Skip to content

fix: bump form-data, protobufjs, and dompurify to remediate Vanta CVEs#435

Merged
yashkrishan merged 3 commits into
mainfrom
fix/Vanta-Vulnerabilities
Jul 7, 2026
Merged

fix: bump form-data, protobufjs, and dompurify to remediate Vanta CVEs#435
yashkrishan merged 3 commits into
mainfrom
fix/Vanta-Vulnerabilities

Conversation

@shmbhvi101

@shmbhvi101 shmbhvi101 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Remediates Vanta-flagged dependency vulnerabilities by bumping three packages to patched versions:

• form-data 4.0.5 → 4.0.6 — fixes CVE-2026-12143 (>=4.0.0, <4.0.6)
• protobufjs 7.5.8 → 7.6.4 — fixes CVE-2026-48712 (<=7.6.0) and CVE-2026-54269 (<=7.6.2)
• dompurify 3.4.2 → 3.4.11 — fixes CVE-2026-49458, CVE-2026-49459, CVE-2026-49978, GHSA-76mc-f452-cxcm,
GHSA-cmwh-pvxp-8882, GHSA-gvmj-g25r-r7wr, GHSA-vxr8-fq34-vvx9, and GHSA-x4vx-rjvf-j5p4

form-data and protobufjs are transitive dependencies (via axios, firebase, etc.) and are pinned via pnpm
overrides. dompurify is updated as both a direct dependency and an override so all consumers (including mermaid)
resolve to the patched version.

Summary by CodeRabbit

  • Chores
    • Updated several third-party packages to newer versions, including security-related and data-handling libraries.
    • These updates may improve stability and compatibility without changing user-facing behavior.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 342a655d-267f-4f76-9471-ce6e6bb49126

📥 Commits

Reviewing files that changed from the base of the PR and between 9e412a3 and aff95a1.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

Walkthrough

Updates package.json to bump dompurify and adjust pnpm.overrides for protobufjs, form-data, and dompurify.

Changes

Dependency Updates

Layer / File(s) Summary
Version bumps
package.json
dompurify dependency updated from ^3.4.2 to ^3.4.11; pnpm.overrides updated for protobufjs (7.5.87.6.4), form-data (^4.0.4^4.0.6), and dompurify (^3.4.2^3.4.11).

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested reviewers: yashkrishan, ASCE-D

Poem

A bunny hops through version breeze,
dompurify gets a gentle squeeze,
protobufjs and form-data glow,
in package.json they softly grow,
hop, hop—fresh deps in tidy rows 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: bumping form-data, protobufjs, and dompurify to patched versions for vulnerability remediation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/Vanta-Vulnerabilities

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

shmbhvi101 and others added 2 commits July 6, 2026 17:38
Fixes invalid JSON that broke pnpm/action-setup in CI after merging main.

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Cloud Run service deployed: https://pr-fix-vanta-vulnerabilities-cj6r7x3fpa-uc.a.run.app

@shmbhvi101 shmbhvi101 requested a review from ASCE-D July 7, 2026 06:53
@yashkrishan yashkrishan merged commit 08729ee into main Jul 7, 2026
5 checks passed
@yashkrishan yashkrishan deleted the fix/Vanta-Vulnerabilities branch July 7, 2026 07:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants