See also:
- https://www.npmjs.com/package/webpack
- https://github.com/webpack/webpack
- https://github.com/webpack/webpack/releases

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/52
  - CVE-2025-68458
  - GHSA-8fgc-7cc6-rx7x
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/51
  - CVE-2025-68157
  - GHSA-38r7-794h-5758

Release History:
- 5.105.0 (February 3, 2026):
  - https://github.com/webpack/webpack/releases/tag/v5.105.0
- 5.104.1 (January 30, 2026) — SSRF bypass fix:
  - GHSA-8fgc-7cc6-rx7x
- 5.104.0 (January 30, 2026) — Redirect bypass fix:
  - GHSA-38r7-794h-5758
- 5.95.0 (September 25, 2024):
  - https://github.com/webpack/webpack/releases/tag/v5.95.0

Verification (`yarn why webpack`):

Before:

    => Found "webpack@5.95.0"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools" depends on it
       - Hoisted from "@ckeditor#ckeditor5-package-tools#webpack"
    info Disk size without dependencies: "6.85MB"

After:

    => Found "webpack@5.105.0"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools" depends on it
       - Hoisted from "@ckeditor#ckeditor5-package-tools#webpack"
    info Disk size without dependencies: "15.88MB"
…3 (security bump)

See also:
- https://www.npmjs.com/package/lodash
- https://www.npmjs.com/package/lodash-es
- https://github.com/lodash/lodash
- https://github.com/lodash/lodash/wiki/Changelog

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/42
  - CVE-2025-13465
  - GHSA-xxjr-mmjv-4gpg
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/41
  - CVE-2025-13465
  - GHSA-xxjr-mmjv-4gpg

Release History:
- 4.17.23 (January 21, 2026) — Prototype pollution fix:
  - https://github.com/lodash/lodash/wiki/Changelog
- 4.17.21 (February 20, 2021):
  - https://github.com/lodash/lodash/wiki/Changelog

Verification (`yarn why lodash`):

Before:

    => Found "lodash@4.17.21"
    info Reasons this module exists
       - "stylelint" depends on it
       - Hoisted from "stylelint#lodash"
       - Hoisted from "@ckeditor#ckeditor5-package-tools#karma#lodash"
    info Disk size without dependencies: "4.88MB"

After:

    => Found "lodash@4.17.23"
    info Reasons this module exists
       - "stylelint" depends on it
       - Hoisted from "stylelint#lodash"
       - Hoisted from "@ckeditor#ckeditor5-package-tools#karma#lodash"
    info Disk size without dependencies: "4.87MB"

Verification (`yarn why lodash-es`):

Before:

    => Found "lodash-es@4.17.21"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-dev-build-tools" depends on it
       - Hoisted from "@ckeditor#ckeditor5-dev-build-tools#lodash-es"
    info Disk size without dependencies: "2.59MB"

After:

    => Found "lodash-es@4.17.23"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-dev-build-tools" depends on it
       - Hoisted from "@ckeditor#ckeditor5-dev-build-tools#lodash-es"
    info Disk size without dependencies: "2.58MB"
See also:
- https://www.npmjs.com/package/qs
- https://github.com/ljharb/qs
- https://github.com/ljharb/qs/blob/main/CHANGELOG.md

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/36
  - CVE-2025-15284
  - GHSA-6rw7-vpxm-498p

Release History:
- 6.14.1 (December 29, 2025) — arrayLimit bypass fix:
  - GHSA-6rw7-vpxm-498p
- 6.13.0 (August 1, 2024):
  - https://github.com/ljharb/qs/blob/main/CHANGELOG.md

Verification (`yarn why qs`):

Before:

    => Found "qs@6.13.0"
    info Reasons this module exists
       - "http-server#union" depends on it
       - Hoisted from "http-server#union#qs"
       - Hoisted from "@ckeditor#ckeditor5-package-tools#karma#body-parser#qs"
       - Hoisted from "@ckeditor#ckeditor5-package-tools#webpack-dev-server#express#qs"
    info Disk size without dependencies: "300KB"

After:

    => Found "qs@6.14.1"
    info Reasons this module exists
       - "http-server#union" depends on it
       - Hoisted from "http-server#union#qs"
       - Hoisted from "@ckeditor#ckeditor5-package-tools#karma#body-parser#qs"
       - Hoisted from "@ckeditor#ckeditor5-package-tools#webpack-dev-server#express#qs"
    info Disk size without dependencies: "352KB"
1.3.2 contains the security fixes; 1.3.3 fixes a non-security PKCS#12 regression introduced in 1.3.2.

See also:
- https://www.npmjs.com/package/node-forge
- https://github.com/digitalbazaar/forge
- https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/35
  - CVE-2025-66030
  - GHSA-65ch-62r8-g69g
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/33
  - CVE-2025-12816
  - GHSA-5gfm-wpxj-wjgq
- Also fixed in 1.3.2 (not a separate Dependabot alert):
  - CVE-2025-66031
  - GHSA-554w-wpv2-vw27

Release History:
- 1.3.3 (December 2, 2025) — PKCS#12 regression fix:
  - https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md
- 1.3.2 (November 25, 2025) — Security fixes:
  - https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md
- 1.3.1 (March 29, 2022):
  - https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md

Verification (`yarn why node-forge`):

Before:

    => Found "node-forge@1.3.1"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools#webpack-dev-server#selfsigned" depends on it
       - Hoisted from "@ckeditor#...#selfsigned#node-forge"
    info Disk size without dependencies: "1.74MB"

After:

Package no longer appears in dependency tree. The upgraded webpack-dev-server@5.2.3 no longer depends on selfsigned/node-forge. Resolution remains as a defensive measure.
Major version jump (3.x -> 4.x). 3.14.2 backports the fix to v3, but since js-yaml is only consumed by dev tooling (eslint, mocha, cosmiconfig) and all resolve cleanly to 4.1.1, this is safe.

See also:
- https://www.npmjs.com/package/js-yaml
- https://github.com/nodeca/js-yaml
- https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/31
  - CVE-2025-64718
  - GHSA-mh29-5h37-fv8m
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/30
  - CVE-2025-64718
  - GHSA-mh29-5h37-fv8m

Release History:
- 4.1.1 (November 12, 2025) — Prototype pollution fix:
  - https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md
- 4.1.0 (April 15, 2021):
  - https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md
- 3.14.2 (November 15, 2025) — Backport of same fix:
  - https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md
- 3.14.1 (December 7, 2020):
  - https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md
- 3.13.1 (April 5, 2019):
  - https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md

Verification (`yarn why js-yaml`):

Before:

    => Found "js-yaml@3.14.1"
    info Reasons this module exists
       - Hoisted from "eslint#js-yaml"
       - Hoisted from "eslint#@eslint#eslintrc#js-yaml"
    info Disk size without dependencies: "420KB"
    => Found "mocha#js-yaml@3.13.1"
       - "@ckeditor#ckeditor5-package-tools#mocha" depends on it
    info Disk size without dependencies: "416KB"

After:

    => Found "js-yaml@4.1.1"
    info Reasons this module exists
       - "eslint" depends on it
       - Hoisted from "eslint#js-yaml"
       - Hoisted from "@ckeditor#ckeditor5-package-tools#mocha#js-yaml"
       - Hoisted from "eslint#@eslint#eslintrc#js-yaml"
    info Disk size without dependencies: "476KB"
CHANGELOG.md is incomplete (stops at 0.2.2). No GitHub Releases.

See also:
- https://www.npmjs.com/package/tmp
- https://github.com/raszi/node-tmp

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/27
  - CVE-2025-54798
  - GHSA-52f5-9888-hmc6

Release History:
- 0.2.5 (August 8, 2025):
  - No release notes available
- 0.2.4 (August 6, 2025) — Symlink path traversal fix:
  - GHSA-52f5-9888-hmc6
- 0.2.3 (~2024):
  - No release notes available

Verification (`yarn why tmp`):

Before:

    => Found "tmp@0.2.3"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools#karma" depends on it
       - Hoisted from "@ckeditor#ckeditor5-package-tools#karma#tmp"
    info Disk size without dependencies: "72KB"

After:

    => Found "tmp@0.2.5"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools#karma" depends on it
       - Hoisted from "@ckeditor#ckeditor5-package-tools#karma#tmp"
    info Disk size without dependencies: "52KB"
See also:
- https://www.npmjs.com/package/on-headers
- https://github.com/jshttp/on-headers
- https://github.com/jshttp/on-headers/blob/master/HISTORY.md

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/26
  - CVE-2025-7339
  - GHSA-76c9-3jph-rj3q

Release History:
- 1.1.0 (July 17, 2025) — Header manipulation fix:
  - https://github.com/jshttp/on-headers/blob/master/HISTORY.md
- 1.0.2 (February 21, 2019):
  - https://github.com/jshttp/on-headers/blob/master/HISTORY.md

Verification (`yarn why on-headers`):

Before:

    => Found "on-headers@1.0.2"
    info Reasons this module exists
       - "@ckeditor#...#webpack-dev-server#compression" depends on it
       - Hoisted from "@ckeditor#...#webpack-dev-server#compression#on-headers"
    info Disk size without dependencies: "20KB"

After:

    => Found "on-headers@1.1.0"
    info Reasons this module exists
       - "@ckeditor#...#webpack-dev-server#compression" depends on it
       - Hoisted from "@ckeditor#...#webpack-dev-server#compression#on-headers"
    info Disk size without dependencies: "20KB"
Both CVEs were patched in 5.2.1 (March 26, 2025). 5.2.3 includes additional non-security bug fixes.

See also:
- https://www.npmjs.com/package/webpack-dev-server
- https://github.com/webpack/webpack-dev-server
- https://github.com/webpack/webpack-dev-server/releases

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/24
  - CVE-2025-30360
  - GHSA-9jgg-88mc-972h
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/23
  - CVE-2025-30359
  - GHSA-4v9v-hfq4-rm2v

Release History:
- 5.2.3 (January 12, 2026):
  - https://github.com/webpack/webpack-dev-server/releases/tag/v5.2.3
- 5.2.1 (March 26, 2025) — Security fixes for both CVEs:
  - https://github.com/webpack/webpack-dev-server/releases/tag/v5.2.1
- 5.1.0 (September 3, 2024):
  - https://github.com/webpack/webpack-dev-server/releases/tag/v5.1.0

Verification (`yarn why webpack-dev-server`):

Before:

    => Found "webpack-dev-server@5.1.0"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools" depends on it
       - Hoisted from "@ckeditor#ckeditor5-package-tools#webpack-dev-server"
    info Disk size without dependencies: "4.32MB"

After:

    => Found "webpack-dev-server@5.2.3"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools" depends on it
       - Hoisted from "@ckeditor#ckeditor5-package-tools#webpack-dev-server"
    info Disk size without dependencies: "1.05MB"
Major version jump (2.x -> 3.x). The v2 line has a patch (2.0.9), but yarn resolved to 3.0.5 via the >=2.0.8 resolution range. This is safe because http-proxy-middleware is only consumed by webpack-dev-server (dev tooling).

See also:
- https://www.npmjs.com/package/http-proxy-middleware
- https://github.com/chimurai/http-proxy-middleware
- https://github.com/chimurai/http-proxy-middleware/releases

Security Alerts:
- https://github.com/Multiverse-io/ckeditor5-math/security/dependabot/22
  - CVE-2025-32996
  - GHSA-4www-5p9h-95mh

Release History:
- 3.0.5 (April 10, 2025):
  - https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.5
- 3.0.4 (April 10, 2025) — writeBody fix:
  - https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.4
- 2.0.9 (April 10, 2025) — Same fix backported to v2:
  - https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.9
- 2.0.7 (October 6, 2024):
  - https://github.com/chimurai/http-proxy-middleware/releases/tag/v2.0.7

Verification (`yarn why http-proxy-middleware`):

Before:

    => Found "http-proxy-middleware@2.0.7"
    info Reasons this module exists
       - "@ckeditor#...#webpack-dev-server" depends on it
       - Hoisted from "@ckeditor#...#webpack-dev-server#http-proxy-middleware"
    info Disk size without dependencies: "184KB"

After:

    => Found "http-proxy-middleware@3.0.5"
    info Reasons this module exists
       - "@ckeditor#ckeditor5-package-tools#webpack-dev-server" depends on it
       - Hoisted from "@ckeditor#...#webpack-dev-server#http-proxy-middleware"
    info Disk size without dependencies: "300KB"
…atch (security bump)

Resolve 5 transitive dev dependency vulnerabilities via yarn resolutions. All are consumed only by dev tooling (eslint, mocha, ts-node, etc.). Major version jumps are safe in this context.

See also:
- https://github.com/moxystudio/node-cross-spawn (no changelog)
- https://github.com/juliangruber/brace-expansion/releases
- https://github.com/debug-js/debug/releases
- https://github.com/kpdecker/jsdiff (release-notes.md)
- https://github.com/isaacs/minimatch/blob/main/changelog.md

Security Alerts:
- cross-spawn 7.0.3 -> 7.0.6:
  - CVE-2024-21538
  - GHSA-3xgq-45jj-v275
- brace-expansion 1.1.11 -> >=2.0.2 (defensive, v1 fix: 1.1.12):
  - CVE-2025-5889
  - GHSA-v6h2-p8h4-qcjw
- debug 3.2.6 -> 4.4.3 (v3 fix: 3.2.7):
  - CVE-2017-16137
  - GHSA-gxpj-cx7g-858c
- diff 4.0.2/3.5.0 -> 8.0.3 (v4 fix: 4.0.4):
  - CVE-2026-24001
  - GHSA-73rr-hh4g-fpgx
- minimatch 3.0.4/3.1.2 -> 10.1.2 (v3 fix: 3.0.5):
  - CVE-2022-3517
  - GHSA-f8q6-p94x-37v3

Release History:
- cross-spawn 7.0.6 (November 18, 2024):
  - ReDoS fix. 7.0.3 from May 25, 2020.
- brace-expansion 2.0.2 (June 11, 2025):
  - ReDoS fix. Also patched in 1.1.12 for v1 line.
- debug 4.4.3 (September 13, 2025):
  - ReDoS fix in %o formatter. Fix also in 3.2.7.
- diff 8.0.3 (January 12, 2026):
  - Infinite loop in parsePatch. Fix also in 4.0.4.
- minimatch 10.1.2 (February 3, 2026):
  - ReDoS in braceExpand. Fix also in 3.0.5.
Verification (`yarn why cross-spawn`):

Before:

    => Found "cross-spawn@7.0.3"
    info Reasons this module exists
       - "eslint" depends on it
       - Hoisted from "eslint#cross-spawn"
    info Disk size without dependencies: "100KB"

After:

    => Found "cross-spawn@7.0.6"
    info Reasons this module exists
       - "eslint" depends on it
       - Hoisted from "eslint#cross-spawn"
    info Disk size without dependencies: "92KB"

Verification (`yarn why debug`):

Before:

    => Found "debug@4.3.7" (main)
    => Found "mocha#debug@3.2.6" (vulnerable copy)

After:

    => Found "debug@4.4.3"
    info Reasons this module exists
       - "eslint" depends on it (+ 20 other consumers)

Verification (`yarn why diff`):

Before:

    => Found "diff@4.0.2"
       - Hoisted from "ts-node#diff"
    => Found "mocha#diff@3.5.0"

After:

    => Found "diff@8.0.3"
       - "ts-node" depends on it

Verification (`yarn why minimatch`):

Before:

    => Found "minimatch@3.1.2"
       - Hoisted from "eslint#minimatch"
    => Found "mocha#minimatch@3.0.4" (vulnerable)

After:

    => Found "minimatch@10.1.2"
       - "eslint" depends on it (+ 7 other consumers)

Verification (`yarn why brace-expansion`):

Before:

    => Found "brace-expansion@1.1.11"
       - Hoisted from "minimatch#brace-expansion"
    => Found "karma-webpack#brace-expansion@2.0.1"
    => Found "@ckeditor/ckeditor5-dev-build-tools#brace-expansion@2.0.1"

After:

Package no longer appears in dependency tree. The upgraded minimatch@10.1.2 bundles its own brace-expansion internally. Resolution remains as a defensive measure.
See also:
- https://www.npmjs.com/package/@babel/helpers
- https://github.com/babel/babel
- https://github.com/babel/babel/blob/main/CHANGELOG.md

Security Alerts:
- CVE-2025-27789
- GHSA-968p-4wvh-cqc8

Release History:
- 7.28.6 (January 12, 2026):
  - https://github.com/babel/babel/releases
- 7.26.10 (March 11, 2025) — Regex complexity fix:
  - https://github.com/babel/babel/releases
- 7.25.7 (October 2, 2024):
  - https://github.com/babel/babel/releases

Verification (`yarn why @babel/helpers`):

Before:

    => Found "@babel/helpers@7.25.7"
    info Reasons this module exists
       - "stylelint#@stylelint#postcss-css-in-js#@babel#core" depends on it
       - Hoisted from "stylelint#...#@babel#core#@babel#helpers"
    info Disk size without dependencies: "1.6MB"

After:

    => Found "@babel/helpers@7.28.6"
    info Reasons this module exists
       - "stylelint#@stylelint#postcss-css-in-js#@babel#core" depends on it
       - Hoisted from "stylelint#...#@babel#core#@babel#helpers"
    info Disk size without dependencies: "7.03MB"
why: Bugbot review flagged unbounded >= ranges that cross major versions and risk future drift on yarn install without --frozen-lockfile.

what:
- Replace all >= resolution ranges with ^ caret ranges
- Pin cross-major resolutions to their actual resolved major: js-yaml ^4.1.1, http-proxy-middleware ^3.0.5, debug ^4.4.3, diff ^8.0.3, minimatch ^10.1.2, brace-expansion ^4.0.1
- Same-major resolutions stay at minimum patched version: webpack ^5.104.1, lodash ^4.17.23, qs ^6.14.1, etc.
- No lockfile changes: all resolved versions satisfy new ranges

Verification: yarn install --frozen-lockfile passes, yarn lint passes
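Added example, not part of this PR and not Yarn's own code: a small JavaScript check that shows the point of the commit above in working code. It implements only the two range shapes the PR uses (`>=x.y.z` and `^x.y.z`, with caret simplified to "same major, not below the minimum" and no 0.x special-casing), then checks a constructed lockfile snapshot (the versions the commit messages report after the bump) against the caret resolutions, and shows that a hypothetical next major such as js-yaml 5.0.0 would still satisfy `>=4.1.1` but not `^4.1.1`. The `resolutions`, `locked` and "future" version values are constructed for illustration; a real check would read them from `package.json` and `yarn.lock`.

```javascript
// Added example: why ">=" resolutions drift across majors while "^" pins the major.
// parseVersion/compare/satisfies are a deliberately minimal stand-in for the
// `semver` package so the script runs with no dependencies.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Negative, zero or positive like a comparator callback.
function compare(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  return x.major - y.major || x.minor - y.minor || x.patch - y.patch;
}

// Only the two range forms used in this PR's resolutions are supported.
function satisfies(version, range) {
  if (range.startsWith(">=")) return compare(version, range.slice(2)) >= 0;
  if (range.startsWith("^")) {
    const min = range.slice(1);
    // Simplified caret: same major as the minimum and not below it.
    return parseVersion(version).major === parseVersion(min).major && compare(version, min) >= 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Constructed: the caret resolutions from the second commit of this PR.
const resolutions = {
  "js-yaml": "^4.1.1",
  "http-proxy-middleware": "^3.0.5",
  "debug": "^4.4.3",
  "diff": "^8.0.3",
  "minimatch": "^10.1.2",
  "brace-expansion": "^4.0.1",
  "webpack": "^5.104.1",
  "lodash": "^4.17.23",
  "qs": "^6.14.1",
};

// Constructed lockfile snapshot from the `yarn why` "After" output in the commit
// messages. brace-expansion is absent on purpose: it dropped out of the tree,
// so its resolution is purely defensive and must not count as drift.
const locked = {
  "js-yaml": "4.1.1",
  "http-proxy-middleware": "3.0.5",
  "debug": "4.4.3",
  "diff": "8.0.3",
  "minimatch": "10.1.2",
  "webpack": "5.105.0",
  "lodash": "4.17.23",
  "qs": "6.14.1",
};

// Names of packages whose locked version falls outside its resolution range.
// This is the check behind "no lockfile changes: all resolved versions satisfy new ranges".
function findDrift(resolutionMap, lockedMap) {
  return Object.keys(resolutionMap).filter((name) => {
    const version = lockedMap[name];
    if (version === undefined) return false; // not installed; nothing to drift
    return !satisfies(version, resolutionMap[name]);
  });
}

// What each range form would admit for a candidate version, e.g. a future major.
function wouldAdmit(minVersion, candidate) {
  return {
    gte: satisfies(candidate, ">=" + minVersion),
    caret: satisfies(candidate, "^" + minVersion),
  };
}

console.log("drift:", findDrift(resolutions, locked));
console.log("js-yaml 5.0.0 under >= vs ^:", wouldAdmit("4.1.1", "5.0.0"));
```

Run it with `node` and the drift list is empty, while the hypothetical 5.0.0 is admitted by `>=4.1.1` and rejected by `^4.1.1`: a fresh `yarn install` without `--frozen-lockfile` could pull that next major under the old ranges but not under the caret ones.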
Author (Collaborator): @cursor review
buritos approved these changes on Feb 10, 2026
Resolves LOB-1522.

Summary

`yarn audit` findings from 65 to 7.
- not_used — CLI-only vuln, library API consumers unaffected

Vulnerabilities Addressed

High Severity (3 patched)

Medium Severity (7 patched)

Low Severity (6 patched)

Remaining `yarn audit` Findings (7, all previously dismissed in Dependabot)
- not_used — Istanbul test coverage tooling, code we trust
- tolerable_risk — Theoretical proto pollution via crafted JSON schema in local toolchain
- not_used — Dev server not exposed to public internet
- tolerable_risk — Stylelint/ckeditor dev tooling, no external untrusted CSS
- not_used — CLI-only vuln, all consumers use library API

Changes
- `package.json` (resolutions) and `yarn.lock`

Test Plan
- `yarn install --frozen-lockfile` succeeds
- `yarn lint` passes

Related
Note: Medium Risk

Changes are dependency/lockfile-only but touch core build tooling (webpack/dev server) and widely used libs, which can cause build/runtime regressions despite being security-motivated.

Overview

Security-focused dependency updates only. Adds/expands `package.json` `resolutions` to force patched versions of vulnerable transitive packages (notably webpack, webpack-dev-server, http-proxy-middleware, qs, lodash/lodash-es, node-forge, js-yaml, tmp, cross-spawn, brace-expansion, minimatch, diff, debug, @babel/helpers). Regenerates `yarn.lock` accordingly, pulling in updated dependency trees (including updates to express/middleware packages via dev-server) with no source-code changes.

Written by Cursor Bugbot for commit 208322b.