fix(deps): bump undici and dompurify overrides for security advisories (#4684)

Raise the pnpm-workspace transitive overrides to the patched versions:

- undici >=7.24.0 -> >=7.28.0 <8 (resolves to 7.28.0). Fixes 7 advisories:
  WebSocket DoS, SOCKS5 cross-origin routing, SOCKS5 TLS bypass,
  Set-Cookie header injection, shared-cache info disclosure, response
  queue poisoning, and SameSite downgrade (GHSA undici < 7.28.0).
  Bounded below 8 to stay on the patched 7.x line and avoid an
  unvetted major bump (an open-ended range pulled undici 8.5.0).
- dompurify >=3.4.9 -> >=3.4.11 (resolves to 3.4.11). Fixes permanent
  ALLOWED_ATTR pollution via setConfig() (<= 3.4.10).

Verified: pnpm test, pnpm lint, pnpm build-web all pass; lockfile sweep
confirms no vulnerable undici/dompurify versions remain.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Huang Xin
2026-06-20 14:30:20 +08:00
committed by GitHub
parent 54d54791b0
commit 353d381427
2 changed files with 21 additions and 21 deletions
+19 -19
View File
@@ -11,10 +11,10 @@ overrides:
esbuild: '>=0.28.1 <0.29'
srvx: '>=0.11.13'
rollup: '>=4.59.0'
undici: '>=7.24.0'
undici: '>=7.28.0 <8'
flatted: '>=3.4.2'
body-parser: '>=2.2.1'
dompurify: '>=3.4.9'
dompurify: '>=3.4.11'
i18next-http-backend: '>=3.0.5'
picomatch: '>=4.0.4'
path-to-regexp: '>=8.4.0'
@@ -265,8 +265,8 @@ importers:
specifier: ^1.11.13
version: 1.11.20
dompurify:
specifier: '>=3.4.9'
version: 3.4.10
specifier: '>=3.4.11'
version: 3.4.11
fflate:
specifier: ^0.8.2
version: 0.8.2
@@ -596,8 +596,8 @@ importers:
specifier: ^2.8.16
version: 2.8.26
dompurify:
specifier: '>=3.4.9'
version: 3.4.10
specifier: '>=3.4.11'
version: 3.4.11
devDependencies:
'@types/chrome':
specifier: ^0.0.270
@@ -4997,8 +4997,8 @@ packages:
resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
engines: {node: '>= 4'}
dompurify@3.4.10:
resolution: {integrity: sha512-0xzNv0e7oYC6yyuOGZIABPM4qtg3QxLFniDNPP4ZP90wR8Yq3zgwpRbrNiT4N3IKqDbbYFEJLV+JWEs19aZ//w==}
dompurify@3.4.11:
resolution: {integrity: sha512-zhlUV12GsaRzMsf9q5M254YhA4+VuF0fG+QFqu6aYpoGlKtz+w8//jBcGVYBgQkR5GHjUomejY84AV+/uPbWdw==}
domutils@3.2.2:
resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==}
@@ -8050,8 +8050,8 @@ packages:
undici-types@6.21.0:
resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
undici@7.25.0:
resolution: {integrity: sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==}
undici@7.28.0:
resolution: {integrity: sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==}
engines: {node: '>=20.18.1'}
unenv@2.0.0-rc.24:
@@ -11939,7 +11939,7 @@ snapshots:
'@types/dompurify@3.2.0':
dependencies:
dompurify: 3.4.10
dompurify: 3.4.11
'@types/eslint-scope@3.7.7':
dependencies:
@@ -12992,7 +12992,7 @@ snapshots:
parse5: 7.3.0
parse5-htmlparser2-tree-adapter: 7.1.0
parse5-parser-stream: 7.1.2
undici: 7.25.0
undici: 7.28.0
whatwg-mimetype: 4.0.0
chokidar@3.6.0:
@@ -13577,7 +13577,7 @@ snapshots:
dependencies:
domelementtype: 2.3.0
dompurify@3.4.10:
dompurify@3.4.11:
optionalDependencies:
'@types/trusted-types': 2.0.7
@@ -14757,7 +14757,7 @@ snapshots:
saxes: 6.0.0
symbol-tree: 3.2.4
tough-cookie: 6.0.1
undici: 7.25.0
undici: 7.28.0
w3c-xmlserializer: 5.0.0
webidl-conversions: 8.0.1
whatwg-mimetype: 5.0.0
@@ -15193,7 +15193,7 @@ snapshots:
d3-sankey: 0.12.3
dagre-d3-es: 7.0.14
dayjs: 1.11.20
dompurify: 3.4.10
dompurify: 3.4.11
es-toolkit: 1.46.1
katex: 0.16.45
khroma: 2.1.0
@@ -15461,7 +15461,7 @@ snapshots:
dependencies:
'@cspotcode/source-map-support': 0.8.1
sharp: 0.34.5
undici: 7.25.0
undici: 7.28.0
workerd: 1.20260507.1
ws: 8.21.0
youch: 4.1.0-beta.10
@@ -15959,7 +15959,7 @@ snapshots:
'@posthog/core': 1.28.7
'@posthog/types': 1.373.2
core-js: 3.49.0
dompurify: 3.4.10
dompurify: 3.4.11
fflate: 0.4.8
preact: 10.29.1
query-selector-shadow-dom: 1.0.1
@@ -17178,7 +17178,7 @@ snapshots:
undici-types@6.21.0: {}
undici@7.25.0: {}
undici@7.28.0: {}
unenv@2.0.0-rc.24:
dependencies:
@@ -17527,7 +17527,7 @@ snapshots:
'@wdio/utils': 9.27.1
deepmerge-ts: 7.1.5
https-proxy-agent: 7.0.6
undici: 7.25.0
undici: 7.28.0
ws: 8.21.0
transitivePeerDependencies:
- bare-abort-controller
+2 -2
View File
@@ -28,10 +28,10 @@ overrides:
esbuild: '>=0.28.1 <0.29'
srvx: '>=0.11.13'
rollup: '>=4.59.0'
undici: '>=7.24.0'
undici: '>=7.28.0 <8'
flatted: '>=3.4.2'
body-parser: '>=2.2.1'
dompurify: '>=3.4.9'
dompurify: '>=3.4.11'
i18next-http-backend: '>=3.0.5'
picomatch: '>=4.0.4'
path-to-regexp: '>=8.4.0'