From b4427a1aae3db18aea8ab628b99e7e77c56d0664 Mon Sep 17 00:00:00 2001 From: Jefferson Ramos Date: Thu, 2 Jul 2026 16:06:38 -0300 Subject: [PATCH] OCPBUGS-94055: Fix CVE-2026-13676 fast-uri Unicode hostname canonicalization bypass Bump fast-uri from 3.1.2 to 3.1.3 via yarn resolutions to fix a security policy bypass where Unicode (IDN) hostnames are not properly canonicalized, allowing host-based policy enforcement to be bypassed. Version 3.1.3 adds proper IDN conversion for HTTP-family URLs. Co-Authored-By: Claude Opus 4.6 --- frontend/package.json | 2 +- frontend/yarn.lock | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/frontend/package.json b/frontend/package.json index 97d4e5f9f7b..404a760f709 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -336,7 +336,7 @@ "minimatch@^10.1.2": "^10.2.1", "shell-quote": "1.8.4", "protobufjs": "7.5.8", - "fast-uri": "3.1.2" + "fast-uri": "3.1.3" }, "lint-staged": { "*.{js,jsx,ts,tsx,json,gql,graphql}": "eslint --color --fix" diff --git a/frontend/yarn.lock b/frontend/yarn.lock index b3b2f469739..3d427059656 100644 --- a/frontend/yarn.lock +++ b/frontend/yarn.lock @@ -12124,10 +12124,10 @@ __metadata: languageName: node linkType: hard -"fast-uri@npm:3.1.2": - version: 3.1.2 - resolution: "fast-uri@npm:3.1.2" - checksum: 10c0/5b35641895959f3f7ab7a7b1b5542bded159346f25ec9f256817b206d50b64eda5828e90d605a2e2fc645c90519a7259c2bab2c942ee728c88b88e5be21b090d +"fast-uri@npm:3.1.3": + version: 3.1.3 + resolution: "fast-uri@npm:3.1.3" + checksum: 10c0/0ce405815546770ad7e730b8f8fd58db80cefe4533ee99ee1a3263f11d2ccc3b8a0cf10d6cd9ba590e9746eb43b60f2ef2631d0c379a9ebba063ce0d4076b109 languageName: node linkType: hard