[PR #260] [MERGED] fix: patch 6 security alerts (critical + high severity) #306

Closed
opened 2026-06-05 17:22:36 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/langchain-ai/deepagentsjs/pull/260
Author: @jkennedyvz
Created: 2/28/2026
Status: Merged
Merged: 2/28/2026
Merged by: @jkennedyvz

Base: mainHead: fix/security-alerts-2026-02-28


📝 Commits (1)

  • cb95cd5 fix: patch 6 security alerts (critical + high severity)

📊 Changes

2 files changed (+120 additions, -116 deletions)

View changed files

📝 package.json (+4 -2)
📝 pnpm-lock.yaml (+116 -114)

📄 Description

Security Alert Patch

Resolves 6 Dependabot security alerts in the critical + high severity tier.

Packages Updated

Package Old Version New Version Strategy CVEs Resolved
fast-xml-parser 5.3.4 5.3.6 C (pnpm.overrides) CVE-2026-25896 (critical), CVE-2026-26278 (high)
rollup 4.57.1 4.59.0 C (pnpm.overrides) CVE-2026-27606 (high)
minimatch (v3) 3.1.2 3.1.4 C (pnpm.overrides) CVE-2026-26996, CVE-2026-27903, CVE-2026-27904 (all high)

CVE Details

  • CVE-2026-25896 — fast-xml-parser: entity encoding bypass via regex injection in DOCTYPE entity names (critical)
  • CVE-2026-26278 — fast-xml-parser: DoS through entity expansion in DOCTYPE (high)
  • CVE-2026-27606 — rollup 4: arbitrary file write via path traversal (high)
  • CVE-2026-26996 — minimatch: ReDoS via repeated wildcards (high)
  • CVE-2026-27903 — minimatch: ReDoS in matchOne() (high)
  • CVE-2026-27904 — minimatch: ReDoS via nested extglobs (high)

Fix strategy

All three packages are transitive dependencies, so direct bumps aren't possible. Used pnpm.overrides to force vulnerable version ranges to patched versions. This also fixes a broken override from PR #257 that incorrectly pinned minimatch@<3.1.3 to 3.1.2 (the vulnerable version) instead of the patched version.

Skipped alerts

  • CVE-2026-27942 (fast-xml-parser < 5.3.8, low severity) — low tier, will address separately
  • CVE-2025-69873 (ajv < 6.14.0, medium severity) — medium tier, will address separately

Verification

  • All lockfiles regenerated
  • Linters pass
  • Formatters pass
  • Build passes
  • Type tests pass (493 passed, no type errors)

🤖 Submitted by langster-patch


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/langchain-ai/deepagentsjs/pull/260 **Author:** [@jkennedyvz](https://github.com/jkennedyvz) **Created:** 2/28/2026 **Status:** ✅ Merged **Merged:** 2/28/2026 **Merged by:** [@jkennedyvz](https://github.com/jkennedyvz) **Base:** `main` ← **Head:** `fix/security-alerts-2026-02-28` --- ### 📝 Commits (1) - [`cb95cd5`](https://github.com/langchain-ai/deepagentsjs/commit/cb95cd5cd191a2eac3126b40ccc0c8e06c00d578) fix: patch 6 security alerts (critical + high severity) ### 📊 Changes **2 files changed** (+120 additions, -116 deletions) <details> <summary>View changed files</summary> 📝 `package.json` (+4 -2) 📝 `pnpm-lock.yaml` (+116 -114) </details> ### 📄 Description ## Security Alert Patch Resolves 6 Dependabot security alerts in the critical + high severity tier. ### Packages Updated | Package | Old Version | New Version | Strategy | CVEs Resolved | |---------|------------|-------------|----------|---------------| | `fast-xml-parser` | 5.3.4 | 5.3.6 | C (pnpm.overrides) | CVE-2026-25896 (critical), CVE-2026-26278 (high) | | `rollup` | 4.57.1 | 4.59.0 | C (pnpm.overrides) | CVE-2026-27606 (high) | | `minimatch` (v3) | 3.1.2 | 3.1.4 | C (pnpm.overrides) | CVE-2026-26996, CVE-2026-27903, CVE-2026-27904 (all high) | ### CVE Details - [CVE-2026-25896](https://nvd.nist.gov/vuln/detail/CVE-2026-25896) — fast-xml-parser: entity encoding bypass via regex injection in DOCTYPE entity names (critical) - [CVE-2026-26278](https://nvd.nist.gov/vuln/detail/CVE-2026-26278) — fast-xml-parser: DoS through entity expansion in DOCTYPE (high) - [CVE-2026-27606](https://nvd.nist.gov/vuln/detail/CVE-2026-27606) — rollup 4: arbitrary file write via path traversal (high) - [CVE-2026-26996](https://nvd.nist.gov/vuln/detail/CVE-2026-26996) — minimatch: ReDoS via repeated wildcards (high) - [CVE-2026-27903](https://nvd.nist.gov/vuln/detail/CVE-2026-27903) — minimatch: ReDoS in matchOne() (high) - [CVE-2026-27904](https://nvd.nist.gov/vuln/detail/CVE-2026-27904) — minimatch: ReDoS via nested extglobs (high) ### Fix strategy All three packages are transitive dependencies, so direct bumps aren't possible. Used `pnpm.overrides` to force vulnerable version ranges to patched versions. This also fixes a broken override from PR #257 that incorrectly pinned `minimatch@<3.1.3` to `3.1.2` (the vulnerable version) instead of the patched version. ### Skipped alerts - CVE-2026-27942 (`fast-xml-parser` < 5.3.8, low severity) — low tier, will address separately - CVE-2025-69873 (`ajv` < 6.14.0, medium severity) — medium tier, will address separately ### Verification - [x] All lockfiles regenerated - [x] Linters pass - [x] Formatters pass - [x] Build passes - [x] Type tests pass (493 passed, no type errors) 🤖 Submitted by langster-patch --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-06-05 17:22:36 -04:00
yindo closed this issue 2026-06-05 17:22:36 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/deepagentsjs#306