From 64eadb5d3309320e4c276108b147b43d06165013 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Tue, 3 Mar 2026 11:43:05 +1100 Subject: [PATCH] UID2-6681: Fix HIGH npm vulnerabilities in web-integrations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - minimatch: 10.2.1 → 10.2.3+ (CVE-2026-27903, CVE-2026-27904) - DoS via backtracking - serialize-javascript: 4.0.0/6.0.2 → 7.0.3+ (GHSA-5c6j-r48x-rmvq) - RCE via RegExp/Date - rollup: 2.79.2 → 2.80.0 (CVE-2026-27606) - RCE via path traversal Updated overrides in all 7 web-integrations package.json files and regenerated lock files. Co-Authored-By: Claude Sonnet 4.6 --- .../client-server/package-lock.json | 8 ++-- .../client-server/package.json | 2 +- .../react-client-side/package-lock.json | 40 ++++++------------- .../react-client-side/package.json | 4 +- .../server-side/package-lock.json | 8 ++-- .../server-side/package.json | 2 +- .../client-server/package-lock.json | 8 ++-- .../javascript-sdk/client-server/package.json | 2 +- .../react-client-side/package-lock.json | 40 ++++++------------- .../react-client-side/package.json | 4 +- .../client-server/package-lock.json | 8 ++-- .../client-server/package.json | 2 +- .../server-side/package-lock.json | 8 ++-- web-integrations/server-side/package.json | 2 +- 14 files changed, 55 insertions(+), 83 deletions(-) diff --git a/web-integrations/google-secure-signals/client-server/package-lock.json b/web-integrations/google-secure-signals/client-server/package-lock.json index c5423be..870946f 100644 --- a/web-integrations/google-secure-signals/client-server/package-lock.json +++ b/web-integrations/google-secure-signals/client-server/package-lock.json 
@@ -2791,14 +2791,14 @@ } }, "node_modules/minimatch": { - "version": "10.2.1", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.1.tgz", - "integrity": "sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", "dependencies": { "brace-expansion": "^5.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" diff --git a/web-integrations/google-secure-signals/client-server/package.json b/web-integrations/google-secure-signals/client-server/package.json index d233751..f3ed1d8 100644 --- a/web-integrations/google-secure-signals/client-server/package.json +++ b/web-integrations/google-secure-signals/client-server/package.json @@ -20,7 +20,7 @@ }, "overrides": { "form-data": "^4.0.4", - "minimatch": "^10.2.1", + "minimatch": "^10.2.3", "qs": "6.14.1" }, "devDependencies": { diff --git a/web-integrations/google-secure-signals/react-client-side/package-lock.json b/web-integrations/google-secure-signals/react-client-side/package-lock.json index a8eb4fa..7d0542d 100644 --- a/web-integrations/google-secure-signals/react-client-side/package-lock.json +++ b/web-integrations/google-secure-signals/react-client-side/package-lock.json 
@@ -10790,14 +10790,14 @@ "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==" }, "node_modules/minimatch": { - "version": "10.2.1", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.1.tgz", - "integrity": "sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", "dependencies": { "brace-expansion": "^5.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" @@ -12945,14 +12945,6 @@ "performance-now": "^2.1.0" } }, - "node_modules/randombytes": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", - "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", - "dependencies": { - "safe-buffer": "^5.1.0" - } - }, "node_modules/range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", @@ -14071,9 +14063,9 @@ } }, "node_modules/rollup": { - "version": "2.79.2", - "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.2.tgz", - "integrity": "sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ==", + "version": "2.80.0", + "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.80.0.tgz", + "integrity": "sha512-cIFJOD1DESzpjOBl763Kp1AH7UE/0fcdHe6rZXUdQ9c50uvgigvW97u3IcSeBwOkgqL/PXPBktBCh0KEu5L8XQ==", "bin": { "rollup": "dist/bin/rollup" }, 
@@ -14112,14 +14104,6 @@ "node": ">= 10.13.0" } }, - "node_modules/rollup-plugin-terser/node_modules/serialize-javascript": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz", - "integrity": "sha512-GaNA54380uFefWghODBWEGisLZFj00nS5ACs6yHa9nLqlLpVLO8ChDGeKRjZnV4Nh4n0Qi7nhYZD/9fCPzEqkw==", - "dependencies": { - "randombytes": "^2.1.0" - } - }, "node_modules/run-applescript": { "version": "7.1.0", "resolved": "https://registry.npmjs.org/run-applescript/-/run-applescript-7.1.0.tgz", @@ -14408,11 +14392,11 @@ } }, "node_modules/serialize-javascript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", - "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", - "dependencies": { - "randombytes": "^2.1.0" + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.4.tgz", + "integrity": "sha512-DuGdB+Po43Q5Jxwpzt1lhyFSYKryqoNjQSA9M92tyw0lyHIOur+XCalOUe0KTJpyqzT8+fQ5A0Jf7vCx/NKmIg==", + "engines": { + "node": ">=20.0.0" } }, "node_modules/serve-index": { diff --git a/web-integrations/google-secure-signals/react-client-side/package.json b/web-integrations/google-secure-signals/react-client-side/package.json index a0ec623..119df47 100644 --- a/web-integrations/google-secure-signals/react-client-side/package.json +++ b/web-integrations/google-secure-signals/react-client-side/package.json @@ -25,7 +25,9 @@ "nth-check": "^2.0.1", "form-data": "^4.0.4", "glob": "^11.1.0", - "minimatch": "^10.2.1", + "minimatch": "^10.2.3", + "rollup": "^2.80.0", + "serialize-javascript": "^7.0.3", "node-forge": "^1.3.2", "postcss": "^8.4.31", "webpack-dev-server": "^5.2.1", 
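Review bot: The new `"serialize-javascript": "^7.0.3"` override in google-secure-signals/react-client-side/package.json forces every consumer onto 7.x, including rollup-plugin-terser, whose nested copy was 4.0.0 before this commit. The fix for GHSA-5c6j-r48x-rmvq therefore rides on a jump of up to three major versions that the dependents never declared support for. The regenerated lock entry for 7.0.4 also declares `"node": ">=20.0.0"`, stricter than the `18 || 20 || >=22` that minimatch 10.2.4 accepts; whether CI and the deployment images run Node 20 or later is not visible here. I would confirm the production build still completes with the override in place and record the floor in the manifest, e.g. `"engines": { "node": ">=20" }`. The same override is added in javascript-sdk/react-client-side/package.json, and the same applies there.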
diff --git a/web-integrations/google-secure-signals/server-side/package-lock.json b/web-integrations/google-secure-signals/server-side/package-lock.json index b7327c9..0d2e6cc 100644 --- a/web-integrations/google-secure-signals/server-side/package-lock.json +++ b/web-integrations/google-secure-signals/server-side/package-lock.json @@ -2915,14 +2915,14 @@ } }, "node_modules/minimatch": { - "version": "10.2.1", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.1.tgz", - "integrity": "sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", "dependencies": { "brace-expansion": "^5.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" diff --git a/web-integrations/google-secure-signals/server-side/package.json b/web-integrations/google-secure-signals/server-side/package.json index 616fb8d..f3b9f6c 100644 --- a/web-integrations/google-secure-signals/server-side/package.json +++ b/web-integrations/google-secure-signals/server-side/package.json @@ -22,7 +22,7 @@ }, "overrides": { "form-data": "^4.0.4", - "minimatch": "^10.2.1", + "minimatch": "^10.2.3", "qs": "6.14.1" }, "devDependencies": { diff --git a/web-integrations/javascript-sdk/client-server/package-lock.json b/web-integrations/javascript-sdk/client-server/package-lock.json index af8cadf..51b5355 100644 --- a/web-integrations/javascript-sdk/client-server/package-lock.json +++ b/web-integrations/javascript-sdk/client-server/package-lock.json 
@@ -2892,14 +2892,14 @@ } }, "node_modules/minimatch": { - "version": "10.2.1", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.1.tgz", - "integrity": "sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", "dependencies": { "brace-expansion": "^5.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" diff --git a/web-integrations/javascript-sdk/client-server/package.json b/web-integrations/javascript-sdk/client-server/package.json index b1d79ba..64ba2ad 100644 --- a/web-integrations/javascript-sdk/client-server/package.json +++ b/web-integrations/javascript-sdk/client-server/package.json @@ -27,7 +27,7 @@ }, "overrides": { "jws": "4.0.1", - "minimatch": "^10.2.1", + "minimatch": "^10.2.3", "qs": "6.14.1" }, "resolutions": { diff --git a/web-integrations/javascript-sdk/react-client-side/package-lock.json b/web-integrations/javascript-sdk/react-client-side/package-lock.json index e3971f9..903c286 100644 --- a/web-integrations/javascript-sdk/react-client-side/package-lock.json +++ b/web-integrations/javascript-sdk/react-client-side/package-lock.json 
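Review bot: In javascript-sdk/client-server/package.json the minimatch floor is raised only under `overrides`, while a `resolutions` block opens directly after it and its contents lie outside the hunk. `overrides` is read by npm and `resolutions` by Yarn, and the diffstat shows only package-lock.json files regenerated. If `resolutions` also carries a minimatch entry, an install through Yarn could still resolve a version below the fix for CVE-2026-27903 and CVE-2026-27904. Any such entry should move in step, `"minimatch": "^10.2.3"`, or the block should be dropped if Yarn is not used, so that there is one source of truth. web-integrations/server-side/package.json has the same `overrides`-then-`resolutions` layout.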
@@ -10762,14 +10762,14 @@ "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==" }, "node_modules/minimatch": { - "version": "10.2.1", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.1.tgz", - "integrity": "sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", "dependencies": { "brace-expansion": "^5.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" @@ -12909,14 +12909,6 @@ "performance-now": "^2.1.0" } }, - "node_modules/randombytes": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", - "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", - "dependencies": { - "safe-buffer": "^5.1.0" - } - }, "node_modules/range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", @@ -14028,9 +14020,9 @@ } }, "node_modules/rollup": { - "version": "2.79.2", - "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.2.tgz", - "integrity": "sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ==", + "version": "2.80.0", + "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.80.0.tgz", + "integrity": "sha512-cIFJOD1DESzpjOBl763Kp1AH7UE/0fcdHe6rZXUdQ9c50uvgigvW97u3IcSeBwOkgqL/PXPBktBCh0KEu5L8XQ==", "bin": { "rollup": "dist/bin/rollup" }, 
@@ -14069,14 +14061,6 @@ "node": ">= 10.13.0" } }, - "node_modules/rollup-plugin-terser/node_modules/serialize-javascript": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-4.0.0.tgz", - "integrity": "sha512-GaNA54380uFefWghODBWEGisLZFj00nS5ACs6yHa9nLqlLpVLO8ChDGeKRjZnV4Nh4n0Qi7nhYZD/9fCPzEqkw==", - "dependencies": { - "randombytes": "^2.1.0" - } - }, "node_modules/run-applescript": { "version": "7.1.0", "resolved": "https://registry.npmjs.org/run-applescript/-/run-applescript-7.1.0.tgz", @@ -14365,11 +14349,11 @@ } }, "node_modules/serialize-javascript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", - "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", - "dependencies": { - "randombytes": "^2.1.0" + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.4.tgz", + "integrity": "sha512-DuGdB+Po43Q5Jxwpzt1lhyFSYKryqoNjQSA9M92tyw0lyHIOur+XCalOUe0KTJpyqzT8+fQ5A0Jf7vCx/NKmIg==", + "engines": { + "node": ">=20.0.0" } }, "node_modules/serve-index": { diff --git a/web-integrations/javascript-sdk/react-client-side/package.json b/web-integrations/javascript-sdk/react-client-side/package.json index 4c28367..403b7e9 100644 --- a/web-integrations/javascript-sdk/react-client-side/package.json +++ b/web-integrations/javascript-sdk/react-client-side/package.json @@ -25,7 +25,9 @@ "nth-check": "^2.0.1", "form-data": "^4.0.4", "glob": "^11.1.0", - "minimatch": "^10.2.1", + "minimatch": "^10.2.3", + "rollup": "^2.80.0", + "serialize-javascript": "^7.0.3", "node-forge": "^1.3.2", "postcss": "^8.4.31", "webpack-dev-server": "^5.2.1", diff --git a/web-integrations/prebid-integrations/client-server/package-lock.json b/web-integrations/prebid-integrations/client-server/package-lock.json index b81d1b3..4f3655b 100644 
--- a/web-integrations/prebid-integrations/client-server/package-lock.json +++ b/web-integrations/prebid-integrations/client-server/package-lock.json @@ -650,14 +650,14 @@ } }, "node_modules/minimatch": { - "version": "10.2.1", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.1.tgz", - "integrity": "sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", "dependencies": { "brace-expansion": "^5.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" diff --git a/web-integrations/prebid-integrations/client-server/package.json b/web-integrations/prebid-integrations/client-server/package.json index 67b7925..f35157d 100644 --- a/web-integrations/prebid-integrations/client-server/package.json +++ b/web-integrations/prebid-integrations/client-server/package.json @@ -18,7 +18,7 @@ }, "overrides": { "body-parser": "^2.2.1", - "minimatch": "^10.2.1", + "minimatch": "^10.2.3", "qs": "6.14.1" } } diff --git a/web-integrations/server-side/package-lock.json b/web-integrations/server-side/package-lock.json index d4450c0..0f82564 100644 --- a/web-integrations/server-side/package-lock.json +++ b/web-integrations/server-side/package-lock.json 
@@ -2447,14 +2447,14 @@ } }, "node_modules/minimatch": { - "version": "10.2.1", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.1.tgz", - "integrity": "sha512-MClCe8IL5nRRmawL6ib/eT4oLyeKMGCghibcDWK+J0hh0Q8kqSdia6BvbRMVk6mPa6WqUa5uR2oxt6C5jd533A==", + "version": "10.2.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz", + "integrity": "sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==", "dependencies": { "brace-expansion": "^5.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" }, "funding": { "url": "https://github.com/sponsors/isaacs" diff --git a/web-integrations/server-side/package.json b/web-integrations/server-side/package.json index 88d2f54..4343089 100644 --- a/web-integrations/server-side/package.json +++ b/web-integrations/server-side/package.json @@ -27,7 +27,7 @@ "eslint-plugin-testing-library": "^4.6.0" }, "overrides": { - "minimatch": "^10.2.1", + "minimatch": "^10.2.3", "qs": "6.14.1" }, "resolutions": {