From 25c484b17ad0ab4ed0ded7ae91f32625d99f9ccc Mon Sep 17 00:00:00 2001
From: Charly Gomez
Date: Thu, 5 Mar 2026 12:50:19 +0100
Subject: [PATCH 1/3] fix(deps): bump svgo to 4.0.1 to fix DoS via entity expansion

Fixes Dependabot alert #1132 (CVE-2026-29074).

Co-Authored-By: Claude Opus 4.6
---
 yarn.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index 8775d581946c..ef6d7d770374 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -28192,9 +28192,9 @@ svelte@^4.2.8:
 periscopic "^3.1.0"
 
 svgo@^4.0.0:
- version "4.0.0"
- resolved "https://registry.yarnpkg.com/svgo/-/svgo-4.0.0.tgz#17e0fa2eaccf429e0ec0d2179169abde9ba8ad3d"
- integrity sha512-VvrHQ+9uniE+Mvx3+C9IEe/lWasXCU0nXMY2kZeLrHNICuRiC8uMPyM14UEaMOFA5mhyQqEkB02VoQ16n3DLaw==
+ version "4.0.1"
+ resolved "https://registry.yarnpkg.com/svgo/-/svgo-4.0.1.tgz"
+ integrity sha512-XDpWUOPC6FEibaLzjfe0ucaV0YrOjYotGJO1WpF0Zd+n6ZGEQUsSugaoLq9QkEZtAfQIxT42UChcssDVPP3+/w==
 dependencies:
 commander "^11.1.0"
 css-select "^5.1.0"
@@ -28202,7 +28202,7 @@ svgo@^4.0.0:
 css-what "^6.1.0"
 csso "^5.0.5"
 picocolors "^1.1.1"
- sax "^1.4.1"
+ sax "^1.5.0"
 
 swr@^2.2.5:
 version "2.2.5"

From d131f1a10428f894a9a5fd621c4210ea7a02f24a Mon Sep 17 00:00:00 2001
From: Charly Gomez
Date: Thu, 5 Mar 2026 14:49:12 +0100
Subject: [PATCH 2/3] .

---
 yarn.lock | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index ef6d7d770374..5fbef7897ef0 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -26629,11 +26629,16 @@ sass@^1.49.9:
 immutable "^4.0.0"
 source-map-js ">=0.6.2 <2.0.0"
 
-sax@^1.2.4, sax@^1.4.1:
+sax@^1.2.4:
 version "1.4.4"
 resolved "https://registry.yarnpkg.com/sax/-/sax-1.4.4.tgz#f29c2bba80ce5b86f4343b4c2be9f2b96627cf8b"
 integrity sha512-1n3r/tGXO6b6VXMdFT54SHzT9ytu9yr7TaELowdYpMqY/Ao7EnlQGmAQ1+RatX7Tkkdm6hONI2owqNx2aZj5Sw==
 
+sax@^1.5.0:
+ version "1.5.0"
+ resolved "https://registry.yarnpkg.com/sax/-/sax-1.5.0.tgz#b5549b671069b7aa392df55ec7574cf411179eb8"
+ integrity sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==
+
 sax@~1.2.4:
 version "1.2.4"
 resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.4.tgz#2816234e2378bddc4e5354fab5caa895df7100d9"
@@ -28096,7 +28101,6 @@ stylus@0.59.0, stylus@^0.59.0:
 
 sucrase@^3.27.0, sucrase@^3.35.0, sucrase@getsentry/sucrase#es2020-polyfills:
 version "3.36.0"
- uid fd682f6129e507c00bb4e6319cc5d6b767e36061
 resolved "https://codeload.github.com/getsentry/sucrase/tar.gz/fd682f6129e507c00bb4e6319cc5d6b767e36061"
 dependencies:
 "@jridgewell/gen-mapping" "^0.3.2"

From c75df1a2f338ad8439924834bc12034fcabbb769 Mon Sep 17 00:00:00 2001
From: Charly Gomez
Date: Thu, 5 Mar 2026 15:02:01 +0100
Subject: [PATCH 3/3] fix(deps): deduplicate sax in lockfile after svgo bump

Co-Authored-By: Claude Opus 4.6
---
 yarn.lock | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index 5fbef7897ef0..b58035d4c568 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -26629,12 +26629,7 @@ sass@^1.49.9:
 immutable "^4.0.0"
 source-map-js ">=0.6.2 <2.0.0"
 
-sax@^1.2.4:
- version "1.4.4"
- resolved "https://registry.yarnpkg.com/sax/-/sax-1.4.4.tgz#f29c2bba80ce5b86f4343b4c2be9f2b96627cf8b"
- integrity sha512-1n3r/tGXO6b6VXMdFT54SHzT9ytu9yr7TaELowdYpMqY/Ao7EnlQGmAQ1+RatX7Tkkdm6hONI2owqNx2aZj5Sw==
-
-sax@^1.5.0:
+sax@^1.2.4, sax@^1.5.0:
 version "1.5.0"
 resolved "https://registry.yarnpkg.com/sax/-/sax-1.5.0.tgz#b5549b671069b7aa392df55ec7574cf411179eb8"
 integrity sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==