fix(deps): patch CVE-2025-55182 and 4 additional vulnerabilities #11

Open. tvl83 wants to merge 2 commits into nikunjsingh93:main from tvl83:main

Conversation


tvl83 commented Dec 30, 2025

Summary

Security dependency updates - no breaking changes.

CVE-2025-55182 (Critical, CVSS 10.0)

React 19.1.1 is vulnerable to RCE via insecure deserialization in React Server Components. While Glass Keep is intended for local use and doesn't use RSC, bumping to 19.1.2 is good hygiene.

Other fixes (via npm audit fix)

| Package | Issue |
|---|---|
| js-yaml | Prototype pollution in merge |
| jws | HMAC signature verification bypass |
| tar-fs | Symlink validation bypass |
| vite | Multiple server.fs.deny bypasses |

Testing

  • npm install
  • npm run build
  • npm audit returns 0 vulnerabilities
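The "npm audit returns 0 vulnerabilities" check above, turned into a CI gate (an added example, not code from this PR or the Glass Keep project): it parses `npm audit --json` output and fails while any GHSA id named in the PR is still reported, or while anything at or above a chosen severity remains. The report field names are assumed from the npm 7+ JSON audit format; the sample report and the package names `some-lib` and `wrapper-lib` are constructed.

```javascript
// Added example, not the PR's or Glass Keep's code: a CI gate over `npm audit --json`.
// Assumed npm 7+ report shape: report.vulnerabilities[pkg].via holds advisory
// objects (direct findings) or package-name strings (transitive findings).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// GHSA ids named in the PR description; the gate fails while any remains.
const TRACKED_ADVISORIES = new Set([
  'GHSA-mh29-5h37-fv8m', // js-yaml: prototype pollution in merge
  'GHSA-869p-cjfg-cm3x', // jws: HMAC signature verification bypass
  'GHSA-vj76-c3g6-qr5v', // tar-fs: symlink validation bypass
]);

function ghsaIdFromUrl(url) {
  const m = /GHSA(?:-[0-9a-z]{4}){3}/.exec(url || '');
  return m ? m[0] : null;
}

// One record per advisory object found in any package's `via` list.
function directFindings(report) {
  const out = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via === 'string') continue; // transitive; counted at its own entry
      out.push({ pkg, severity: via.severity, ghsa: ghsaIdFromUrl(via.url), title: via.title });
    }
  }
  return out;
}

// Returns the reasons the build should fail; an empty list means the gate passes.
function auditGate(report, failAtSeverity = 'high') {
  const threshold = SEVERITY_RANK[failAtSeverity];
  const reasons = [];
  for (const f of directFindings(report)) {
    if (f.ghsa && TRACKED_ADVISORIES.has(f.ghsa)) {
      reasons.push(`${f.pkg}: tracked advisory ${f.ghsa} still present`);
    } else if ((SEVERITY_RANK[f.severity] ?? 0) >= threshold) {
      reasons.push(`${f.pkg}: ${f.severity} advisory ${f.ghsa || '(no GHSA id)'}: ${f.title}`);
    }
  }
  return reasons;
}

// Constructed sample report (not real npm output): one tracked advisory, one
// critical with a placeholder id, one transitive reference that must not double-count.
const advisory = (name, title, severity, id) => ({ name, title, severity, url: `https://github.com/advisories/${id}` });
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  'js-yaml': { severity: 'moderate', via: [advisory('js-yaml', 'Prototype pollution in merge', 'moderate', 'GHSA-mh29-5h37-fv8m')] },
  'some-lib': { severity: 'critical', via: [advisory('some-lib', 'Placeholder finding', 'critical', 'GHSA-xxxx-xxxx-xxxx')] },
  'wrapper-lib': { severity: 'moderate', via: ['js-yaml'] },
} };
const CLEAN_REPORT = { auditReportVersion: 2, vulnerabilities: {} };
```

On a real checkout, run `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `auditGate`; a non-empty result is the CI failure.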

Updating to react 19.1.2, which fixes CVE-2025-55182.

- react, react-dom: ^19.1.2 (CVE-2025-55182, CVSS 10.0)
- js-yaml: prototype pollution (GHSA-mh29-5h37-fv8m)
- jws: HMAC verification bypass (GHSA-869p-cjfg-cm3x)
- tar-fs: symlink validation bypass (GHSA-vj76-c3g6-qr5v)
- vite: multiple fs.deny bypasses