From 8a889e67efa7540b2ede94f6be80a6e1bb8ac173 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Fri, 15 May 2026 08:50:00 +0000
Subject: [PATCH] fix(security): bump devalue override to ^5.8.1 (CVE-2026-42570)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bump the devalue pnpm override in docs/package.json from ^5.6.4 to ^5.8.1 to fix Dependabot alert #158 — DoS via sparse array deserialization in devalue.parse.
---
 docs/package.json | 2 +-
 docs/pnpm-lock.yaml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/package.json b/docs/package.json
index e1318ce9..9c2723e7 100644
--- a/docs/package.json
+++ b/docs/package.json
@@ -15,7 +15,7 @@
 "pnpm": {
 "overrides": {
 "h3": "^1.15.6",
- "devalue": "^5.6.4",
+ "devalue": "^5.8.1",
 "rollup": "^4.59.0",
 "svgo": "^4.0.1",
 "smol-toml": "^1.6.1",
diff --git a/docs/pnpm-lock.yaml b/docs/pnpm-lock.yaml
index d3bf75c5..b647cea2 100644
--- a/docs/pnpm-lock.yaml
+++ b/docs/pnpm-lock.yaml
@@ -6,7 +6,7 @@ settings: overrides: h3: ^1.15.6 - devalue: ^5.6.4 + devalue: ^5.8.1 rollup: ^4.59.0 svgo: ^4.0.1 smol-toml: ^1.6.1
@@ -971,8 +971,8 @@ packages: resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==} engines: {node: '>=8'} - devalue@5.7.1: - resolution: {integrity: sha512-MUbZ586EgQqdRnC4yDrlod3BEdyvE4TapGYHMW2CiaW+KkkFmWEFqBUaLltEZCGi0iFXCEjRF0OjF0DV2QHjOA==} + devalue@5.8.1: + resolution: {integrity: sha512-4CXDYRBGqN+57wVJkuXBYmpAVUSg3L6JAQa/DFqm238G73E1wuyc/JhGQJzN7vUf/CMphYau2zXbfWzDR5aTEw==} devlop@1.1.0: resolution: {integrity: sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==}
@@ -2699,7 +2699,7 @@ snapshots: clsx: 2.1.1 common-ancestor-path: 2.0.0 cookie: 1.1.1 - devalue: 5.7.1 + devalue: 5.8.1 diff: 8.0.4 dset: 3.1.4 es-module-lexer: 2.0.0
@@ -2884,7 +2884,7 @@ snapshots: detect-libc@2.1.2: {} - devalue@5.7.1: {} + devalue@5.8.1: {} devlop@1.1.0: dependencies: