Security fixes, Image Optimization and merge latest changes to main #434
Merged
sc-chathumikaalwis merged 5 commits into main on Apr 8, 2026
Conversation
* opti: Image optimization - SYNC authoring
* opt: Image optimization - Alaris authoring
* opt: Image optimization - Solterra authoring
* opt: Image optimization - remaining authoring below 500KB

* Remove .eslintrc file and update ESLint dependencies in package.json and package-lock.json
* Refactor ESLint configuration: remove .eslintignore, add eslint.config.mjs, and update linting options in angular.json and package files
* fix(basic-nextjs-pages-router): resolve lockfile merge and Prettier build errors
* basic-nextjs-pages-router: update .sitecore component-map and import-map

Co-authored-by: pamo_sitecore <pamo@sitecore.net>
Co-authored-by: sc-sobiyasivakumar <sobiya.sivakumar+sitecore@sitecore.com>

* Fix/dependabot vulnerability fixes - Basic-spa (#426)
  * fix(basic-spa): tough-cookie Prototype Pollution vulnerability
  * fix(basic-spa): Server-Side Request Forgery in Request
  * fix(basic-spa): tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
  * fix(basic-spa): xml2js is vulnerable to prototype pollution
  Co-authored-by: sc-sobiyasivakumar <sc-sobiyasivakumar@users.noreply.github.com>
* fix: bump Next.js to ≥15.5.14 across starters (Dependabot) (#427)
  * chore: update next and eslint-config-next to latest versions
  * chore: update next and eslint-config-next to latest patch versions
* fix: resolve Dependabot security vulnerabilities in transitive dependencies across multiple starter sites (#425)
  Co-authored-by: Esari Upendri <upen@sitecore.net>
* Fix: Angular vulnerability fixes - High (#421)
  * Angular vulnerable to XSS in i18n attribute bindings #301-High
  * path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters #389-High
  * path-to-regexp vulnerable to Denial of Service via sequential optional groups #108
  * Updated package lock for angular
  * Updated package lock files for every site
  Co-authored-by: sc-esariupendri <>
* Move axios to devDependencies and harden CI dependency installation (#411)
  * axios dependency placement for dev dependency
  * Replace npm install with npm ci in pr-validation and dmz-validation workflows
  Co-authored-by: sc-krishanthakumara <sc-krishanthakumara@users.noreply.github.com>
* fix(basic-spa): fix hono vulnerabilities for Dependabot (#423)
  * chore: include overrides for @hono/node-server and hono
  * Delete examples/basic-spa/angular/package-lock.json
  * update package-lock basic-spa
  Co-authored-by: Esari Upendri <upen@sitecore.net>
* Fix/dependabot issue lodash (#420)
  * fix(skate-park): lodash vulnerable to Code Injection via `_.template` imports key names
  * fix(product-list): lodash vulnerable to Code Injection via `_.template` imports key names
  * fix(location-finder): lodash vulnerable to Code Injection via `_.template` imports key names
  * fix(basic-nextjs-pages-router): lodash vulnerable to Code Injection via `_.template` imports key names
  * fix(article-starter): lodash vulnerable to Code Injection via `_.template` imports key names
  * fix(basic-nextjs): lodash vulnerable to Code Injection via `_.template` imports key names
  * fix(basic-spa): Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
  * revert package-lock changes
  Co-authored-by: sc-sobiyasivakumar <sc-sobiyasivakumar@users.noreply.github.com>
  Co-authored-by: Esari Upendri <upen@sitecore.net>
* Code Scanning Issue Fixes (#409)
  * fix: set compilation debug to false in web.config for production readiness
  * fix: add custom headers for X-Frame-Options in web.config
  * fix: add permissions section for DMZ branch validation workflow
  Co-authored-by: sc-esariupendri <>
* Fix: flatted prototype pollution in starter dependencies - High (#415)
  * Prototype Pollution via parse() in NodeJS flatted #321-High
  * Prototype Pollution via parse() in NodeJS flatted #320-High
  * Prototype Pollution via parse() in NodeJS flatted #322-High
  * Prototype Pollution via parse() in NodeJS flatted #323-High
  * Prototype Pollution via parse() in NodeJS flatted #324-High
  * Prototype Pollution via parse() in NodeJS flatted #326-High
  * Prototype Pollution via parse() in NodeJS flatted #327-High
  * Prototype Pollution via parse() in NodeJS flatted #151-High
  Co-authored-by: sc-esariupendri <>
* Fix/dependabot serialize js issue (#422)
  * fix(basic-spa): Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
  * fix(basic-spa): Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
  * Revert changes on package-lock
  Co-authored-by: sc-sobiyasivakumar <sc-sobiyasivakumar@users.noreply.github.com>
  Co-authored-by: Esari Upendri <upen@sitecore.net>
* Fix: fast-xml-parser vulnerability in starter dependencies - High (#416)
  * fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) #340-High
  * fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) #341-High
  * fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) #342-High
  * fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) #343-High
  Co-authored-by: sc-esariupendri <>
* fix(video): parse thumbnail URLs for Next/Image unoptimized (#408)
  - Add isYouTubeThumbnailImageUrl (img.youtube.com, i.ytimg.com) in kit-nextjs-location-finder; replace substring checks on fallbackImage.
  Co-authored-by: sc-sobiyasivakumar <sobiya.sivakumar+sitecore@sitecore.com>
* Rollup 4 has Arbitrary File Write via Path Traversal #240-High (#417)
  Co-authored-by: sc-esariupendri <>
* fix: form-data uses unsafe random function in form-data for choosing boundary #7-Critical (#418)
  Co-authored-by: sc-esariupendri <>
* Resolve Dependabot alerts for webpack, qs, and fast-xml-parser (#428)
  * Bugfix scb 849 dependabot issue fixes (#54)
  * feat(video): add utility function to validate YouTube image hosts for optimized loading
  * Update package dependencies for basic SPA example
  * update package dependencies for basic-spa example (#55)
  * Update brace-expansion package versions across multiple examples to latest releases (1.1.13 and 2.0.3) in package.json and package-lock.json files. (#56)
  * Update qs package to version 6.14.2 across all examples and related lock files (#57)
  * Update fast-xml-parser and fast-xml-builder versions across multiple examples (#58)
  * Delete examples/basic-nextjs-pages-router/package-lock.json
  * Delete examples/basic-nextjs/package-lock.json
  * Delete examples/basic-spa/angular/package-lock.json
  * Delete examples/basic-spa/proxy/package-lock.json
  * Update package-lock files
  * Update pnpm-lock file
  Co-authored-by: Esari Upendri <upen@sitecore.net>
* Fix/dependabot issue picomatch (#413)
  * fix(skate-park): Picomatch has a ReDoS vulnerability via extglob quantifiers
  * fix(location-finder): Picomatch has a ReDoS vulnerability via extglob quantifiers
  * fix(product-listing): Picomatch has a ReDoS vulnerability via extglob quantifiers
  * fix(article-starter): Picomatch has a ReDoS vulnerability via extglob quantifiers
  * fix(basic-spa): Picomatch has a ReDoS vulnerability via extglob quantifiers
  * fix(basic-spa): Picomatch-Method Injection in POSIX Character Classes causes incorrect Glob Matching
  * fix(basic-nextjs-pages-router): Picomatch-Method Injection in POSIX Character Classes causes incorrect Glob Matching
  * fix(basic-nextjs): Picomatch has a ReDoS vulnerability via extglob quantifiers
  Co-authored-by: sc-sobiyasivakumar <sc-sobiyasivakumar@users.noreply.github.com>
  Co-authored-by: Esari Upendri <upen@sitecore.net>
* fix(security): resolve Wiz scan findings across starters (exclude basic-nextjs-pages-router) (#419)
  * Wiz scan fixes for Solterra, Alaris, SYNC, Skate-park
  * Wiz scan fixes for basic-nextjs
  * Wiz scan fixes for basic-spa
  * fix(security) - remediate npm vulnerabilities across examples (#18)
    - Remove unused eslint-plugin-yaml (fixes lodash CVEs) in article and location starters
    - Upgrade eslint-config-next v13→v15 in pages-router (fixes minimatch ReDoS CVEs)
    - Run npm audit fix on product-listing and skate-park
    Co-authored-by: sc-krishanthakumara <sc-krishanthakumara@users.noreply.github.com>
  * Updated package-lock in all example sites
  * fix: update package.json files to remove duplicate overrides
  Co-authored-by: Krishantha Udaya Kumara <236586687+sc-krishanthakumara@users.noreply.github.com>
  Co-authored-by: sc-krishanthakumara <sc-krishanthakumara@users.noreply.github.com>
* refreshed all lock files (#429)
  * refreshed package-lock files (basic-next/ spa)
  * refreshed package-lock files (article starter/ location finder)
  * refreshed package lock files
* Security: resolve Dependabot alerts for lodash, Vite, and unused ESLint YAML plugin (#430)
  * fix(kit-nextjs-article-starter): drop unused eslint-plugin-yaml to clear lodash audit
  * fix(deps): patch transitive vite and lodash; drop unused eslint-plugin-yaml
    - Angular SPA: stop overriding lodash to 4.17.23; pin lodash 4.18.1 and vite 7.3.2 (npm overrides + pnpm workspace overrides) and refresh lockfiles.
    - Location finder: remove unused eslint-plugin-yaml (jshint/lodash chain).
  Co-authored-by: sc-krishanthakumara <sc-krishanthakumara@users.noreply.github.com>

Co-authored-by: Sobiya Sivakumar <siva@sitecore.net>
Co-authored-by: sc-sobiyasivakumar <sc-sobiyasivakumar@users.noreply.github.com>
Co-authored-by: Naveen Hedalla Arachchi <nvhd@sitecore.net>
Co-authored-by: Shakya Wijerathne <shakya.wijerathne@sitecore.com>
Co-authored-by: Esari Upendri <upen@sitecore.net>
Co-authored-by: Krishantha Udaya Kumara <236586687+sc-krishanthakumara@users.noreply.github.com>
Co-authored-by: sc-krishanthakumara <sc-krishanthakumara@users.noreply.github.com>
Co-authored-by: sc-sobiyasivakumar <sobiya.sivakumar+sitecore@sitecore.com>
Co-authored-by: Pamodith Maduwantha <pamo@sitecore.net>
Co-authored-by: sc-krishanthakumara <sc-krishanthakumara@users.noreply.github.com>
sc-krishanthakumara approved these changes on Apr 8, 2026