From d7e7025624ba66459515778c0724a58397a5f1b4 Mon Sep 17 00:00:00 2001
From: Laurin
Date: Thu, 16 Apr 2026 11:04:18 +0200
Subject: [PATCH] fix: vulnerabilities 2026-04-16 (#7988)
---
.changeset/breezy-signs-fly.md | 5 ++
.changeset/pretty-peaches-stick.md | 5 ++
package.json | 2 -
.../external-composition/package.json | 2 +-
packages/services/cdn-worker/package.json | 2 +-
packages/services/commerce/package.json | 2 +-
packages/services/policy/package.json | 2 +-
packages/services/schema/package.json | 2 +-
packages/services/server/package.json | 2 +-
packages/services/service-common/package.json | 2 +-
packages/services/tokens/package.json | 2 +-
packages/web/app/package.json | 4 +-
pnpm-lock.yaml | 60 +++++++++----------
13 files changed, 49 insertions(+), 43 deletions(-)
create mode 100644 .changeset/breezy-signs-fly.md
create mode 100644 .changeset/pretty-peaches-stick.md
diff --git a/.changeset/breezy-signs-fly.md b/.changeset/breezy-signs-fly.md
new file mode 100644
index 000000000..82bbfe9d5
--- /dev/null
+++ b/.changeset/breezy-signs-fly.md
@@ -0,0 +1,5 @@
+---
+'hive': patch
+---
+
+Address vulnerability [GHSA-247c-9743-5963](https://github.com/advisories/GHSA-247c-9743-5963).
diff --git a/.changeset/pretty-peaches-stick.md b/.changeset/pretty-peaches-stick.md
new file mode 100644
index 000000000..497ad5bc3
--- /dev/null
+++ b/.changeset/pretty-peaches-stick.md
@@ -0,0 +1,5 @@
+---
+'hive': patch
+---
+
+Address vulnerability [GHSA-39q2-94rc-95cp](https://github.com/advisories/GHSA-39q2-94rc-95cp).
diff --git a/package.json b/package.json
index 776dffaa7..f7593d6a9 100644
--- a/package.json
+++ b/package.json
@@ -125,7 +125,6 @@
 "overrides.fast-xml-parser@5.x.x": "address https://github.com/graphql-hive/console/security/dependabot/576",
 "overrides.minimatch@10.x.x": "address https://github.com/graphql-hive/console/security/dependabot/505",
 "overrides.qs@<6.14.2": "address https://github.com/graphql-hive/console/security/dependabot/499",
- "overrides.dompurify@3.x.x": "address https://github.com/graphql-hive/console/security/dependabot/536",
 "overrides.ajv@8.x.x": "address https://github.com/graphql-hive/console/security/dependabot/507",
 "overrides.yauzl@2.x.x": "address https://github.com/graphql-hive/console/security/dependabot/542",
 "overrides.path-to-regexp@0.x.x": "address https://github.com/graphql-hive/console/security/dependabot/619",
@@ -161,7 +160,6 @@
 "minimatch@3.x.x": "^3.1.3",
 "minimatch@4.x.x": "^4.2.4",
 "qs@<6.14.2": "^6.14.2",
- "dompurify@3.x.x": "^3.3.2",
 "ajv@8.x.x": "^8.18.0",
 "yauzl@2.x.x": "^3.2.1",
 "glob@10.x.x": "^10.5.0",
diff --git a/packages/libraries/external-composition/package.json b/packages/libraries/external-composition/package.json
index 1036a951a..7459f08c0 100644
--- a/packages/libraries/external-composition/package.json
+++ b/packages/libraries/external-composition/package.json
@@ -63,7 +63,7 @@
 "@apollo/composition": "2.13.2",
 "@types/node": "24.12.2",
 "esbuild": "0.25.9",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "graphql": "16.9.0"
 },
 "publishConfig": {
diff --git a/packages/services/cdn-worker/package.json b/packages/services/cdn-worker/package.json
index 23429f8e4..b6bb8a09b 100644
--- a/packages/services/cdn-worker/package.json
+++ b/packages/services/cdn-worker/package.json
@@ -23,7 +23,7 @@
 "bcryptjs": "2.4.3",
 "dotenv": "16.4.7",
 "esbuild": "0.25.9",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "graphql": "16.9.0",
 "itty-router": "4.2.2",
 "itty-router-extras": "0.4.6",
diff --git a/packages/services/commerce/package.json b/packages/services/commerce/package.json
index 0a2a5f7da..a39bcddef 100644
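Review bot: The second hunk (`@@ -161,7 +160,6 @@`) drops the `"dompurify@3.x.x"` override instead of raising it, and the first hunk removes its `overrides.dompurify@3.x.x` rationale entry, so transitive dependencies that declare their own dompurify 3.x range are no longer held to a floor; only the direct dependency in packages/web/app is bumped to 3.4.0. The pnpm-lock.yaml hunks in this patch show a single `dompurify@3.4.0` package entry, so every current resolution appears to land on the version the commit treats as patched, but a future transitive consumer could reintroduce an older 3.x without anything in the root manifest preventing it. If the removal is intentional (for example because the override is superseded by the direct pin), stating that in the commit description would help the next reader; otherwise keeping `"dompurify@3.x.x": "^3.4.0"` with the rationale key updated to reference the advisory would preserve the floor.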
--- a/packages/services/commerce/package.json
+++ b/packages/services/commerce/package.json
@@ -19,7 +19,7 @@
 "@trpc/server": "10.45.3",
 "date-fns": "4.1.0",
 "dotenv": "16.4.7",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "pino-pretty": "11.3.0",
 "reflect-metadata": "0.2.2",
 "stripe": "17.5.0",
diff --git a/packages/services/policy/package.json b/packages/services/policy/package.json
index 9a3077b51..8fe8e7f9a 100644
--- a/packages/services/policy/package.json
+++ b/packages/services/policy/package.json
@@ -18,7 +18,7 @@
 "ajv": "8.18.0",
 "dotenv": "16.4.7",
 "eslint": "8.57.1",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "graphql": "16.9.0",
 "pino-pretty": "11.3.0",
 "zod": "3.25.76",
diff --git a/packages/services/schema/package.json b/packages/services/schema/package.json
index 21268f3e8..54d87f7bd 100644
--- a/packages/services/schema/package.json
+++ b/packages/services/schema/package.json
@@ -21,7 +21,7 @@
 "@types/ioredis-mock": "8.2.5",
 "dotenv": "16.4.7",
 "fast-json-stable-stringify": "2.1.0",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "fastq": "1.19.1",
 "got": "14.4.7",
 "graphql": "16.9.0",
diff --git a/packages/services/server/package.json b/packages/services/server/package.json
index 94b307c11..a0fc2cb50 100644
--- a/packages/services/server/package.json
+++ b/packages/services/server/package.json
@@ -44,7 +44,7 @@
 "@trpc/server": "10.45.3",
 "@whatwg-node/server": "0.10.17",
 "dotenv": "16.4.7",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "got": "14.4.7",
 "graphql": "16.9.0",
 "graphql-yoga": "5.13.3",
diff --git a/packages/services/service-common/package.json b/packages/services/service-common/package.json
index 4245000b7..734decab3 100644
--- a/packages/services/service-common/package.json
+++ b/packages/services/service-common/package.json
@@ -29,7 +29,7 @@
 "@sentry/node": "7.120.2",
 "@sentry/types": "7.120.2",
 "@sentry/utils": "7.120.2",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "fastify-plugin": "5.1.0",
 "opentelemetry-instrumentation-fetch-node": "1.2.3",
 "p-retry": "6.2.1",
diff --git a/packages/services/tokens/package.json b/packages/services/tokens/package.json
index 8e1c65882..45d6da7cd 100644
--- a/packages/services/tokens/package.json
+++ b/packages/services/tokens/package.json
@@ -19,7 +19,7 @@
 "@trpc/server": "10.45.3",
 "@types/ms": "0.7.34",
 "dotenv": "16.4.7",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "ioredis": "5.8.2",
 "lru-cache": "11.0.2",
 "ms": "2.1.3",
diff --git a/packages/web/app/package.json b/packages/web/app/package.json
index be99eb2d3..7090cd09e 100644
--- a/packages/web/app/package.json
+++ b/packages/web/app/package.json
@@ -96,11 +96,11 @@
 "crypto-js": "^4.2.0",
 "date-fns": "4.1.0",
 "date-fns-tz": "3.2.0",
- "dompurify": "3.3.2",
+ "dompurify": "3.4.0",
 "dotenv": "16.4.7",
 "echarts": "5.6.0",
 "echarts-for-react": "3.0.2",
- "fastify": "5.8.3",
+ "fastify": "5.8.5",
 "formik": "2.4.6",
 "framer-motion": "11.18.2",
 "graphiql": "4.0.0-alpha.5",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1e4d4692c..7b3912942 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -36,7 +36,6 @@ overrides:
 minimatch@3.x.x: ^3.1.3
 minimatch@4.x.x: ^4.2.4
 qs@<6.14.2: ^6.14.2
- dompurify@3.x.x: ^3.3.2
 ajv@8.x.x: ^8.18.0
 yauzl@2.x.x: ^3.2.1
 glob@10.x.x: ^10.5.0
@@ -664,8 +663,8 @@ importers:
 specifier: 0.25.9
 version: 0.25.9
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 graphql:
 specifier: 16.9.0
 version: 16.9.0
@@ -1331,8 +1330,8 @@ importers:
 specifier: 0.25.9
 version: 0.25.9
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 graphql:
 specifier: 16.9.0
 version: 16.9.0
@@ -1385,8 +1384,8 @@ importers:
 specifier: 16.4.7
 version: 16.4.7
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 pino-pretty:
 specifier: 11.3.0
 version: 11.3.0
@@ -1476,8 +1475,8 @@ importers:
 specifier: 8.57.1
 version: 8.57.1(patch_hash=08d9d41d21638cb74d0f9f34877a8839601a4e5a8263066ff23e7032addbcba0)
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 graphql:
 specifier: 16.9.0
 version: 16.9.0
@@ -1530,8 +1529,8 @@ importers:
 specifier: 2.1.0
 version: 2.1.0
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 fastq:
 specifier: 1.19.1
 version: 1.19.1
@@ -1659,8 +1658,8 @@ importers:
 specifier: 16.4.7
 version: 16.4.7
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 got:
 specifier: 14.4.7
 version: 14.4.7(patch_hash=f7660444905ddadee251ff98241119fb54f5fec1e673a428192da361d5636299)
@@ -1753,8 +1752,8 @@ importers:
 specifier: 7.120.2
 version: 7.120.2
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 fastify-plugin:
 specifier: 5.1.0
 version: 5.1.0
@@ -1846,8 +1845,8 @@ importers:
 specifier: 16.4.7
 version: 16.4.7
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 ioredis:
 specifier: 5.8.2
 version: 5.8.2
@@ -2093,7 +2092,7 @@ importers:
 version: 9.0.0
 '@fastify/vite':
 specifier: 8.4.1
- version: 8.4.1(patch_hash=e8a5462aec0a3469c38194575103f133a08f9b9e5031545d44661a12b80e4b0a)(fastify@5.8.3)(vite@7.3.2(@types/node@25.5.0)(jiti@2.6.1)(less@4.2.0)(lightningcss@1.31.1)(terser@5.37.0)(tsx@4.19.2)(yaml@2.8.3))
+ version: 8.4.1(patch_hash=e8a5462aec0a3469c38194575103f133a08f9b9e5031545d44661a12b80e4b0a)(fastify@5.8.5)(vite@7.3.2(@types/node@25.5.0)(jiti@2.6.1)(less@4.2.0)(lightningcss@1.31.1)(terser@5.37.0)(tsx@4.19.2)(yaml@2.8.3))
 '@graphiql/plugin-explorer':
 specifier: 4.0.0-alpha.2
 version: 4.0.0-alpha.2(@graphiql/react@1.0.0-alpha.4(patch_hash=1018befc9149cbc43bc2bf8982d52090a580e68df34b46674234f4e58eb6d0a0)(@codemirror/language@6.10.2)(@types/node@25.5.0)(@types/react-dom@18.3.5(@types/react@18.3.18))(@types/react@18.3.18)(graphql-ws@5.16.1(graphql@16.9.0))(graphql@16.9.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(graphql@16.9.0)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
@@ -2323,8 +2322,8 @@ importers:
 specifier: 3.2.0
 version: 3.2.0(date-fns@4.1.0)
 dompurify:
- specifier: ^3.3.2
- version: 3.3.2
+ specifier: 3.4.0
+ version: 3.4.0
 dotenv:
 specifier: 16.4.7
 version: 16.4.7
@@ -2335,8 +2334,8 @@ importers:
 specifier: 3.0.2
 version: 3.0.2(echarts@5.6.0)(react@18.3.1)
 fastify:
- specifier: 5.8.3
- version: 5.8.3
+ specifier: 5.8.5
+ version: 5.8.5
 formik:
 specifier: 2.4.6
 version: 2.4.6(react@18.3.1)
@@ -12289,9 +12288,8 @@ packages:
 resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
 engines: {node: '>= 4'}

- dompurify@3.3.2:
- resolution: {integrity: sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==}
- engines: {node: '>=20'}
+ dompurify@3.4.0:
+ resolution: {integrity: sha512-nolgK9JcaUXMSmW+j1yaSvaEaoXYHwWyGJlkoCTghc97KgGDDSnpoU/PlEnw63Ah+TGKFOyY+X5LnxaWbCSfXg==}

 domutils@2.8.0:
 resolution: {integrity: sha512-w96Cjofp72M5IIhpjgobBimYEfoPjx1Vx0BSX9P30WBdZW2WIKU0T1Bd0kz2eNZ9ikjKgHbEyKx8BB6H1L3h3A==}
@@ -12940,8 +12938,8 @@ packages:
 fastify-plugin@5.1.0:
 resolution: {integrity: sha512-FAIDA8eovSt5qcDgcBvDuX/v0Cjz0ohGhENZ/wpc3y+oZCY2afZ9Baqql3g/lC+OHRnciQol4ww7tuthOb9idw==}

- fastify@5.8.3:
- resolution: {integrity: sha512-XJXpRQ41+rsJ/GLeP9vyDC+fBXilcTlEXokMSexkdEkla4uf7ZQNaI5xl3el+kW5TZQulqYxLr659ey/KX7XmQ==}
+ fastify@5.8.5:
+ resolution: {integrity: sha512-Yqptv59pQzPgQUSIm87hMqHJmdkb1+GPxdE6vW6FRyVE9G86mt7rOghitiU4JHRaTyDUk9pfeKmDeu70lAwM4Q==}

 fastq@1.19.1:
 resolution: {integrity: sha512-GwLTyxkCXjXbxqIhTsMI2Nui8huMPtnxg7krajPJAjnEG/iiOS7i+zCtWGZR9G0NBKbXKh6X9m9UIsYX/N6vvQ==}
@@ -22058,12 +22056,12 @@ snapshots:
 fastq: 1.19.1
 glob: 13.0.0

- '@fastify/vite@8.4.1(patch_hash=e8a5462aec0a3469c38194575103f133a08f9b9e5031545d44661a12b80e4b0a)(fastify@5.8.3)(vite@7.3.2(@types/node@25.5.0)(jiti@2.6.1)(less@4.2.0)(lightningcss@1.31.1)(terser@5.37.0)(tsx@4.19.2)(yaml@2.8.3))':
+ '@fastify/vite@8.4.1(patch_hash=e8a5462aec0a3469c38194575103f133a08f9b9e5031545d44661a12b80e4b0a)(fastify@5.8.5)(vite@7.3.2(@types/node@25.5.0)(jiti@2.6.1)(less@4.2.0)(lightningcss@1.31.1)(terser@5.37.0)(tsx@4.19.2)(yaml@2.8.3))':
 dependencies:
 '@fastify/deepmerge': 3.2.0
 '@fastify/middie': 9.3.1
 '@fastify/static': 9.0.0
- fastify: 5.8.3
+ fastify: 5.8.5
 fastify-plugin: 5.1.0
 fs-extra: 11.3.3
 html-rewriter-wasm: 0.4.1
@@ -33565,7 +33563,7 @@ snapshots:
 dependencies:
 domelementtype: 2.3.0

- dompurify@3.3.2:
+ dompurify@3.4.0:
 optionalDependencies:
 '@types/trusted-types': 2.0.7

@@ -34522,7 +34520,7 @@ snapshots:

 fastify-plugin@5.1.0: {}

- fastify@5.8.3:
+ fastify@5.8.5:
 dependencies:
 '@fastify/ajv-compiler': 4.0.5
 '@fastify/error': 4.2.0