockfile hadn't changed and the cached node_modules was reused. The root fix would be to make the prepare script skip prek install when CI=true.
EurFelux
left a comment
I was also looking at these security issues. However, the solution is not as simple as upgrading specific dependencies. Using overrides carries risks. For example, the currently depended webdav 5.8.0 indirectly relies on fast-xml-parser 4.5.3, where there is a major version gap. Directly overriding may lead to runtime errors; further investigation is needed to determine if it is safe to override.
It is recommended to use pnpm why to recheck. Additionally, please follow the PR template.
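The major-version gap the reviewer describes (webdav 5.8.0 wanting fast-xml-parser 4.x while the override forces 5.x) can be caught mechanically before the override is merged. The script below is an added example, not code from this PR or project: it takes the override versions from the PR description as an assumption and a constructed list of dependent edges of the kind `pnpm why <pkg>` surfaces, and flags every override whose major version differs from what the dependent actually declares.

```javascript
// Added example (not from the PR): flag pnpm overrides that force a different
// major version than a dependent package declares, which is the runtime-breakage
// risk raised in the review above.

// Assumed override targets, taken from the version bumps in the PR description.
const overrides = {
  "fast-xml-parser": "5.3.5",
  "tar": "7.5.9",
};

// Constructed dependent edges, shaped like what `pnpm why <pkg>` reports:
// [dependent, dependent version, dependency, range the dependent declares].
// The webdav -> fast-xml-parser edge is the one named in the review; the
// tar edge is a constructed sample of an override that stays within one major.
const edges = [
  ["webdav", "5.8.0", "fast-xml-parser", "^4.5.3"],
  ["example-cli", "1.0.0", "tar", "^7.4.3"],
];

// Major version of the lowest version a range admits. Handles the common
// prefixes (^, ~, =, v, >=) and "4.x" wildcards; anything else (e.g. "*",
// ">4.0.0", "latest") returns null so it is reported as unknown, not safe.
function majorOf(range) {
  const m = /^\s*(?:[\^~=v]|>=)?\s*(\d+)(?:\.(?:\d+|x|\*))?/.exec(range);
  return m ? Number(m[1]) : null;
}

// Returns one finding per edge whose declared major differs from the override's
// major, or whose range could not be parsed.
function auditOverrides(overrides, edges) {
  const findings = [];
  for (const [dependent, depVersion, dep, declared] of edges) {
    if (!(dep in overrides)) continue;
    const want = majorOf(declared);
    const forced = majorOf(overrides[dep]);
    if (want !== null && forced !== null && want === forced) continue;
    findings.push({ dependent: `${dependent}@${depVersion}`, dep, declared, forced: overrides[dep] });
  }
  return findings;
}

for (const f of auditOverrides(overrides, edges)) {
  console.log(`${f.dependent} declares ${f.dep}@${f.declared} but the override forces ${f.forced}: test at runtime before merging`);
}
```

A finding is a prompt to run the dependent's code path against the overridden version, not proof of breakage; conversely, a same-major result only says semver promises compatibility.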
I rechecked the dependency graph with
These follow-up updates are included in commit
conflict
I have removed the overrides for The patch for
The issue with fast-xml-parser still persists… Either we need to add overrides, or modify @ here