fix: refresh yarn.lock to upgrade fast-xml-builder to ^1.2.0 (CVE-2026-44664, CVE-2026-44665)

brendan-kellam · claude · brendan-kellam · commit a28b9947f215 · 2026-05-09T15:35:00.000-07:00
Replaces the prior resolution-override approach with a lockfile refresh. The existing fast-xml-builder@^1.1.5 range already admits the patched 1.2.0; the lockfile was just stale. Also consolidates SOU-1073 / CVE-2026-44664 (previously #1185) into this PR — same package release fixes both sibling CVEs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
-- Upgraded `fast-xml-builder` to `^1.1.7` to address CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
+- Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
diff --git a/package.json b/package.json
@@ -59,7 +59,6 @@
         "smol-toml@npm:^1.6.0": "^1.6.1",
         "teeny-request@npm:^10.0.0": "^10.1.2",
         "uuid": "^14.0.0",
-        "fast-uri@npm:^3.0.1": "^3.1.2",
-        "fast-xml-builder": "^1.1.7"
+        "fast-uri@npm:^3.0.1": "^3.1.2"
     }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -13677,7 +13677,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fast-xml-builder@npm:^1.1.7":
+"fast-xml-builder@npm:^1.1.5":
   version: 1.2.0
   resolution: "fast-xml-builder@npm:1.2.0"
   dependencies:

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,6 @@`
`59`	`59`	`"smol-toml@npm:^1.6.0": "^1.6.1",`
`60`	`60`	`"teeny-request@npm:^10.0.0": "^10.1.2",`
`61`	`61`	`"uuid": "^14.0.0",`
`62`		`- "fast-uri@npm:^3.0.1": "^3.1.2",`
`63`		`- "fast-xml-builder": "^1.1.7"`
	`62`	`+ "fast-uri@npm:^3.0.1": "^3.1.2"`
`64`	`63`	`}`
`65`	`64`	`}`