Skip to content

chore(deps): fix security vulnerabilities (2026-01-13)#180

Merged
miguelcalderon merged 4 commits intomasterfrom
miguel/vuln-deps-2026-01-13
Jan 22, 2026
Merged

chore(deps): fix security vulnerabilities (2026-01-13)#180
miguelcalderon merged 4 commits intomasterfrom
miguel/vuln-deps-2026-01-13

Conversation

@miguelcalderon
Copy link
Contributor

@miguelcalderon miguelcalderon commented Jan 13, 2026

Summary

This PR addresses security vulnerabilities identified by Dependabot.

Branch: miguel/vuln-deps-2026-01-13

Changes

  • Updated vite to patched versions across 8 web examples to fix server.fs.deny bypass vulnerabilities
  • Updated next from 14.1.4 to ^14.2.25 in signing-demo-complete to fix DoS and authorization bypass vulnerabilities

Packages Updated

Package From To Examples Affected
vite ^5.0.x - ^6.3.5 ^5.0.13 - ^6.4.1 dws, multiple web examples
next 14.1.4 ^14.2.25 signing-demo-complete

Remaining Vulnerabilities

Some vulnerabilities remain unfixed due to breaking changes required:

  • qs (high) - arrayLimit bypass
  • glob (high) - CLI command injection
  • multer (high) - DoS via memory leaks
  • Various medium/low severity issues in transitive dependencies

These require manual review to determine if the breaking changes are acceptable.

Notes

  • Overrides/resolutions added to pin transitive dependencies
  • No functionality changes, only dependency version updates

@miguelcalderon
chore(deps): fix security vulnerabilities
b14b135 
Addresses 10 high/critical vulnerabilities identified by Dependabot.
@miguelcalderon miguelcalderon self-assigned this Jan 13, 2026
@miguelcalderon miguelcalderon requested a review from a team January 13, 2026 09:23
@miguelcalderon @claude
chore(deps): update vite to 7.3.1 and @vitejs/plugin-react to 5.1.2
306b4dd 
Update all Vite-based examples to latest versions:
- vite: ^7.3.1 (from various 5.x/6.x/7.1.x versions)
- @vitejs/plugin-react: ^5.1.2 (from various 4.x/5.0.x versions)
- Remove all vite override sections

Tested examples - 10/13 build successfully:
- watermark-annotations ✅
- multi-tab ✅
- mixpanel-web-analytics ✅
- clientside-digital-sigature ✅
- customise-annotation-sidebar ✅
- snipping-annotation ✅
- speech-2-text ✅
- create-annotation-from-clipboard ✅
- get-all-annotations-boundingBox ✅
- save-selected-page-from-document-editor ✅

Pre-existing issues (not caused by this update):
- dws: missing tsconfig.json
- text-2-speech: missing component file
- redact-one-by-one: TypeScript errors

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
veroo-m
veroo-m approved these changes Jan 22, 2026
View reviewed changes
Copy link
Collaborator

@veroo-m veroo-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

miguelcalderon and others added 2 commits January 22, 2026 18:42
@miguelcalderon @claude
chore: add missing package-lock.json files
53cf779 
- Generate package-lock.json for signing-demo-complete
- Generate package-lock.json for ui-customization-doc-editor-sidebar
- Update eslint-config-next to match Next.js 16.1.4

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@miguelcalderon
Remove unnecessary lockfile.
42b8437
@miguelcalderon miguelcalderon force-pushed the miguel/vuln-deps-2026-01-13 branch from 7e4a260 to 42b8437 Compare January 22, 2026 17:48
@miguelcalderon miguelcalderon merged commit 35c3386 into master Jan 22, 2026
2 checks passed
@miguelcalderon miguelcalderon deleted the miguel/vuln-deps-2026-01-13 branch January 22, 2026 17:49
@PSPDFKit PSPDFKit deleted a comment from miguelcalderon Jan 23, 2026
@PSPDFKit PSPDFKit deleted a comment from miguelcalderon Jan 23, 2026
@PSPDFKit PSPDFKit deleted a comment from miguelcalderon Jan 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@veroo-m veroo-m veroo-m approved these changes

Assignees

@miguelcalderon miguelcalderon

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@miguelcalderon @veroo-m