From 1cf1ac4c32261241111c34fcadb6199d7d2c34be Mon Sep 17 00:00:00 2001 From: Cursor Agent Date: Fri, 15 May 2026 06:07:03 +0000 Subject: [PATCH] fix(root): resolve moderate @babel/runtime, postcss, and mdast-util-to-hast vulnerabilities fixes DOC-323 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Advisories addressed (pnpm audit): - GHSA-968p-4wvh-cqc8 (@babel/runtime <7.26.10): Strategy B — pnpm override to ^7.26.10 (transitive via @inkeep/cxkit-react). - GHSA-qx2v-qp2m-jg93 (postcss <8.5.10): Strategy A + B — devDependency ^8.5.10 and override postcss@<8.5.10 so Next’s nested copy resolves to a patched release. - GHSA-4fh9-h7wg-q85m (mdast-util-to-hast): Strategy B — pnpm override to ^13.2.1 (transitive via remark-validate-links). Skipped: sanitize-html (critical, GHSA-rpr9-rxv7-x643) has no patched npm version per audit (patched_versions <0.0.0). Linear: https://linear.app/novu/issue/DOC-323/docs-resolve-transitive-and-postcss-audit-findings-babel-runtime Co-authored-by: Dima Grossman
---
 package.json | 5 ++- pnpm-lock.yaml | 84 +++++++++++++++++++++----------------------------- 2 files changed, 39 insertions(+), 50 deletions(-)
diff --git a/package.json b/package.json
index f86b3f2ca..e71c4124e 100644
--- a/package.json
+++ b/package.json
@@ -90,7 +90,7 @@
 "eslint-plugin-prettier": "^5.2.3",
 "file-loader": "^6.2.0",
 "glob": "^11.1.0",
- "postcss": "^8.5.3",
+ "postcss": "^8.5.10",
 "prettier": "^3.5.3",
 "remark-lint-no-dead-urls": "^2.0.1",
 "remark-lint-no-undefined-references": "^5.0.1",
@@ -109,6 +109,7 @@
 "pnpm": {
 "overrides": {
 "@babel/plugin-transform-modules-systemjs@>=7.12.0 <=7.29.3": "^7.29.4",
+ "@babel/runtime@<7.26.10": "^7.26.10",
 "defu@<=6.1.4": "^6.1.5",
 "estree-util-value-to-estree@<3.3.3": "^3.3.3",
 "fast-uri@<=3.1.1": "^3.1.2",
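Review bot: The `@babel/runtime@<7.26.10` selector added in the `pnpm.overrides` hunk (`@@ -109,6 +109,7 @@`) has no lower bound, and the `postcss@<8.5.10` selector added in the next package.json hunk has the same shape. As far as I can tell from pnpm's range matching, each would also apply to any future dependent that requests an older major line and move it silently onto the new major. The `minimatch@>=9.0.0 <9.0.7` and `mdast-util-to-hast@>=13.0.0 <13.2.1` entries in the same block already bound their ranges; the matching form here would be `"@babel/runtime@>=7.0.0 <7.26.10": "^7.26.10"` and `"postcss@>=8.0.0 <8.5.10": "^8.5.10"`. The lockfile resolves these to 7.29.2 and 8.5.14 and moves what appears to be Next's pinned postcss from 8.4.31 to 8.5.14, so a full production build is worth running before merge. The `overrides` object continues outside the hunk.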
@@ -119,7 +120,9 @@ "liquidjs@<10.25.7": "^10.25.7", "minimatch@<3.1.4": "^3.1.4", "minimatch@>=9.0.0 <9.0.7": "^9.0.7", + "mdast-util-to-hast@>=13.0.0 <13.2.1": "^13.2.1", "picomatch@<2.3.2": "^2.3.2", + "postcss@<8.5.10": "^8.5.10", "serialize-javascript@<7.0.5": "^7.0.5", "seroval@<1.4.1": "^1.4.1", "socket.io-parser@>=4.0.0 <4.2.6": "^4.2.6", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 36d24eea4..603f7bc28 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,6 +6,7 @@ settings: overrides: '@babel/plugin-transform-modules-systemjs@>=7.12.0 <=7.29.3': ^7.29.4 + '@babel/runtime@<7.26.10': ^7.26.10 defu@<=6.1.4: ^6.1.5 estree-util-value-to-estree@<3.3.3: ^3.3.3 fast-uri@<=3.1.1: ^3.1.2 @@ -16,7 +17,9 @@ overrides: liquidjs@<10.25.7: ^10.25.7 minimatch@<3.1.4: ^3.1.4 minimatch@>=9.0.0 <9.0.7: ^9.0.7 + mdast-util-to-hast@>=13.0.0 <13.2.1: ^13.2.1 picomatch@<2.3.2: ^2.3.2 + postcss@<8.5.10: ^8.5.10 serialize-javascript@<7.0.5: ^7.0.5 seroval@<1.4.1: ^1.4.1 socket.io-parser@>=4.0.0 <4.2.6: ^4.2.6 @@ -236,8 +239,8 @@ importers: specifier: ^11.1.0 version: 11.1.0 postcss: - specifier: ^8.5.3 - version: 8.5.3 + specifier: ^8.5.10 + version: 8.5.14 prettier: specifier: ^3.5.3 version: 3.5.3 @@ -873,8 +876,8 @@ packages: peerDependencies: '@babel/core': ^7.0.0-0 - '@babel/runtime@7.26.7': - resolution: {integrity: sha512-AOPI3D+a8dXnja+iwsUqGRjr1BbZIe771sXdapOtYI531gSqpi92vXivKcq2asu/DFpdl1ceFAKZyRzK2PCVcQ==} + '@babel/runtime@7.29.2': + resolution: {integrity: sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==} engines: {node: '>=6.9.0'} '@babel/template@7.27.2': 
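Review bot: In the last package.json hunk (`@@ -119,7 +120,9 @@`, at the start of this line) the `mdast-util-to-hast` override is inserted after the two `minimatch` entries, which breaks the alphabetical order the rest of the visible block follows (`liquidjs`, `minimatch`, `picomatch`, `postcss`, `serialize-javascript`). Moving `"mdast-util-to-hast@>=13.0.0 <13.2.1": "^13.2.1",` to sit directly after the `liquidjs@<10.25.7` line keeps the list sorted, which makes duplicate or conflicting selectors easier to spot when the overrides are audited. The `overrides` section of pnpm-lock.yaml shows the same order, so it would presumably follow on the next install. The `overrides` object starts and ends outside the hunk.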
@@ -5313,8 +5316,8 @@ packages: mdast-util-phrasing@4.1.0: resolution: {integrity: sha512-TqICwyvJJpBwvGAMZjj4J2n0X8QWp21b9l0o7eXyVJ25YNWYbJDVIyD1bZXE6WtV6RmKJVYmQAKWa0zWOABz2w==} - mdast-util-to-hast@13.2.0: - resolution: {integrity: sha512-QGYKEuUsYT9ykKBCMOEDLsU5JRObWQusAolFMeko/tYPufNkRffBAQjIE+99jbA87xv6FgmjLtwjh9wBWajwAA==} + mdast-util-to-hast@13.2.1: + resolution: {integrity: sha512-cctsq2wp5vTsLIcaymblUriiTcZd0CwWtCbLvrOzYCDZoWyMNV8sZ7krj09FSnsiJi3WVsHLM4k6Dq/yaPyCXA==} mdast-util-to-markdown@2.1.2: resolution: {integrity: sha512-xj68wMTvGXVOKonmog6LwyJKrYXZPvlwabaryTjLh9LuvovB/KAH+kvi8Gjj+7rJjsFi23nkUxRQv1KqSroMqA==} @@ -5528,8 +5531,8 @@ packages: ms@2.1.3: resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==} - nanoid@3.3.8: - resolution: {integrity: sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==} + nanoid@3.3.12: + resolution: {integrity: sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==} engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1} hasBin: true @@ -5850,12 +5853,8 @@ packages: resolution: {integrity: sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==} engines: {node: '>=4'} - postcss@8.4.31: - resolution: {integrity: sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==} - engines: {node: ^10 || ^12 || >=14} - - postcss@8.5.3: - resolution: {integrity: sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==} + postcss@8.5.14: + resolution: {integrity: sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==} engines: {node: ^10 || ^12 || >=14} prelude-ls@1.2.1: 
@@ -6063,9 +6062,6 @@ packages: regenerate@1.4.2: resolution: {integrity: sha512-zrceR/XhGYU/d/opr2EKO7aRHUeiBI8qjtfHqADTwZd6Szfy16la6kqD0MIUs5z5hx6AaKa+PixpPrR289+I0A==} - regenerator-runtime@0.14.1: - resolution: {integrity: sha512-dYnhHh0nJoMfnkZs6GmmhFknAGRrLznOu5nc9ML+EJxGvrx6H7teuevqVqCuPcPK//3eDrrjQhehXVx9cnkGdw==} - regex-recursion@6.0.2: resolution: {integrity: sha512-0YCaSCq2VRIebiaUviZNs0cBz1kg5kVS2UKUfNIx8YVs1cN3AV7NTctO5FOKBA+UT2BPJIWZauYHPqJODG50cg==} @@ -7801,9 +7797,7 @@ snapshots: transitivePeerDependencies: - supports-color - '@babel/runtime@7.26.7': - dependencies: - regenerator-runtime: 0.14.1 + '@babel/runtime@7.29.2': {} '@babel/template@7.27.2': dependencies: @@ -10317,12 +10311,12 @@ snapshots: '@tailwindcss/node': 4.0.15 '@tailwindcss/oxide': 4.0.15 lightningcss: 1.29.2 - postcss: 8.5.3 + postcss: 8.5.14 tailwindcss: 4.0.15 '@tanem/svg-injector@10.1.68': dependencies: - '@babel/runtime': 7.26.7 + '@babel/runtime': 7.29.2 content-type: 1.0.5 tslib: 2.8.1 @@ -10552,7 +10546,7 @@ snapshots: '@vue/shared': 3.5.13 estree-walker: 2.0.2 magic-string: 0.30.17 - postcss: 8.5.3 + postcss: 8.5.14 source-map-js: 1.2.1 '@vue/compiler-ssr@3.5.13': @@ -12072,7 +12066,7 @@ snapshots: fumadocs-ui: 15.2.11(@types/react-dom@19.0.4(@types/react@19.0.12))(@types/react@19.0.12)(next@15.5.18(@babel/core@7.27.4)(react-dom@19.0.0(react@19.0.0))(react@19.0.0))(react-dom@19.0.0(react@19.0.0))(react@19.0.0)(tailwindcss@4.0.15) mdast-util-from-markdown: 2.0.2 mdast-util-gfm: 3.1.0 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 react: 19.0.0 shiki: 2.5.0 tailwind-merge: 3.0.2 @@ -12378,7 +12372,7 @@ snapshots: hast-util-from-parse5: 8.0.2 hast-util-to-parse5: 8.0.0 html-void-elements: 3.0.0 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 parse5: 7.2.1 unist-util-position: 5.0.0 unist-util-visit: 5.0.0 
@@ -12439,7 +12433,7 @@ snapshots: comma-separated-tokens: 2.0.3 hast-util-whitespace: 3.0.0 html-void-elements: 3.0.0 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 property-information: 7.0.0 space-separated-tokens: 2.0.2 stringify-entities: 4.0.4 @@ -12809,7 +12803,7 @@ snapshots: json-schema-to-ts@3.1.1: dependencies: - '@babel/runtime': 7.26.7 + '@babel/runtime': 7.29.2 ts-algebra: 2.0.0 json-schema-traverse@0.4.1: {} @@ -13149,7 +13143,7 @@ snapshots: '@types/mdast': 4.0.4 unist-util-is: 6.0.0 - mdast-util-to-hast@13.2.0: + mdast-util-to-hast@13.2.1: dependencies: '@types/hast': 3.0.4 '@types/mdast': 4.0.4 @@ -13529,7 +13523,7 @@ snapshots: ms@2.1.3: {} - nanoid@3.3.8: {} + nanoid@3.3.12: {} nanoid@5.0.9: {} @@ -13558,7 +13552,7 @@ snapshots: '@next/env': 15.5.18 '@swc/helpers': 0.5.15 caniuse-lite: 1.0.30001722 - postcss: 8.4.31 + postcss: 8.5.14 react: 19.0.0 react-dom: 19.0.0(react@19.0.0) styled-jsx: 5.1.6(@babel/core@7.27.4)(react@19.0.0) @@ -13872,15 +13866,9 @@ snapshots: cssesc: 3.0.0 util-deprecate: 1.0.2 - postcss@8.4.31: + postcss@8.5.14: dependencies: - nanoid: 3.3.8 - picocolors: 1.1.1 - source-map-js: 1.2.1 - - postcss@8.5.3: - dependencies: - nanoid: 3.3.8 + nanoid: 3.3.12 picocolors: 1.1.1 source-map-js: 1.2.1 @@ -13969,7 +13957,7 @@ snapshots: react-error-boundary@6.0.0(react@19.0.0): dependencies: - '@babel/runtime': 7.26.7 + '@babel/runtime': 7.29.2 react: 19.0.0 react-hook-form@7.54.2(react@19.0.0): @@ -13990,7 +13978,7 @@ snapshots: devlop: 1.1.0 hast-util-to-jsx-runtime: 2.3.6 html-url-attributes: 3.0.1 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 react: 19.0.0 remark-parse: 11.0.0 remark-rehype: 11.1.2 @@ -14007,7 +13995,7 @@ snapshots: devlop: 1.1.0 hast-util-to-jsx-runtime: 2.3.6 html-url-attributes: 3.0.1 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 react: 19.0.0 remark-parse: 11.0.0 remark-rehype: 11.1.2 
@@ -14051,7 +14039,7 @@ snapshots: react-svg@16.3.0(react-dom@19.0.0(react@19.0.0))(react@19.0.0): dependencies: - '@babel/runtime': 7.26.7 + '@babel/runtime': 7.29.2 '@tanem/svg-injector': 10.1.68 '@types/prop-types': 15.7.14 prop-types: 15.8.1 @@ -14060,7 +14048,7 @@ snapshots: react-textarea-autosize@8.5.7(@types/react@19.0.12)(react@19.0.0): dependencies: - '@babel/runtime': 7.26.7 + '@babel/runtime': 7.29.2 react: 19.0.0 use-composed-ref: 1.4.0(@types/react@19.0.12)(react@19.0.0) use-latest: 1.3.0(@types/react@19.0.12)(react@19.0.0) @@ -14129,8 +14117,6 @@ snapshots: regenerate@1.4.2: {} - regenerator-runtime@0.14.1: {} - regex-recursion@6.0.2: dependencies: regex-utilities: 2.3.0 @@ -14274,7 +14260,7 @@ snapshots: dependencies: '@types/hast': 3.0.4 '@types/mdast': 4.0.4 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 unified: 11.0.5 vfile: 6.0.3 @@ -14282,7 +14268,7 @@ snapshots: dependencies: '@types/hast': 3.0.4 '@types/mdast': 4.0.4 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 unified: 11.0.5 vfile: 6.0.3 @@ -14298,7 +14284,7 @@ snapshots: '@types/mdast': 4.0.4 github-slugger: 2.0.0 hosted-git-info: 7.0.2 - mdast-util-to-hast: 13.2.0 + mdast-util-to-hast: 13.2.1 mdast-util-to-string: 4.0.0 propose: 0.0.5 trough: 2.2.0 @@ -14391,7 +14377,7 @@ snapshots: htmlparser2: 8.0.2 is-plain-object: 5.0.0 parse-srcset: 1.0.2 - postcss: 8.5.3 + postcss: 8.5.14 sax@1.4.1: {}