Conversation

@miguelcalderon
Contributor

Summary

This PR addresses security vulnerabilities identified by Dependabot.

Branch: miguel/vuln-deps-2026-01-13

Changes

  • Updated vite to patched versions across 8 web examples to fix server.fs.deny bypass vulnerabilities
  • Updated next from 14.1.4 to ^14.2.25 in signing-demo-complete to fix DoS and authorization bypass vulnerabilities

Packages Updated

Package | From              | To                | Examples Affected
vite    | ^5.0.x - ^6.3.5   | ^5.0.13 - ^6.4.1  | dws, multiple web examples
next    | 14.1.4            | ^14.2.25          | signing-demo-complete

Remaining Vulnerabilities

Some vulnerabilities remain unfixed due to breaking changes required:

  • qs (high) - arrayLimit bypass
  • glob (high) - CLI command injection
  • multer (high) - DoS via memory leaks
  • Various medium/low severity issues in transitive dependencies

These require manual review to determine if the breaking changes are acceptable.

Notes

  • Overrides/resolutions added to pin transitive dependencies
  • No functionality changes, only dependency version updates

Addresses 10 high/critical vulnerabilities identified by Dependabot.
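An added example, not code from this PR or the PSPDFKit repository: a small audit over a package-lock.json (lockfile v2/v3 "packages" map) that checks every installed copy of vite and next, including nested copies under a dependency's own node_modules, against the patched floors the PR lists (vite ^5.0.13 / ^6.4.1, next ^14.2.25). The sample lock, the package names other than vite/next and the version strings are constructed for illustration.

```javascript
// Patched floors per major, taken from the PR description above.
// Majors not listed here are reported as unassessed rather than guessed.
const PATCHED_FLOORS = {
  vite: { 5: "5.0.13", 6: "6.4.1" },
  next: { 14: "14.2.25" },
};

// Compare dotted numeric versions; a pre-release suffix is ignored (assumption: enough for this check).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk every entry in the lock's "packages" map. The key is the install path, so a nested copy
// such as node_modules/some-plugin/node_modules/vite is checked just like the top-level one;
// those nested copies are exactly what an "overrides"/"resolutions" pin is meant to force.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const floors = PATCHED_FLOORS[name];
    if (!floors) continue;
    const major = Number(entry.version.split(".")[0]);
    const floor = floors[major];
    const status =
      floor === undefined ? "unassessed-major"
      : compareVersions(entry.version, floor) >= 0 ? "patched" : "vulnerable";
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

function vulnerableEntries(lock) {
  return auditLock(lock).filter((f) => f.status === "vulnerable");
}

// Constructed sample: the top-level vite is patched, but a nested copy pulled in by a
// hypothetical plugin is still below the floor and would be missed by checking the root only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/vite": { version: "6.4.1" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/vite": { version: "5.0.12" },
    "node_modules/next": { version: "14.2.25" },
  },
};
```

Run it against a real lock with `auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; any `vulnerable` finding under a nested path means the override did not take effect for that subtree.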
@miguelcalderon miguelcalderon self-assigned this Jan 13, 2026
@miguelcalderon miguelcalderon requested a review from a team January 13, 2026 09:23
Update all Vite-based examples to latest versions:
- vite: ^7.3.1 (from various 5.x/6.x/7.1.x versions)
- @vitejs/plugin-react: ^5.1.2 (from various 4.x/5.0.x versions)
- Remove all vite override sections

Tested examples - 10/13 build successfully:
- watermark-annotations ✅
- multi-tab ✅
- mixpanel-web-analytics ✅
- clientside-digital-sigature ✅
- customise-annotation-sidebar ✅
- snipping-annotation ✅
- speech-2-text ✅
- create-annotation-from-clipboard ✅
- get-all-annotations-boundingBox ✅
- save-selected-page-from-document-editor ✅

Pre-existing issues (not caused by this update):
- dws: missing tsconfig.json
- text-2-speech: missing component file
- redact-one-by-one: TypeScript errors

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Collaborator

@veroo-m veroo-m left a comment


lgtm

miguelcalderon and others added 2 commits January 22, 2026 18:42
- Generate package-lock.json for signing-demo-complete
- Generate package-lock.json for ui-customization-doc-editor-sidebar
- Update eslint-config-next to match Next.js 16.1.4

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@miguelcalderon miguelcalderon force-pushed the miguel/vuln-deps-2026-01-13 branch from 7e4a260 to 42b8437 January 22, 2026 17:48
@miguelcalderon miguelcalderon merged commit 35c3386 into master Jan 22, 2026
2 checks passed
@miguelcalderon miguelcalderon deleted the miguel/vuln-deps-2026-01-13 branch January 22, 2026 17:49
@PSPDFKit PSPDFKit deleted a comment from miguelcalderon Jan 23, 2026
@PSPDFKit PSPDFKit deleted a comment from miguelcalderon Jan 23, 2026
@PSPDFKit PSPDFKit deleted a comment from miguelcalderon Jan 23, 2026