From 4abd3dbd6b16b585ea6d7c84a0857382a8248a22 Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 6 Mar 2026 19:21:32 +0000
Subject: [PATCH] fix: upgrade svgo to 3.3.3 to patch DoS vulnerability (CVE-2026-29074)

Add pnpm override to force svgo>=3.0.0,<3.3.3 to resolve to 3.3.3, patching GHSA-xpqw-6gx7-v673 (Billion Laughs entity expansion DoS).

https://claude.ai/code/session_016832ktirXfL5q5vC5P8Fmj
---
 pnpm-lock.yaml | 19 +++++++------------
 pnpm-workspace.yaml | 3 +++
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a954950f0..528ff8033 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -14,7 +14,7 @@ catalogs:
 version: 11.49.0
 '@carbon/react':
 specifier: ^1.101.0
- version: 1.101.0
+ version: 1.102.0
 '@carbon/styles':
 specifier: ^1.100.0
 version: 1.101.0
@@ -78,6 +78,7 @@ catalogs:
 
 overrides:
 path-to-regexp@<0.1.10: 0.1.10
+ svgo@>=3.0.0 <3.3.3: 3.3.3
 
 importers:
 
@@ -3708,10 +3709,6 @@ packages:
 '@tootallnate/quickjs-emscripten@0.23.0':
 resolution: {integrity: sha512-C5Mc6rdnsaJDjO3UpGW/CQTHtCKaYlScZTly4JIu97Jxo/odCiH0ITnDXSJPTOrEKk/ycSZ0AOgTmkDtkOsvIA==}
 
- '@trysound/sax@0.2.0':
- resolution: {integrity: sha512-L7z9BgrNEcYyUYtF+HaEfiS5ebkh9jXqbszz7pC0hRBPaatV0XjSD3+eHrpqFemQfgwiFF0QPIarnIihIDn7OA==}
- engines: {node: '>=10.13.0'}
-
 '@tybys/wasm-util@0.10.1':
 resolution: {integrity: sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==}
 
@@ -8508,8 +8505,8 @@ packages:
 svg-tags@1.0.0:
 resolution: {integrity: sha512-ovssysQTa+luh7A5Weu3Rta6FJlFBBbInjOh722LIt6klpU2/HtdUbszju/G4devcvk8PGt7FCLv5wftu3THUA==}
 
- svgo@3.3.2:
- resolution: {integrity: sha512-OoohrmuUlBs8B8o6MB2Aevn+pRIH9zDALSR+6hhqVfa6fRwG/Qw9VUMSMW9VNg2CFc/MTIfabtdOVl9ODIJjpw==}
+ svgo@3.3.3:
+ resolution: {integrity: sha512-+wn7I4p7YgJhHs38k2TNjy1vCfPIfLIJWR5MnCStsN8WuuTcBnRKcMHQLMM2ijxGZmDoZwNv8ipl5aTTen62ng==}
 engines: {node: '>=14.0.0'}
 hasBin: true
 
@@ -13197,7 +13194,7 @@ snapshots:
 '@svgr/core': 8.1.0(typescript@5.9.3)
 cosmiconfig: 8.3.6(typescript@5.9.3)
 deepmerge: 4.3.1
- svgo: 3.3.2
+ svgo: 3.3.3
 transitivePeerDependencies:
 - typescript
 
@@ -13260,8 +13257,6 @@ snapshots:
 
 '@tootallnate/quickjs-emscripten@0.23.0': {}
 
- '@trysound/sax@0.2.0': {}
-
 '@tybys/wasm-util@0.10.1':
 dependencies:
 tslib: 2.8.1
@@ -19252,15 +19247,15 @@ snapshots:
 
 svg-tags@1.0.0: {}
 
- svgo@3.3.2:
+ svgo@3.3.3:
 dependencies:
- '@trysound/sax': 0.2.0
 commander: 7.2.0
 css-select: 5.2.2
 css-tree: 2.3.1
 css-what: 6.2.2
 csso: 5.0.5
 picocolors: 1.1.1
+ sax: 1.5.0
 
 sync-child-process@1.0.2:
 dependencies:
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 1beea98ce..6d9db0966 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -2,6 +2,9 @@ overrides:
 # Fix CVE-2024-45296 / GHSA-9wv6-86v2-598j: path-to-regexp ReDoS vulnerability
 # Transitive via mintlify -> @mintlify/previewing -> express@4.18.2
 "path-to-regexp@<0.1.10": "0.1.10"
+ # Fix CVE-2026-29074 / GHSA-xpqw-6gx7-v673: SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
+ # Transitive via @svgr/webpack -> @svgr/plugin-svgo -> svgo
+ "svgo@>=3.0.0 <3.3.3": "3.3.3"
 
 packages:
 - apps/agentstack-ui
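Review bot: The new `"svgo@>=3.0.0 <3.3.3": "3.3.3"` override in pnpm-workspace.yaml pins every in-range svgo to exactly 3.3.3 and records no removal condition, so a later svgo 3.3.x security release would not be picked up by `pnpm update` until someone edits this line; add `# Remove once @svgr/plugin-svgo requires svgo >=3.3.3` under the new comment so the override does not outlive the upstream fix. The selector also only covers the 3.x line, so if the advisory's affected range reaches older majors (not verifiable from this diff) an svgo@2 pulled in by another package would bypass it. The lockfile in the same commit shows svgo 3.3.3 replacing `@trysound/sax@0.2.0` with `sax: 1.5.0`, a new transitive XML parser whose own advisory status is worth confirming before merge, and an unrelated `@carbon/react` bump from 1.101.0 to 1.102.0 that the commit message does not mention and that should be split out or called out in the description.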