authorPawel Zelawski <pawel@pzelawski.com>2026-05-15 18:55:55 +0200
committerPawel Zelawski <pawel@pzelawski.com>2026-05-15 18:55:55 +0200
commit3f3521cf5dad43dc537e6a56e469ccf73ae41927 (patch)
treed877f8cb6927e221f32fb21634c32a9dc0cf131e
parentc333c7daecb0bb6a026d26844dbf57c2665051d7 (diff)
chore: patch fast-uri security vulnerabilitiesHEADv2.0.4main
-rw-r--r--CHANGELOG.md13
-rw-r--r--package-lock.json10
-rw-r--r--package.json7
3 files changed, 20 insertions, 10 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed0c495..6b65e67 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.0.4] - 2026-05-15
+### Security
+- Pinned transitive `fast-uri` to `^3.1.2` via `overrides` to address:
+ - Path traversal via percent-encoded dot segments (`GHSA-q3j6-qgpj-74h6`, `CVE-2026-6321`).
+ - Host confusion via percent-encoded authority delimiters (`GHSA-v39h-62p7-jpjc`, `CVE-2026-6322`).
+
## [2.0.3] - 2026-04-18
### Security
- Upgraded `vite` dev dependency to `^6.4.2` to address two CVEs:
@@ -35,6 +41,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Unit tests.
- Usage examples.
-[Unreleased]: https://github.com/pawelzelawski/digiid-ts/compare/v1.0.1...HEAD
+[Unreleased]: https://github.com/pawelzelawski/digiid-ts/compare/v2.0.4...HEAD
+[2.0.4]: https://github.com/pawelzelawski/digiid-ts/compare/v2.0.3...v2.0.4
+[2.0.3]: https://github.com/pawelzelawski/digiid-ts/compare/v1.1.0...v2.0.3
+[1.1.0]: https://github.com/pawelzelawski/digiid-ts/compare/v1.0.1...v1.1.0
[1.0.1]: https://github.com/pawelzelawski/digiid-ts/compare/v1.0.0...v1.0.1
-[1.0.0]: https://github.com/pawelzelawski/digiid-ts/releases/tag/v1.0.0 \ No newline at end of file
+[1.0.0]: https://github.com/pawelzelawski/digiid-ts/releases/tag/v1.0.0
diff --git a/package-lock.json b/package-lock.json
index 3e5adac..d50c1b0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
{
"name": "digiid-ts",
- "version": "2.0.3",
+ "version": "2.0.4",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "digiid-ts",
- "version": "2.0.3",
+ "version": "2.0.4",
"license": "MIT",
"dependencies": {
"@noble/curves": "^2.0.1",
@@ -2839,9 +2839,9 @@
"license": "MIT"
},
"node_modules/fast-uri": {
- "version": "3.1.0",
- "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
- "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz",
+ "integrity": "sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==",
"dev": true,
"funding": [
{
diff --git a/package.json b/package.json
index dfa72af..8a1d1f5 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "digiid-ts",
- "version": "2.0.3",
+ "version": "2.0.4",
"description": "A modern TypeScript implementation of the DigiID authentication protocol.",
"main": "dist/digiid-ts.umd.js",
"module": "dist/digiid-ts.es.js",
@@ -81,6 +81,7 @@
"minimatch": "^10.2.3",
"lodash": "^4.18.0",
"flatted": "^3.4.2",
- "picomatch": "^4.0.4"
+ "picomatch": "^4.0.4",
+ "fast-uri": "^3.1.2"
}
-} \ No newline at end of file
+}
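Review bot: The new `"fast-uri": "^3.1.2"` entry pins a package that the package-lock.json hunk records with `"dev": true`, so the fix appears to reach only the development toolchain rather than anything shipped to consumers of `digiid-ts`; the object enclosing this hunk starts before the `@@ -81,6 +81,7 @@` header, so its key (presumably `overrides`, as the CHANGELOG entry says) is not visible here. It would help downstream readers to state that scope in the 2.0.4 changelog line, e.g. `Pinned dev-only transitive fast-uri to ^3.1.2 via overrides to address:`, so nobody infers a runtime exposure that the lockfile does not show. An unqualified override key applies to every nested copy of `fast-uri`, which is fine as long as no dependent declares a range incompatible with `^3.1.2`; a clean `npm install` that leaves a single resolved `node_modules/fast-uri` entry would confirm that.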