Skip to content

[Snyk] Security upgrade liquidjs from 10.25.7 to 10.26.0#109

Open
snyk-io[bot] wants to merge 1 commit into
mainfrom
snyk-fix-e2f45ac1ee0457063d63a1f528ae590a
Open

[Snyk] Security upgrade liquidjs from 10.25.7 to 10.26.0#109
snyk-io[bot] wants to merge 1 commit into
mainfrom
snyk-fix-e2f45ac1ee0457063d63a1f528ae590a

Conversation

@snyk-io
Copy link
Copy Markdown

@snyk-io snyk-io Bot commented May 27, 2026
edited by Dustin4444
Loading

snyk-top-banner

Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning 
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue
high severity Denial of Service (DoS)
SNYK-JS-LIQUIDJS-16882546
medium severity Insecure Default Initialization of Resource
SNYK-JS-LIQUIDJS-16887887
medium severity Cross-site Scripting (XSS)
SNYK-JS-LIQUIDJS-16887888

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Cross-site Scripting (XSS)

This change is Reviewable

@snyk-io
Copy link
Copy Markdown
Author

snyk-io Bot commented May 27, 2026

Merge Risk: Medium

This minor upgrade introduces security fixes and new features. The risk is assessed as medium due to behavioral changes in security hardening that may require verification.

Key Changes:

  • Behavioral/Security Change: A security fix has been implemented to block filter and tag lookups from Object.prototype to prevent a potential Remote Code Execution (RCE) vulnerability. [1, 2, 3] Applications improperly relying on prototype chain lookups for filters or tags may break.
  • Bug Fix / Security: The strip_html filter was rewritten to prevent a Regular Expression Denial of Service (ReDoS) vulnerability. [1, 2, 3] This may result in subtle output changes.
  • New Features: New cryptographic filters sha256 and hmac_sha256 have been added. [1, 3]

Recommendation:
Verify that your templates do not depend on resolving filters or tags from the object prototype. It is also advisable to test any functionality that uses the strip_html filter to ensure the output remains as expected.

Source: Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 27, 2026

⚠️ No Changeset found

Latest commit: 77f5a88

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@snyk-io
Copy link
Copy Markdown
Author

snyk-io Bot commented May 27, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
🔚 Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@snyk-io
Copy link
Copy Markdown
Author

snyk-io Bot commented May 27, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants