Skip to content

[-]:fix/patch stack overflow vulnerability#1871

Merged
jaaaaavier merged 3 commits intomainfrom
dependencies-update
Apr 1, 2026
Merged

[-]:fix/patch stack overflow vulnerability#1871
jaaaaavier merged 3 commits intomainfrom
dependencies-update

Conversation

@jaaaaavier
Copy link
Copy Markdown
Contributor

@jaaaaavier jaaaaavier commented Apr 1, 2026

Adds Yarn resolutions to force yaml@1.10.3 for the four packages that transitively pull in the vulnerable yaml@1.x:

  • @emotion/react
  • @emotion/styled
  • @svgr/webpack
  • react-select

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
website Ready Ready Preview, Comment Apr 1, 2026 3:07pm

@jaaaaavier jaaaaavier self-assigned this Apr 1, 2026
@jaaaaavier jaaaaavier added the dependencies Pull requests that update a dependency file label Apr 1, 2026
@jaaaaavier jaaaaavier requested a review from xabg2 April 1, 2026 07:50
xabg2
xabg2 reviewed Apr 1, 2026
View reviewed changes
package.json
Copy link
Copy Markdown
Collaborator

@xabg2 xabg2 Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about upgrading the package versions instead of adding them to resolutions? Can we do that or there is no new version for these packages that can fix that?

Copy link
Copy Markdown
Contributor Author

@jaaaaavier jaaaaavier Apr 1, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have been checking and upgrading isn't viable here @emotion/react, @emotion/styled, and react-select are already on their latest versions, no newer release that drops the yaml@1.x dependency. @svgr/webpack could be bumped from v6 to v8, but that's a major version with breaking changes, i prefer not doing for now.

Copy link
Copy Markdown
Collaborator

@xabg2 xabg2 Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect then

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 1, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@jaaaaavier jaaaaavier merged commit 40c23b7 into main Apr 1, 2026
10 checks passed
@jaaaaavier jaaaaavier deleted the dependencies-update branch April 1, 2026 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xabg2 xabg2 xabg2 approved these changes

Assignees

@jaaaaavier jaaaaavier

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jaaaaavier @xabg2