| author | Pawel Zelawski <pawel@pzelawski.com> | 2026-04-18 17:03:41 +0200 |
|---|---|---|
| committer | Pawel Zelawski <pawel@pzelawski.com> | 2026-04-18 17:03:41 +0200 |
| commit | c333c7daecb0bb6a026d26844dbf57c2665051d7 (patch) | |
| tree | 9f0270fa23b0fb541340cc0d8481568d9a959db9 | |
| parent | 49f83b48196fbc260979f4a808328a34992b12c5 (diff) | |
| -rw-r--r-- | CHANGELOG.md | 11 | ||||
| -rw-r--r-- | package-lock.json | 36 | ||||
| -rw-r--r-- | package.json | 11 |
3 files changed, 36 insertions, 22 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9d6fa3..ed0c495 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.3] - 2026-04-18
+### Security
+- Upgraded `vite` dev dependency to `^6.4.2` to address two CVEs:
+ - Arbitrary file read via Vite dev server WebSocket (`fetchModule` bypass of `server.fs` checks).
+ - Path traversal in optimized deps `.map` handling.
+- Added/updated `overrides` for transitive dependencies to address additional CVEs:
+ - `lodash` pinned to `^4.18.0`: code injection via `_.template` imports key names and prototype pollution via array path bypass in `_.unset`/`_.omit`.
+ - `brace-expansion` pinned to `^2.0.3`: zero-step sequence causes process hang and memory exhaustion.
+ - `flatted` pinned to `^3.4.2`: unbounded recursion DoS and prototype pollution in `parse()`.
+ - `picomatch` pinned to `^4.0.4`: method injection via POSIX character classes and ReDoS via extglob quantifiers.
+
 ## [1.1.0] - YYYY-MM-DD
 ### Fixed
 - Corrected signature verification for DigiByte Bech32 addresses (starting with `dgb1...`). Signatures from these addresses were previously unverifiable due to issues in the underlying `digibyte-message` dependency.
diff --git a/package-lock.json b/package-lock.json
index b3b65de..3e5adac 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "digiid-ts",
- "version": "2.0.1",
+ "version": "2.0.3",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "digiid-ts",
- "version": "2.0.1",
+ "version": "2.0.3",
 "license": "MIT",
 "dependencies": {
 "@noble/curves": "^2.0.1",
@@ -22,7 +22,7 @@
 "prettier": "^3.8.1",
 "ts-node": "^10.9.2",
 "typescript": "^5.9.3",
- "vite": "^6.4.1",
+ "vite": "^6.4.2",
 "vite-plugin-dts": "^4.5.4",
 "vitest": "^3.2.4"
 },
@@ -2328,9 +2328,9 @@
 "license": "MIT"
 },
 "node_modules/brace-expansion": {
- "version": "2.0.2",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
- "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+ "version": "2.1.0",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+ "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
@@ -2900,9 +2900,9 @@
 }
 },
 "node_modules/flatted": {
- "version": "3.3.3",
- "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
- "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+ "version": "3.4.2",
+ "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+ "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
 "dev": true,
 "license": "ISC"
 },
@@ -3357,9 +3357,9 @@
 }
 },
 "node_modules/lodash": {
- "version": "4.17.23",
- "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
- "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
+ "version": "4.18.1",
+ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+ "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
 "dev": true,
 "license": "MIT"
 },
@@ -3673,9 +3673,9 @@
 "license": "ISC"
 },
 "node_modules/picomatch": {
- "version": "4.0.3",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
- "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+ "version": "4.0.4",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+ "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 "dev": true,
 "license": "MIT",
 "engines": {
@@ -4348,9 +4348,9 @@
 "license": "MIT"
 },
 "node_modules/vite": {
- "version": "6.4.1",
- "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
- "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
+ "version": "6.4.2",
+ "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
+ "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
diff --git a/package.json b/package.json
index 83f3f5a..dfa72af 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "digiid-ts",
- "version": "2.0.2",
+ "version": "2.0.3",
 "description": "A modern TypeScript implementation of the DigiID authentication protocol.",
 "main": "dist/digiid-ts.umd.js",
 "module": "dist/digiid-ts.es.js",
@@ -66,7 +66,7 @@
 "prettier": "^3.8.1",
 "ts-node": "^10.9.2",
 "typescript": "^5.9.3",
- "vite": "^6.4.1",
+ "vite": "^6.4.2",
 "vite-plugin-dts": "^4.5.4",
 "vitest": "^3.2.4"
 },
@@ -76,8 +76,11 @@
 },
 "overrides": {
 "glob": "^10.5.0",
- "brace-expansion": "^2.0.2",
+ "brace-expansion": "^2.0.3",
 "rollup": "^4.59.0",
- "minimatch": "^10.2.3"
+ "minimatch": "^10.2.3",
+ "lodash": "^4.18.0",
+ "flatted": "^3.4.2",
+ "picomatch": "^4.0.4"
 }
 }
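Review bot: The three new `overrides` entries (`lodash`, `flatted`, `picomatch`) and the raised `brace-expansion` floor in the `@@ -76,8 +76,11 @@` hunk carry no record of which advisory each addresses or when the pin can be retired, and package.json cannot hold comments, so that rationale lives only in CHANGELOG.md; a CI step running `npm ls lodash flatted picomatch brace-expansion` against the expected floors (the lock in this commit resolves 4.18.1, 3.4.2, 4.0.4 and 2.1.0) would keep them from regressing silently when a parent package is bumped. Every overridden package is marked `"dev": true` in the lockfile and is reached through devDependencies (vite, vitest and their transitive deps), so these pins harden the build and test environment only and are not inherited by projects that install digiid-ts — worth stating in the 2.0.3 changelog entry so consumers do not read it as a fix to the published library. Note also that `overrides` is honoured by npm only; contributors installing with yarn (`resolutions`) or pnpm (`pnpm.overrides`) get none of these floors unless the equivalent fields are added.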
\ No newline at end of file |
