fix: bump form-data, protobufjs, and dompurify to remediate Vanta CVEs#435
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughUpdates ChangesDependency Updates
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related PRs
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Fixes invalid JSON that broke pnpm/action-setup in CI after merging main. Co-authored-by: Cursor <cursoragent@cursor.com>
|
Cloud Run service deployed: https://pr-fix-vanta-vulnerabilities-cj6r7x3fpa-uc.a.run.app |
Summary
Remediates Vanta-flagged dependency vulnerabilities by bumping three packages to patched versions:
• form-data 4.0.5 → 4.0.6 — fixes CVE-2026-12143 (>=4.0.0, <4.0.6)
• protobufjs 7.5.8 → 7.6.4 — fixes CVE-2026-48712 (<=7.6.0) and CVE-2026-54269 (<=7.6.2)
• dompurify 3.4.2 → 3.4.11 — fixes CVE-2026-49458, CVE-2026-49459, CVE-2026-49978, GHSA-76mc-f452-cxcm,
GHSA-cmwh-pvxp-8882, GHSA-gvmj-g25r-r7wr, GHSA-vxr8-fq34-vvx9, and GHSA-x4vx-rjvf-j5p4
form-data and protobufjs are transitive dependencies (via axios, firebase, etc.) and are pinned via pnpm
overrides. dompurify is updated as both a direct dependency and an override so all consumers (including mermaid)
resolve to the patched version.
Summary by CodeRabbit