[Aikido] Fix security issue in devalue via minor version upgrade from 5.7.1 to 5.8.1 #4

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-44094430-9fxr


Conversation

aikido-autofix Bot commented Jun 4, 2026

Upgrade devalue to fix HIGH severity DoS vulnerability in sparse array deserialization causing excessive memory consumption.

✅ There are no breaking changes

✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

Issue            Severity  Description
CVE-2026-42570   HIGH      [devalue] devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.
🤖 Remediation details

Fix CVE-2026-42570: bump transitive devalue to 5.8.1 via astro parent spec update

Short summary

This PR fixes a high-severity vulnerability in the transitive dependency devalue (CVE-2026-42570). The vulnerable version (5.7.1) was resolved in package-lock.json as a transitive dependency of astro. The fix updates the declared version spec for astro in the root package.json and refreshes package-lock.json so that devalue resolves to the patched version 5.8.1.

devalue

devalue is pulled in transitively by astro, which declares it as ^5.6.2. Although astro@5.18.1 was already installed and its declared range permits devalue@5.8.1, the lockfile held a stale pin at 5.7.1 that npm update devalue --package-lock-only alone would not refresh. To force re-resolution, the astro spec in the root package.json was tightened from ^5.7.10 to ^5.18.1 (a minor floor bump within the same major), and npm install --package-lock-only was run to produce a fresh lockfile entry resolving devalue to 5.8.1.

Version changes

Package   From                  To                    Why updated
astro     ^5.7.10 (declared)    ^5.18.1 (declared)    Parent spec floor bump to force lockfile re-resolution of transitive devalue
devalue   5.7.1 (resolved)      5.8.1 (resolved)      Transitive CVE fix after parent bump (astro)
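The parent-spec bump above only helps if the lockfile actually re-resolves, so a reviewer wants a check that no copy of the vulnerable version survives. The following Node.js script is an added example, not part of this PR or of Aikido's tooling: it scans a package-lock.json for every resolved copy of a package (nested node_modules copies included) still below the fixed version, handling both the v2/v3 "packages" map and the v1 nested "dependencies" tree. The package name and fixed version come from the PR; the embedded lockfile is constructed.

```javascript
// Added example: report lockfile entries for a package still pinned below the fixed version.
const VULN_PKG = "devalue";
const FIXED = "5.8.1";

// Constructed sample lockfile (v3) mirroring the PR: astro pulls in a stale devalue pin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { astro: "^5.7.10" } },
    "node_modules/astro": { version: "5.18.1", dependencies: { devalue: "^5.6.2" } },
    "node_modules/devalue": { version: "5.7.1" },
  },
};

// Minimal semver compare on the numeric core (prerelease tags are ignored).
function parseSemver(v) { return v.split("-")[0].split(".").map(Number); }
function cmpSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Collect every resolved copy of `name`: top-level and nested node_modules paths.
function resolvedVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Copies still below `fixed`; an empty result means the lockfile is clean.
function stalePins(lock, name, fixed) {
  return resolvedVersions(lock, name).filter(r => cmpSemver(r.version, fixed) < 0);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result from stalePins means the parent bump did not re-resolve every copy.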

aikido-autofix Bot (Author) commented

Closed by Aikido: a new AutoFix has been created → #5

@aikido-autofix aikido-autofix Bot closed this Jun 14, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-44094430-9fxr branch June 14, 2026 00:24