[PR #289] [MERGED] chore: bump npm overrides to patch HIGH CVEs (xmldom, devalue, kysely, fast-uri, fast-xml-builder) #2921

Closed
opened 2026-05-17 19:23:36 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/289
Author: @arunavo4
Created: 5/16/2026
Status: Merged
Merged: 5/16/2026
Merged by: @arunavo4

Base: main ← Head: chore/bump-npm-cve-overrides


📝 Commits (1)

  • b8a52f3 chore: bump npm overrides to patch HIGH-severity CVEs

📊 Changes

2 files changed (+19 additions, -11 deletions)

📝 bun.lock (+14 -8)
📝 package.json (+5 -3)

📄 Description

Summary

Patches 9 Docker Scout HIGH-severity alerts surfaced by the weekly image scan. All are transitive npm deps with fixed versions published upstream; pinning via overrides in package.json is the standard fix.

| Package | Before | After | CVEs |
|---|---|---|---|
| @xmldom/xmldom | ^0.8.12 (override) | ^0.8.13 | CVE-2026-41672, 41673, 41674, 41675 |
| devalue | ^5.6.4 (override) | ^5.8.1 | CVE-2026-42570 |
| kysely | ^0.28.16 (override) | ^0.28.17 | CVE-2026-44635 |
| fast-uri | 3.1.0 (no override) | ^3.1.2 (added) | CVE-2026-6321, 6322 |
| fast-xml-builder | 1.1.4 (no override) | ^1.1.7 (added) | CVE-2026-44665 |

After bun install, all five resolve to fixed versions:

@xmldom/xmldom@0.8.13
devalue@5.8.1
fast-uri@3.1.2
fast-xml-builder@1.2.0
kysely@0.28.17

Out of scope

The remaining open Docker Scout alerts are not addressable via npm:

  • git-lfs Go stdlib (5 CVEs) — needs the git-lfs binary in the Dockerfile bumped to a release built with Go ≥1.25.10.
  • gnutls28 (4 CVEs) — Debian shows "not fixed" upstream; nothing to do here yet.
  • nghttp2 (1 CVE) — fix is in Debian; base image rebuild will pick it up on the next bun:debian bump.

Test plan

  • [x] bun install — lockfile updated
  • [x] bun pm ls --all — verified resolved versions match the table above
  • [x] bun test — 243 pass, 4 skip, 0 fail
  • [x] bunx --bun astro build — completes cleanly
  • [ ] CI re-runs the same checks

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

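The test plan's "bun pm ls --all" step checks by eye that every overridden package resolved at or above its fixed version. The script below is an added example, not code from this PR or from the gitea-mirror project, that does the same comparison in code so it can gate CI: it takes the "After" floors from the table above, parses a flat list of name@version lines in the shape the PR prints (real bun pm ls output has tree prefixes and would need a small adjustment, which is an assumption here), and reports any package that is missing or still below its floor. It also catches the case a visual check can miss: the same package resolved twice, once patched and once not, because a second dependency pinned the old range. The sample input is constructed for the demo; the stale fast-uri@3.1.0 line is invented to show the detection.

```javascript
// Added example (not part of the PR): verify that every package pinned via
// package.json "overrides" actually resolved to a version >= the fixed one.

// Minimum fixed versions, taken from the PR's "After" column. The caret
// ranges there are floors: anything at or above the floor is acceptable.
const MIN_FIXED = {
  "@xmldom/xmldom": "0.8.13",
  "devalue": "5.8.1",
  "kysely": "0.28.17",
  "fast-uri": "3.1.2",
  "fast-xml-builder": "1.1.7",
};

// Parse "a.b.c" (optionally "-prerelease" and "+build") into its parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two semver strings: negative if a < b, 0 if equal, positive if a > b.
// A prerelease sorts below the same release (1.0.0-rc.1 < 1.0.0).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Parse "name@version" lines into { name: [versions] }. Scoped names start
// with "@", so the LAST "@" is the name/version separator. The same package
// can resolve to several versions in one tree, so every version is kept.
function parseResolved(text) {
  const out = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const at = line.lastIndexOf("@");
    if (at <= 0) continue;
    const name = line.slice(0, at), version = line.slice(at + 1);
    if (!out[name]) out[name] = [];
    out[name].push(version);
  }
  return out;
}

// One finding per (package, version) that is absent from the resolved tree
// or still below its floor. An empty array means the overrides took effect.
function findUnpatched(resolvedText, minFixed = MIN_FIXED) {
  const resolved = parseResolved(resolvedText);
  const findings = [];
  for (const [name, floor] of Object.entries(minFixed)) {
    const versions = resolved[name];
    if (!versions) { findings.push({ name, version: null, floor }); continue; }
    for (const v of versions) {
      if (compareVersions(v, floor) < 0) findings.push({ name, version: v, floor });
    }
  }
  return findings;
}

// Constructed sample: the resolved list the PR shows, plus an invented stale
// duplicate of fast-uri that a second dependency still pulled in.
const SAMPLE_RESOLVED = `
@xmldom/xmldom@0.8.13
devalue@5.8.1
fast-uri@3.1.2
fast-uri@3.1.0
fast-xml-builder@1.2.0
kysely@0.28.17
`;

for (const f of findUnpatched(SAMPLE_RESOLVED)) {
  console.log(`${f.name}: resolved ${f.version ?? "(missing)"}, need >= ${f.floor}`);
}
```

In CI the script would be fed the real resolved list and fail the job when findUnpatched returns anything. The duplicate-version case is the one worth keeping in mind with overrides: an override rewrites the range for every consumer, so after bun install there should be exactly one resolved copy of each patched package; a second, older copy means the override key did not match (for example a scoped name written without its scope) and the CVE is still shipped.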
GiteaMirror added the pull-request label 2026-05-17 19:23:36 -05:00

Reference: github-starred/gitea-mirror#2921