Skip to content

Address high severity vulnerabilities.#95

Merged
miguelcalderon merged 1 commit into
mainfrom
miguel/fix-high-severity-vulns
Jun 24, 2026
Merged

Address high severity vulnerabilities.#95
miguelcalderon merged 1 commit into
mainfrom
miguel/fix-high-severity-vulns

Conversation

@miguelcalderon

@miguelcalderon miguelcalderon commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Remediates the three open high-severity Dependabot alerts.

Alert Package From → To Manifest
#1053GHSA-5vg9-5847-vvmq (CRLF injection in default email rule) laravel/framework v12.10.2 → v12.62.0 examples/laravel/composer.lock
#946CVE-2026-45067 / GHSA-qpmx-3rfj-7rhv (email header / SMTP command injection via CRLF) symfony/mime v7.2.4 → v7.4.13 examples/laravel/composer.lock
#1010CVE-2026-53571 / GHSA-fx2h-pf6j-xcff (server.fs.deny bypass on Windows) vite 8.0.9 → 8.1.0 examples/svelte-kit/pnpm-lock.yaml

Notes

  • The laravel/framework bump cascades the bundled Symfony 7.4.x components in examples/laravel (inherent to moving 52 minor versions); symfony/mime 7.4.13 lands in the same update.
  • The svelte-kit lockfile also reconciles @nutrient-sdk/viewer to the 1.16.1 already pinned in package.json (lockfile was stale at 1.13.1).
  • All existing version constraints already permitted the patched releases — only lockfiles (and the vite caret range) changed.

🤖 Generated with Claude Code

Bump dependencies to remediate three open high-severity Dependabot alerts:

- laravel/framework v12.10.2 -> v12.62.0 (GHSA-5vg9-5847-vvmq, CRLF
  injection in default email rule; patched in 12.60.0). Cascades the
  bundled Symfony 7.4.x components in examples/laravel.
- symfony/mime v7.2.4 -> v7.4.13 (CVE-2026-45067 / GHSA-qpmx-3rfj-7rhv,
  email header / SMTP command injection via CRLF; patched in 7.4.12).
- vite 8.0.9 -> 8.1.0 in examples/svelte-kit (CVE-2026-53571 /
  GHSA-fx2h-pf6j-xcff, server.fs.deny bypass on Windows; patched in
  8.0.16).

The svelte-kit lockfile also reconciles @nutrient-sdk/viewer to the
1.16.1 already pinned in package.json. Verified: composer validate
passes and the svelte-kit production build succeeds.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@miguelcalderon miguelcalderon self-assigned this Jun 24, 2026
@miguelcalderon miguelcalderon marked this pull request as ready for review June 24, 2026 07:51
@miguelcalderon miguelcalderon merged commit 988ce0a into main Jun 24, 2026
3 checks passed
@miguelcalderon miguelcalderon deleted the miguel/fix-high-severity-vulns branch June 24, 2026 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants