From 00e7e4fbf5a6fc41b88631fd34e98e48eeb9fc6a Mon Sep 17 00:00:00 2001
From: Pawel Zelawski
Date: Sun, 1 Mar 2026 13:41:23 +0100
Subject: Fix multiple security vulnerabilities (March 2026)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security Updates:
- digiid-ts: 2.0.1-beta.2 → 2.0.2 (fixes internal dependency vulnerability)
- rollup: 4.58.0 → 4.59.0 (fixes arbitrary file write via path traversal - GHSA-mw96-cpmx-2vgc)
- qs: 6.14.1 → 6.14.2 (fixes arrayLimit bypass in comma parsing DoS - GHSA-w7fw-mjwx-w883)
- express: 4.21.2 → 4.22.1 (updated with qs dependency)
- minimatch: multiple updates (fixes ReDoS vulnerabilities)
- ajv: updated to 6.14.0+ (fixes ReDoS with $data option)

Impact:
- Rollup: Prevented arbitrary file write through path traversal sequences
- qs: Fixed denial-of-service via comma-separated array limit bypass
- digiid-ts: Resolved vulnerability in @noble/curves dependency

Result: 0 vulnerabilities (npm audit clean)
---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'package.json')

diff --git a/package.json b/package.json
index 643ee41..d3b1213 100644
--- a/package.json
+++ b/package.json
@@ -48,11 +48,11 @@
 "vite": "^6.2.6"
 },
 "dependencies": {
- "digiid-ts": "^2.0.1-beta.2",
+ "digiid-ts": "^2.0.2",
 "dotenv": "^16.4.5",
 "express": "^4.19.2",
 "qrcode": "^1.5.3",
 "react": "^18.3.1",
 "react-dom": "^18.3.1"
 }
-}
+}
\ No newline at end of file
--
cgit v1.2.3
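Review bot: The `express` range in `dependencies` is still `^4.19.2`, so the manifest itself keeps accepting the 4.21.2 release that the commit message lists as the pre-fix version; only `digiid-ts` gets a new floor here. The express, qs, rollup, minimatch and ajv upgrades are presumably carried by the lockfile alone, which this view (limited to package.json) does not show, so an install that ignores or regenerates the lockfile is not guaranteed the patched set. Raising the floor to `"express": "^4.22.1"` would make the fix a manifest requirement, and transitive packages such as qs can be pinned with an `overrides` entry if they must not regress. The final line also drops the trailing newline (`\ No newline at end of file`); restoring it avoids a spurious change the next time a tool rewrites the file.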