From 27e85008865074ac59d2f8e65e3290b6462f0805 Mon Sep 17 00:00:00 2001 From: Jasper Frumau Date: Mon, 6 Jul 2026 10:12:01 +0700 Subject: [PATCH 1/3] Bump version to 4.6.4 for js-yaml security fix js-yaml build dependency updated from 4.1.1 to 4.3.0 to address a denial-of-service vulnerability (GHSA-h67p-54hq-rp68). No runtime theme changes. --- CHANGELOG.md | 12 ++++++++++++ readme.txt | 6 +++++- style.css | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9c20b1..1df6c33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [4.6.4] - 2026-07-06 + +### Security +**js-yaml Dependency Update:** +- Bumped `js-yaml` from 4.1.1 to 4.3.0 to address a denial-of-service (DoS) vulnerability (GHSA-h67p-54hq-rp68) +- Update applied via `package-lock.json` build dependency; no runtime theme behavior changes + +### Technical +**Build Tooling:** +- Updated transitive build dependency `js-yaml` to the patched 4.3.0 release +- No changes to theme templates, patterns, or user-facing functionality + ## [4.6.3] - 2026-06-22 ### Changed diff --git a/readme.txt b/readme.txt index 55aa90c..1c538d5 100644 --- a/readme.txt +++ b/readme.txt @@ -4,7 +4,7 @@ Tags: block-patterns, block-styles, blog, custom-colors, custom-logo, custom-men Requires at least: 6.6 Tested up to: 7.0 Requires PHP: 8.0 -Stable tag: 4.6.3 +Stable tag: 4.6.4 License: GNU General Public License v3.0 (or later) License URI: https://www.gnu.org/licenses/gpl-3.0.html @@ -174,6 +174,10 @@ Elayne includes custom image sizes optimized for different layouts: == Changelog == += 4.6.4 - 07/06/26 = +* SECURITY: Bumped js-yaml build dependency from 4.1.1 to 4.3.0 to fix DoS vulnerability (GHSA-h67p-54hq-rp68). +* TECHNICAL: Updated transitive build dependency only - no user-facing or runtime theme changes. + = 4.6.3 - 06/22/26 = * CHANGED: Migrated Mistral Vibe development instructions from .vibe/prompts/vibe.md to AGENTS.md for standardized AI agent guidance. * CHANGED: Updated .vibe/config.toml to use default CLI system prompt instead of custom vibe prompt. diff --git a/style.css b/style.css index 87addb2..6054911 100644 --- a/style.css +++ b/style.css @@ -7,7 +7,7 @@ Description: Elayne is a premium full-site-editing block theme for professional Requires at least: 6.6 Tested up to: 7.0 Requires PHP: 8.0 -Version: 4.6.3 +Version: 4.6.4 License: GNU General Public License v3 or later License URI: https://www.gnu.org/licenses/gpl-3.0.html Text Domain: elayne From 2bcf87eb967cc9f024e0672ecadac4a8905a1446 Mon Sep 17 00:00:00 2001 From: Jasper Frumau Date: Mon, 6 Jul 2026 10:12:11 +0700 Subject: [PATCH 2/3] Remove machine-specific session_logging config from .vibe/config.toml The save_dir path pointed to a local user home directory that doesn't apply generally to the repo. --- .vibe/config.toml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.vibe/config.toml b/.vibe/config.toml index 9d9440d..2410450 100644 --- a/.vibe/config.toml +++ b/.vibe/config.toml @@ -77,11 +77,6 @@ max_files = 1000 max_dirs_per_level = 20 timeout_seconds = 2.0 -[session_logging] -save_dir = "/Users/jasperfrumau/.vibe/logs/session" -session_prefix = "session" -enabled = true - [tools.bash] permission = "ask" allowlist = [ From ff1cc476cc0729650efe452108a70295c71e4a73 Mon Sep 17 00:00:00 2001 From: Jasper Frumau Date: Mon, 6 Jul 2026 10:16:21 +0700 Subject: [PATCH 3/3] Re-add package-lock.json with js-yaml 4.3.0 security fix Tracks the patched js-yaml version (GHSA-h67p-54hq-rp68) in git for reproducible installs, consistent with other Imagewize themes. Still excluded from the WP.org distribution zip via .distignore. --- package-lock.json | 139 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 package-lock.json diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000..1242457 --- /dev/null +++ b/package-lock.json @@ -0,0 +1,139 @@ +{ + "name": "elayne", + "version": "4.0.2", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "elayne", + "version": "4.0.2", + "license": "GPL-2.0-or-later", + "dependencies": { + "@imwz/wp-pattern-sentinel": "^1.0.2" + } + }, + "node_modules/@imwz/wp-pattern-sentinel": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/@imwz/wp-pattern-sentinel/-/wp-pattern-sentinel-1.0.2.tgz", + "integrity": "sha512-5VDnEVUOx2Rjbc6/Jv8OmJfgqh1bSX4gx29P0CcoZM5haPvIF01vEOXfkeQICVkizckF09P0eN4XedioM1ksrQ==", + "license": "MIT", + "dependencies": { + "js-yaml": "^4.1.0", + "p-queue": "^8.0.1", + "playwright": "^1.44.0" + }, + "bin": { + "sentinel": "bin/sentinel.js" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/argparse": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", + "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", + "license": "Python-2.0" + }, + "node_modules/eventemitter3": { + "version": "5.0.4", + "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-5.0.4.tgz", + "integrity": "sha512-mlsTRyGaPBjPedk6Bvw+aqbsXDtoAyAzm5MO7JgU+yVRyMQ5O8bD4Kcci7BS85f93veegeCPkL8R4GLClnjLFw==", + "license": "MIT" + }, + "node_modules/fsevents": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", + "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/js-yaml": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.3.0.tgz", + "integrity": "sha512-1td788aAnnZ5qs7V2QIRl1owjtYpbKt749Y3xauqQgwIIGF/xXWz1wMTEBx5O3LK3lXLVuqXPdPxj2BoFHaW9Q==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], + "license": "MIT", + "dependencies": { + "argparse": "^2.0.1" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/p-queue": { + "version": "8.1.1", + "resolved": "https://registry.npmjs.org/p-queue/-/p-queue-8.1.1.tgz", + "integrity": "sha512-aNZ+VfjobsWryoiPnEApGGmf5WmNsCo9xu8dfaYamG5qaLP7ClhLN6NgsFe6SwJ2UbLEBK5dv9x8Mn5+RVhMWQ==", + "license": "MIT", + "dependencies": { + "eventemitter3": "^5.0.1", + "p-timeout": "^6.1.2" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/p-timeout": { + "version": "6.1.4", + "resolved": "https://registry.npmjs.org/p-timeout/-/p-timeout-6.1.4.tgz", + "integrity": "sha512-MyIV3ZA/PmyBN/ud8vV9XzwTrNtR4jFrObymZYnZqMmW0zA8Z17vnT0rBgFE/TlohB+YCHqXMgZzb3Csp49vqg==", + "license": "MIT", + "engines": { + "node": ">=14.16" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/playwright": { + "version": "1.60.0", + "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.60.0.tgz", + "integrity": "sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==", + "license": "Apache-2.0", + "dependencies": { + "playwright-core": "1.60.0" + }, + "bin": { + "playwright": "cli.js" + }, + "engines": { + "node": ">=18" + }, + "optionalDependencies": { + "fsevents": "2.3.2" + } + }, + "node_modules/playwright-core": { + "version": "1.60.0", + "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.60.0.tgz", + "integrity": "sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==", + "license": "Apache-2.0", + "bin": { + "playwright-core": "cli.js" + }, + "engines": { + "node": ">=18" + } + } + } +}