Diffstat (limited to 'CHANGELOG.md')
| -rw-r--r-- | CHANGELOG.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index c9d6fa3..ed0c495 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [2.0.3] - 2026-04-18 +### Security +- Upgraded `vite` dev dependency to `^6.4.2` to address two CVEs: + - Arbitrary file read via Vite dev server WebSocket (`fetchModule` bypass of `server.fs` checks). + - Path traversal in optimized deps `.map` handling. +- Added/updated `overrides` for transitive dependencies to address additional CVEs: + - `lodash` pinned to `^4.18.0`: code injection via `_.template` imports key names and prototype pollution via array path bypass in `_.unset`/`_.omit`. + - `brace-expansion` pinned to `^2.0.3`: zero-step sequence causes process hang and memory exhaustion. + - `flatted` pinned to `^3.4.2`: unbounded recursion DoS and prototype pollution in `parse()`. + - `picomatch` pinned to `^4.0.4`: method injection via POSIX character classes and ReDoS via extglob quantifiers. + ## [1.1.0] - YYYY-MM-DD ### Fixed - Corrected signature verification for DigiByte Bech32 addresses (starting with `dgb1...`). Signatures from these addresses were previously unverifiable due to issues in the underlying `digibyte-message` dependency. |
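Review bot: The new `## [2.0.3]` Security section describes the fixed issues ("two CVEs" for `vite`, "additional CVEs" for the overrides) but gives no CVE identifiers or advisory links, so consumers cannot match this entry against their scanner output; add the IDs or GHSA links next to each bullet. Two wording points in the same section: the overrides use caret ranges (`^4.18.0`, `^2.0.3`, `^3.4.2`, `^4.0.4`), which set a floor rather than a pin, so "pinned to" should read "set to at least" or similar, and the `lodash` bullet reads "code injection via `_.template` imports key names", which is missing a word or punctuation between "imports" and "key names". Unrelated to this hunk but visible in its context, the `## [1.1.0] - YYYY-MM-DD` heading still carries a placeholder date.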
