build(deps): Bump @rspack/cli, @rspack/core, @rspack/plugin-react-refresh#109656
6b7c94c to a35adb9
package.json (outdated)
| "diff@>=4.0.0 <4.0.4": "4.0.4", | ||
| "diff@>=5.0.0 <5.2.2": "5.2.2" | ||
| "diff@>=5.0.0 <5.2.2": "5.2.2", | ||
| "node-forge": "^1.3.2" |
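Review bot: the override added in this hunk is written as `"node-forge": "^1.3.2"`, while the commit message and the PR description say `>=1.3.2`; the two only diverge if a node-forge 2.x ever ships, but pick one spelling and make package.json and the description agree. Since package.json cannot carry a comment, record the reason for the override where it will be found later (the GHSA id, the chain @rspack/cli → @rspack/dev-server → webpack-dev-server → selfsigned → node-forge, and the removal condition: @rspack/dev-server picking up webpack-dev-server@5.2.3), which is exactly what the reviewer flags as the cost of overrides.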
Do we need this explicit override? Mostly try to avoid overrides because they're difficult to remove later since you have to look up the commit and figure out if you still need it
…ages Bump @rspack/cli and @rspack/core from 1.7.3 to 1.7.6 and @rspack/plugin-react-refresh from 1.6.0 to 1.6.1. The vulnerable node-forge@1.3.1 is introduced transitively via @rspack/cli → @rspack/dev-server@1.1.5 → webpack-dev-server@5.2.2 → selfsigned@2.4.1 → node-forge@^1. Since no 1.x version of @rspack/dev-server yet pins webpack-dev-server@5.2.3 (which dropped node-forge entirely), add a pnpm override forcing node-forge>=1.3.2 to resolve the vulnerability independently of the dep chain.

Co-Authored-By: Claude <noreply@anthropic.com>
a35adb9 to 7e87885
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "@rspack/plugin-react-refresh": "1.6.0", | ||
| "@rspack/cli": "1.7.6", | ||
| "@rspack/core": "1.7.6", | ||
| "@rspack/plugin-react-refresh": "1.6.1", |
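Review bot: this revision of the hunk no longer carries the `"node-forge"` entry under `pnpm.overrides` that the outdated revision added, yet the commit message still says an override is added; either restore it or reword the description, because with only these three version pins the fix rests on the lockfile happening to resolve node-forge@1.3.3, which `selfsigned@2.4.1`'s `node-forge@^1` range does not guarantee on the next re-resolution. Running `pnpm why node-forge` after a fresh install is a quick way to confirm which version the chain actually picks.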
Missing node-forge override described in PR
Medium Severity
The PR description explicitly states that node-forge: ">=1.3.2" is added to pnpm.overrides, but the pnpm.overrides section in package.json (line ~240) contains no such entry. The lockfile currently resolves node-forge to 1.3.3, which fixes GHSA-5gfm-wpxj-wjgq, but without the override, a future lockfile regeneration could theoretically re-resolve to a vulnerable version since selfsigned@2.4.1 declares node-forge@^1 which includes vulnerable versions below 1.3.2. The fix is fragile without the stated safeguard.
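The comment above describes the failure mode precisely: the lockfile resolves node-forge to 1.3.3 today, but nothing stops a regeneration from picking a version below 1.3.2 again. The script below is an added example for this thread, not code from the PR or the repository: a dependency-free CI guard that scans a pnpm-lock.yaml for every resolved version of a package and reports any that fall under a floor. The lockfile excerpt it runs on by default is constructed here (the integrity strings are placeholders), and the key shapes it matches (`/name/1.0.0:`, `/name@1.0.0:`, `name@1.0.0:`) are the forms pnpm lockfile versions 5, 6 and 9 use; anything else would need the regex adjusted.

```javascript
// Added example, not part of the PR: fail CI when pnpm-lock.yaml resolves a
// package below a minimum version (here node-forge < 1.3.2).

// Simplified semver parse: major.minor.patch plus an optional pre-release tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts below its bare release (1.3.2-beta.1 < 1.3.2).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every distinct version the lockfile resolves `pkg` to, ascending.
// Matches resolution keys only (indented, "name@ver:" / "/name@ver:" / "/name/ver:",
// optionally quoted, optionally followed by a peer suffix such as "(webpack@5.0.0)");
// plain "name: ver" dependency lines are deliberately not matched.
function resolvedVersions(lockText, pkg) {
  const esc = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^\\s+'?/?" + esc + "[@/]([^\\s:('\"]+)(?:\\([^)]*\\))*'?:");
  const found = new Set();
  for (const line of lockText.split("\n")) {
    const m = re.exec(line);
    if (m) found.add(m[1]);
  }
  return [...found].sort(compareVersions);
}

// Resolved versions strictly below `minVersion`; an empty array means the lockfile is clean.
function vulnerableResolutions(lockText, pkg, minVersion) {
  return resolvedVersions(lockText, pkg).filter((v) => compareVersions(v, minVersion) < 0);
}

function report(lockText, pkg, minVersion) {
  const bad = vulnerableResolutions(lockText, pkg, minVersion);
  return bad.length === 0
    ? `OK: every resolution of ${pkg} is >= ${minVersion}`
    : `FAIL: ${pkg} resolves to ${bad.join(", ")} (< ${minVersion})`;
}

// Constructed lockfile excerpt (not the repository's real pnpm-lock.yaml): one
// clean and one vulnerable resolution of node-forge, a snapshot entry, and a
// scoped package whose name contains "node-forge" to show matching is anchored
// on the full package name.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'
packages:
  '@types/node-forge@1.3.11':
    resolution: {integrity: sha512-constructed}
  node-forge@1.3.1:
    resolution: {integrity: sha512-constructed}
  node-forge@1.3.3:
    resolution: {integrity: sha512-constructed}
  selfsigned@2.4.1:
    resolution: {integrity: sha512-constructed}
snapshots:
  node-forge@1.3.1: {}
  selfsigned@2.4.1:
    dependencies:
      '@types/node-forge': 1.3.11
      node-forge: 1.3.3
`;

// Usage: node check-lock.js [pnpm-lock.yaml] [package] [minVersion]
// With no lockfile path it runs against the constructed sample above.
{
  const [, , lockPath, pkg = "node-forge", min = "1.3.2"] = process.argv;
  const text = lockPath && typeof require === "function"
    ? require("node:fs").readFileSync(lockPath, "utf8")
    : SAMPLE_LOCK;
  console.log(report(text, pkg, min));
  if (lockPath && vulnerableResolutions(text, pkg, min).length) process.exitCode = 1;
}
```

Wired into CI as `node check-lock.js pnpm-lock.yaml node-forge 1.3.2`, this fails the build on a regressed re-resolution whether or not an override is kept, and because it checks the lockfile rather than package.json it also answers the reviewer's question about when an override can be dropped: once the chain resolves clean without it, the guard still passes.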


Bumps rspack-related packages to their latest versions:
@rspack/cli 1.7.3 → 1.7.6
@rspack/core 1.7.3 → 1.7.6
@rspack/plugin-react-refresh 1.6.0 → 1.6.1

As a side effect of the lockfile re-resolution, node-forge is upgraded from 1.3.1 to 1.3.3, which resolves GHSA-5gfm-wpxj-wjgq.

Co-Authored-By: Claude noreply@anthropic.com