
fix(root): resolve high minimatch, serialize-javascript, and svgo advisories (DOC-316, DOC-317, DOC-318) #1092

Merged
scopsy merged 3 commits into main from cursor/dependency-security-vulnerabilities-1253 on May 12, 2026

Conversation


@cursor cursor Bot commented May 12, 2026

Summary

This pull request clears three high severity items from pnpm audit by adding targeted pnpm.overrides in the root package.json and refreshing pnpm-lock.yaml.

Linear

Changes (Strategy B: overrides)

| Package | Advisory (example) | Notes |
| --- | --- | --- |
| minimatch | GHSA-3ppc-4f35-3m26 | Forces patched 3.x and 9.x (eslint, glob, @fumadocs/cli / ts-morph chains). |
| serialize-javascript | GHSA-5c6j-r48x-rmvq | Forces ^7.0.5 for the webpack / terser-webpack-plugin chain; also clears related moderate advisory. |
| svgo | GHSA-xpqw-6gx7-v673 | Forces ^3.3.3 for the @svgr/webpack pipeline. |

Verification

  • pnpm install --no-frozen-lockfile
  • pnpm audit --json — confirmed the above advisory IDs / modules are no longer reported for these packages
  • pnpm build — completed successfully
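The verification step above, as an added example that is not part of the pull request or the project's own tooling: a CI gate that parses the advisories section of `pnpm audit --json` and fails while any of the three targeted GHSA IDs is still reported, or while any other advisory at or above a chosen severity remains. The npm-audit-compatible field names are an assumption about pnpm's output, and the versions and dependency paths in the sample report are constructed, not taken from the repository's lockfile.

```python
"""CI gate: parse pnpm audit --json, fail while a targeted advisory remains."""
import json
import sys

# Advisory IDs this PR targets (taken from the PR description).
TRACKED = {"GHSA-3ppc-4f35-3m26", "GHSA-5c6j-r48x-rmvq", "GHSA-xpqw-6gx7-v673"}
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def audit_findings(report_json, tracked=TRACKED, min_severity="high"):
    """Return (tracked_hits, other_hits). tracked_hits: advisories in `tracked`
    still present at any severity. other_hits: remaining advisories at or above
    `min_severity`. Each hit is (ghsa_id, module, version, dependency_path)."""
    report = json.loads(report_json)
    tracked_hits, other_hits = [], []
    for adv in report.get("advisories", {}).values():
        ghsa = adv.get("github_advisory_id", "")
        severe = SEVERITY_RANK.get(adv.get("severity"), 0) >= SEVERITY_RANK[min_severity]
        for finding in adv.get("findings", []):
            for path in finding.get("paths") or ["<unknown path>"]:
                hit = (ghsa, adv["module_name"], finding["version"], path)
                if ghsa in tracked:
                    tracked_hits.append(hit)
                elif severe:
                    other_hits.append(hit)
    return tracked_hits, other_hits


# Constructed sample in the npm-audit-compatible shape (assumed for pnpm); the
# versions and dependency paths are illustrative, not from the real lockfile.
SAMPLE_BEFORE = json.dumps({"advisories": {
    "1": {"github_advisory_id": "GHSA-3ppc-4f35-3m26", "module_name": "minimatch",
          "severity": "high", "findings": [
              {"version": "3.1.2", "paths": ["eslint>minimatch"]},
              {"version": "9.0.5", "paths": ["glob>minimatch"]}]},
    "2": {"github_advisory_id": "GHSA-xpqw-6gx7-v673", "module_name": "svgo",
          "severity": "high", "findings": [
              {"version": "3.0.2", "paths": ["@svgr/webpack>@svgr/plugin-svgo>svgo"]}]},
    "3": {"github_advisory_id": "GHSA-xxxx-xxxx-xxxx",  # placeholder id, untracked
          "module_name": "example-pkg", "severity": "low",
          "findings": [{"version": "1.0.0", "paths": ["example-pkg"]}]},
}})
SAMPLE_AFTER = json.dumps({"advisories": {}})  # what a clean audit looks like

if __name__ == "__main__":
    # Real use: pnpm audit --json | python audit_gate.py
    tracked, other = audit_findings(sys.stdin.read())
    for ghsa, mod, ver, path in tracked + other:
        print(f"STILL REPORTED {ghsa} {mod}@{ver} via {path}")
    sys.exit(1 if tracked or other else 0)
```

Pinning the gate to the specific GHSA IDs, in addition to a severity threshold, catches the case where a later lockfile refresh silently drops an override and reintroduces the same advisory.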

cursoragent and others added 3 commits May 12, 2026 06:06
Advisory: GHSA-3ppc-4f35-3m26 (and related minimatch GHSA entries).

minimatch had ReDoS / excessive resource consumption issues in the 3.x and 9.x ranges pulled in via eslint, glob, and @fumadocs/cli/ts-morph.

Strategy B: pnpm overrides to force minimatch ^3.1.4 and ^9.0.7.

Co-authored-by: Dima Grossman <dima@grossman.io>
Advisory: GHSA-5c6j-r48x-rmvq

Cross-site scripting risk in serialize-javascript <=7.0.2 via the webpack / terser-webpack-plugin chain (file-loader).

Strategy B: pnpm override to force ^7.0.5 (also clears moderate GHSA-qj8w-gfj5-8c6v).

Co-authored-by: Dima Grossman <dima@grossman.io>
Advisory: GHSA-xpqw-6gx7-v673

Improper input validation leading to prototype pollution in svgo <3.3.3, pulled in via @svgr/webpack / @svgr/plugin-svgo.

Strategy B: pnpm override to force svgo ^3.3.3.

Co-authored-by: Dima Grossman <dima@grossman.io>
linear-code Bot commented May 12, 2026

DOC-316

DOC-317

DOC-318

netlify Bot commented May 12, 2026

Deploy Preview for docs-novu ready!

Name Link
🔨 Latest commit 34cb97e
🔍 Latest deploy log https://app.netlify.com/projects/docs-novu/deploys/6a02c431a199d1000814f5ba
😎 Deploy Preview https://deploy-preview-1092--docs-novu.netlify.app

@scopsy scopsy marked this pull request as ready for review May 12, 2026 06:19
@scopsy scopsy merged commit c7cb8bd into main May 12, 2026
7 checks passed
@scopsy scopsy deleted the cursor/dependency-security-vulnerabilities-1253 branch May 12, 2026 06:20