
UID2-6699: Fix immutable and svgo HIGH vulnerabilities #1000

Open
cYKatherine wants to merge 1 commit into main from kchen-UID2-6699-fix-immutable-svgo-vuln

Conversation

@cYKatherine (Contributor)

Summary

Trivy scan detected 2 HIGH severity vulnerabilities in npm transitive dependencies. Fixed via overrides in package.json.

Vulnerabilities Fixed

| Library | CVE | Severity | Description | Fix |
|---|---|---|---|---|
| immutable 4.3.7 | CVE-2026-29063 | HIGH | Prototype Pollution | → 4.3.8 |
| svgo 3.3.2 | CVE-2026-29074 | HIGH | DoS via Billion Laughs (entity expansion in DOCTYPE) | → 3.3.3 |

Fix

Added "immutable": "^4.3.8" and "svgo": "^3.3.3" to npm overrides in package.json and regenerated package-lock.json. Post-fix Trivy scan shows 0 CRITICAL/HIGH findings.

See: UID2-6699

🤖 Generated with Claude Code
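An added example, not part of this PR or the project's code: an npm override only helps if every installed copy of the package, including nested copies under another package's node_modules, ends up at the fixed version in the regenerated package-lock.json. The script below walks a lockfileVersion 2/3 "packages" map and reports any copy of immutable or svgo still below the versions from the table above; both lockfile excerpts are constructed samples.

```javascript
// Minimum safe versions from the PR table (immutable 4.3.8, svgo 3.3.3).
const MIN_SAFE = { immutable: "4.3.8", svgo: "3.3.3" };

// Compare dotted numeric versions; returns <0, 0 or >0 (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the lockfile "packages" map (keys are install paths such as
// "node_modules/svgo" or "node_modules/<parent>/node_modules/svgo") and return
// every copy of a watched package whose version is below its minimum safe version.
function findVulnerableCopies(lock, minSafe = MIN_SAFE) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last segment is the package name
    if (!(name in minSafe) || !entry.version) continue;
    if (compareVersions(entry.version, minSafe[name]) < 0) {
      findings.push({ path, name, version: entry.version, required: minSafe[name] });
    }
  }
  return findings;
}

// Constructed lockfile excerpts: before the override (note the nested svgo copy
// that bumping only the top-level dependency would miss) and after regeneration.
const lockBefore = { lockfileVersion: 3, packages: {
  "node_modules/immutable": { version: "4.3.7" },
  "node_modules/svgo": { version: "3.3.2" },
  "node_modules/some-plugin/node_modules/svgo": { version: "3.3.2" },
} };
const lockAfter = { lockfileVersion: 3, packages: {
  "node_modules/immutable": { version: "4.3.8" },
  "node_modules/svgo": { version: "3.3.3" },
  "node_modules/some-plugin/node_modules/svgo": { version: "3.3.3" },
} };

console.log("before:", findVulnerableCopies(lockBefore)); // 3 findings
console.log("after:", findVulnerableCopies(lockAfter));   // []
```

Against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail CI when the result is non-empty.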

Pin immutable to ^4.3.8 (fixes CVE-2026-29063, Prototype Pollution)
and svgo to ^3.3.3 (fixes CVE-2026-29074, Billion Laughs DoS) via
npm overrides in package.json.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>