From 32e856a6d0d97c7f6fe1b40ed2edec6c2cb3774e Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Sat, 9 May 2026 21:24:37 +0000
Subject: [PATCH 1/3] fix: upgrade fast-xml-builder to ^1.1.7 to address CVE-2026-44665
Co-authored-by: Brendan Kellam
---
 package.json | 3 ++-
 yarn.lock | 25 +++++++++++++------------
 2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/package.json b/package.json
index 63eae0429..335fba683 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,7 @@
 "smol-toml@npm:^1.6.0": "^1.6.1",
 "teeny-request@npm:^10.0.0": "^10.1.2",
 "uuid": "^14.0.0",
- "fast-uri@npm:^3.0.1": "^3.1.2"
+ "fast-uri@npm:^3.0.1": "^3.1.2",
+ "fast-xml-builder": "^1.1.7"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 0f7a4f949..303b04da5 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -13677,12 +13677,13 @@ __metadata:
 languageName: node
 linkType: hard
-"fast-xml-builder@npm:^1.1.5":
- version: 1.1.5
- resolution: "fast-xml-builder@npm:1.1.5"
+"fast-xml-builder@npm:^1.1.7":
+ version: 1.2.0
+ resolution: "fast-xml-builder@npm:1.2.0"
 dependencies:
- path-expression-matcher: "npm:^1.1.3"
- checksum: 10c0/b814ba5559cb3140de46d2846045607ab4d4c0bfc312a49d22c91efb9f7cd7004971314841e5823eeb467a5bf403e3ade8371b7912200e111df027d42ae51715
+ path-expression-matcher: "npm:^1.5.0"
+ xml-naming: "npm:^0.1.0"
+ checksum: 10c0/84bb105cd04e91d6dcb746c4dbaeb12903b510e7ab9a06ffde55b5a582e005559a87d84467f18a655c6c4baf098f696fd74cee3cbe1aea9d01385907768ba32d
 languageName: node
 linkType: hard
@@ -18053,13 +18054,6 @@ __metadata:
 languageName: node
 linkType: hard
-"path-expression-matcher@npm:^1.1.3":
- version: 1.2.0
- resolution: "path-expression-matcher@npm:1.2.0"
- checksum: 10c0/86c661dfb265ed5dd1ddd9188f0dfbecf4ec4dc3ea6cabab081d3a2ba285054d9767a641a233bd6fd694fd89f7d0ef94913032feddf5365252700b02db4bf4e1
- languageName: node
- linkType: hard
-
 "path-expression-matcher@npm:^1.5.0":
 version: 1.5.0
 resolution: "path-expression-matcher@npm:1.5.0"
@@ -22617,6 +22611,13 @@ __metadata:
 languageName: node
 linkType: hard
+"xml-naming@npm:^0.1.0":
+ version: 0.1.0
+ resolution: "xml-naming@npm:0.1.0"
+ checksum: 10c0/8c7614865361bcb7e53e3e091dac21c567e2b92d447919b2f072775aa9dcfc94a5255bd52fbaa0fd53c93513e53a23a6a835218ad2af512451dbc678392f85fe
+ languageName: node
+ linkType: hard
+
 "xmlchars@npm:^2.2.0":
 version: 2.2.0
 resolution: "xmlchars@npm:2.2.0"
From 40073904b5aea321bfda3eb3172f4b0a29646958 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Sat, 9 May 2026 21:25:18 +0000
Subject: [PATCH 2/3] Update CHANGELOG.md for PR #1184
Co-authored-by: Brendan Kellam
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 081d4c8d6..66857d270 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
+- Upgraded `fast-xml-builder` to `^1.1.7` to address CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
From a28b9947f215a63af185fb4cbbe967fea56c53c0 Mon Sep 17 00:00:00 2001
From: Brendan Kellam
Date: Sat, 9 May 2026 15:35:00 -0700
Subject: [PATCH 3/3] fix: refresh yarn.lock to upgrade fast-xml-builder to ^1.2.0 (CVE-2026-44664, CVE-2026-44665)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replaces the prior resolution-override approach with a lockfile refresh. The existing fast-xml-builder@^1.1.5 range already admits the patched 1.2.0; the lockfile was just stale.
Also consolidates SOU-1073 / CVE-2026-44664 (previously #1185) into this PR — same package release fixes both sibling CVEs.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 CHANGELOG.md | 2 +-
 package.json | 3 +--
 yarn.lock | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66857d270..25e7fc34a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
-- Upgraded `fast-xml-builder` to `^1.1.7` to address CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
+- Upgraded `fast-xml-builder` to `^1.2.0` to address CVE-2026-44664, CVE-2026-44665. [#1184](https://github.com/sourcebot-dev/sourcebot/pull/1184)
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)
diff --git a/package.json b/package.json
index 335fba683..63eae0429 100644
--- a/package.json
+++ b/package.json
@@ -59,7 +59,6 @@
 "smol-toml@npm:^1.6.0": "^1.6.1",
 "teeny-request@npm:^10.0.0": "^10.1.2",
 "uuid": "^14.0.0",
- "fast-uri@npm:^3.0.1": "^3.1.2",
- "fast-xml-builder": "^1.1.7"
+ "fast-uri@npm:^3.0.1": "^3.1.2"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 303b04da5..3f138c44b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -13677,7 +13677,7 @@ __metadata:
 languageName: node
 linkType: hard
-"fast-xml-builder@npm:^1.1.7":
+"fast-xml-builder@npm:^1.1.5":
 version: 1.2.0
 resolution: "fast-xml-builder@npm:1.2.0"
 dependencies: