diff --git a/ui/CHANGELOG.md b/ui/CHANGELOG.md
index 3de8c46d56..2cb9f92fcb 100644
--- a/ui/CHANGELOG.md
+++ b/ui/CHANGELOG.md
@@ -17,6 +17,7 @@ All notable changes to the **Prowler UI** are documented in this file.
 ### 🔐 Security
 - Bump vulnerable `Next.js`, React, AI SDK, `postcss`, `hono`, `qs`, `esbuild`, and Alpine OpenSSL packages (`libcrypto3` and `libssl3`) [(#11581)](https://github.com/prowler-cloud/prowler/pull/11581)
+- Bump transitive `dompurify` from 3.4.2 to 3.4.10, patching XSS sanitization bypass advisories [(#11636)](https://github.com/prowler-cloud/prowler/pull/11636)
 ---
diff --git a/ui/pnpm-lock.yaml b/ui/pnpm-lock.yaml
index 6a5e7bb464..6ca6ac4003 100644
--- a/ui/pnpm-lock.yaml
+++ b/ui/pnpm-lock.yaml
@@ -29,6 +29,7 @@ overrides:
 qs: 6.15.2
 express-rate-limit: 8.5.1
 uuid: 11.1.1
+ dompurify: 3.4.10
 importers:
@@ -5593,8 +5594,8 @@ packages:
 dom-helpers@5.2.1:
 resolution: {integrity: sha512-nRCa7CK3VTrM2NmGkIy4cbK7IZlgBE/PYMn55rrXefr5xXDP0LdtfPnblFDoVdcAfslJ7or6iqAUnx0CCGIWQA==}
- dompurify@3.4.2:
- resolution: {integrity: sha512-lHeS9SA/IKeIFFyYciHBr2n0v1VMPlSj843HdLOwjb2OxNwdq9Xykxqhk+FE42MzAdHvInbAolSE4mhahPpjXA==}
+ dompurify@3.4.10:
+ resolution: {integrity: sha512-0xzNv0e7oYC6yyuOGZIABPM4qtg3QxLFniDNPP4ZP90wR8Yq3zgwpRbrNiT4N3IKqDbbYFEJLV+JWEs19aZ//w==}
 dotenv-expand@12.0.3:
 resolution: {integrity: sha512-uc47g4b+4k/M/SeaW1y4OApx+mtLWl92l5LMPP0GNXctZqELk+YGgOPIIC5elYmUH4OuoK3JLhuRUYegeySiFA==}
@@ -15168,7 +15169,7 @@ snapshots:
 '@babel/runtime': 7.28.6
 csstype: 3.2.3
- dompurify@3.4.2:
+ dompurify@3.4.10:
 optionalDependencies:
 '@types/trusted-types': 2.0.7
@@ -16682,7 +16683,7 @@ snapshots:
 d3-sankey: 0.12.3
 dagre-d3-es: 7.0.14
 dayjs: 1.11.19
- dompurify: 3.4.2
+ dompurify: 3.4.10
 es-toolkit: 1.46.1
 katex: 0.16.27
 khroma: 2.1.0
diff --git a/ui/pnpm-workspace.yaml b/ui/pnpm-workspace.yaml
index f3e525fc03..3db3cc19e3 100644
--- a/ui/pnpm-workspace.yaml
+++ b/ui/pnpm-workspace.yaml
@@ -45,6 +45,10 @@ overrides:
 # use the random v4 generator only, so the bug isn't reachable in practice,
 # but the override unifies the tree on a patched version.
 "uuid": "11.1.1"
+ # GHSA-vxr8-fq34-vvx9 (+ several related XSS sanitization bypasses): DOMPurify < 3.4.9,
+ # pulled in transitively via streamdown > mermaid (which wants ^3.3.1). Pinned to 3.4.10
+ # (fixes all open advisories; 3.4.11 is < 24h old and blocked by minimumReleaseAge).
+ "dompurify": "3.4.10"
 # --- Level 1: Minimum Release Age ---
 # Packages must be published for at least 1 day before they can be installed.
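Review bot: The new comment above the `"dompurify"` override ties its rationale to a moment in time (`3.4.11 is < 24h old and blocked by minimumReleaseAge`), which is stale within a day and gives no exit condition for an exact pin on a sanitizer whose advisory history, per the comment itself, already includes several related bypasses. Because an `overrides` entry freezes the transitive version regardless of what streamdown/mermaid later request, the tree will presumably stay on 3.4.10 after newer releases clear the release-age window unless someone remembers to revisit it. I would replace the third comment line with `# Exact pin: later dompurify releases are NOT picked up automatically. Bump this override when a new advisory lands, and drop it once mermaid's own range requires >= 3.4.9.` The `overrides:` mapping this hunk edits begins before the hunk, so the other pinned entries it should stay consistent with are out of view here.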