Skip to content

Commit ab82dd8

Browse files
update next CVEs, add ember 0.2.7
1 parent 0bd06dc commit ab82dd8

3 files changed

Lines changed: 161 additions & 37 deletions

File tree

docs/.vuepress/components/ELSTechnology.vue

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -648,7 +648,7 @@ const techData = [
648648
},
649649
{
650650
name: "Ember.js",
651-
versions: "2.18.2 | 3.28.6",
651+
versions: "0.2.7 | 2.18.2 | 3.28.6",
652652
link: "./ember/",
653653
},
654654
{

docs/els-for-libraries/ember/README.md

Lines changed: 149 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ Endless Lifecycle Support (ELS) for Ember.js from TuxCare provides security fixe
44

55
## Supported Ember.js Versions
66

7-
* Ember.js 2.18.2, 3.28.6
7+
* Ember.js 0.2.7, 2.18.2, 3.28.6
88

99
## Connection to ELS for Ember.js Library
1010

@@ -47,6 +47,87 @@ TuxCare publishes patched **transitive** dependencies for supported Ember.js ver
4747

4848
<TableTabs label="Choose Ember.js version: " >
4949

50+
<template #ember_0.2.7>
51+
52+
```text
53+
"dependencies": {
54+
"body-parser": "npm:@els-js/body-parser@>=1.8.4-tuxcare.1",
55+
"chownr": "npm:@els-js/chownr@>=0.0.2-tuxcare.1",
56+
"clean-css": "npm:@els-js/clean-css@>=2.2.23-tuxcare.1",
57+
"concat-stream": "npm:@els-js/concat-stream@>=1.4.8-tuxcare.1",
58+
"cross-spawn": "npm:@els-js/cross-spawn@>=0.2.9-tuxcare.1",
59+
"decompress-zip": "npm:@els-js/decompress-zip@>=0.1.0-tuxcare.1",
60+
"deep-extend": "npm:@els-js/deep-extend@>=0.2.11-tuxcare.1",
61+
"es5-ext": "npm:@els-js/es5-ext@>=0.10.7-tuxcare.1",
62+
"forwarded": "npm:@els-js/forwarded@>=0.1.0-tuxcare.1",
63+
"fresh": "npm:@els-js/fresh@>=0.2.4-tuxcare.1",
64+
"got": "npm:@els-js/got@>=2.9.2-tuxcare.1",
65+
"hoek": "npm:@els-js/hoek@>=2.14.0-tuxcare.1",
66+
"ini": "npm:@els-js/ini@>=1.3.3-tuxcare.1",
67+
"is-my-json-valid": "npm:@els-js/is-my-json-valid@>=2.10.1-tuxcare.1",
68+
"js-yaml": "npm:@els-js/js-yaml@>=3.3.1-tuxcare.1",
69+
"json5": "npm:@els-js/json5@>=0.5.1-tuxcare.1",
70+
"jsonpointer": "npm:@els-js/jsonpointer@>=1.1.0-tuxcare.1",
71+
"markdown-it": "npm:@els-js/markdown-it@>=4.0.3-tuxcare.1",
72+
"merge": "npm:@els-js/merge@>=1.2.1-tuxcare.1",
73+
"morgan": "npm:@els-js/morgan@>=1.5.3-tuxcare.1",
74+
"mout": "npm:@els-js/mout@>=0.11.0-tuxcare.1",
75+
"parsejson": "npm:@els-js/parsejson@>=0.0.3-tuxcare.1",
76+
"path-to-regexp": "npm:@els-js/path-to-regexp@>=0.1.3-tuxcare.1",
77+
"qs": "npm:@els-js/qs@>=2.4.2-tuxcare.1",
78+
"semver": "npm:@els-js/semver@>=2.3.2-tuxcare.1",
79+
"shell-quote": "npm:@els-js/shell-quote@>=1.4.3-tuxcare.1",
80+
"stringstream": "npm:@els-js/stringstream@>=0.0.4-tuxcare.1",
81+
"tar": "npm:@els-js/tar@>=2.1.1-tuxcare.1",
82+
"tar-fs": "npm:@els-js/tar-fs@>=1.5.1-tuxcare.1",
83+
"tough-cookie": "npm:@els-js/tough-cookie@>=1.2.0-tuxcare.1",
84+
"tunnel-agent": "npm:@els-js/tunnel-agent@>=0.4.0-tuxcare.1",
85+
"uglify-js": "npm:@els-js/uglify-js@>=1.1.1-tuxcare.1",
86+
"websocket-extensions": "npm:@els-js/websocket-extensions@>=0.1.1-tuxcare.1",
87+
"xmldom": "npm:@els-js/xmldom@>=0.1.31-tuxcare.1"
88+
},
89+
"overrides": {
90+
"body-parser@1.8.4": "npm:@els-js/body-parser@>=1.8.4-tuxcare.1",
91+
"chownr@0.0.2": "npm:@els-js/chownr@>=0.0.2-tuxcare.1",
92+
"clean-css@2.2.23": "npm:@els-js/clean-css@>=2.2.23-tuxcare.1",
93+
"concat-stream@1.4.8": "npm:@els-js/concat-stream@>=1.4.8-tuxcare.1",
94+
"cross-spawn@0.2.9": "npm:@els-js/cross-spawn@>=0.2.9-tuxcare.1",
95+
"decompress-zip@0.1.0": "npm:@els-js/decompress-zip@>=0.1.0-tuxcare.1",
96+
"deep-extend@0.2.11": "npm:@els-js/deep-extend@>=0.2.11-tuxcare.1",
97+
"es5-ext@0.10.7": "npm:@els-js/es5-ext@>=0.10.7-tuxcare.1",
98+
"forwarded@0.1.0": "npm:@els-js/forwarded@>=0.1.0-tuxcare.1",
99+
"fresh@0.2.4": "npm:@els-js/fresh@>=0.2.4-tuxcare.1",
100+
"got@2.9.2": "npm:@els-js/got@>=2.9.2-tuxcare.1",
101+
"hoek@2.12.0": "npm:@els-js/hoek@>=2.12.0-tuxcare.1",
102+
"hoek@2.14.0": "npm:@els-js/hoek@>=2.14.0-tuxcare.1",
103+
"ini@1.3.3": "npm:@els-js/ini@>=1.3.3-tuxcare.1",
104+
"is-my-json-valid@2.10.1": "npm:@els-js/is-my-json-valid@>=2.10.1-tuxcare.1",
105+
"js-yaml@3.3.1": "npm:@els-js/js-yaml@>=3.3.1-tuxcare.1",
106+
"json5@0.5.1": "npm:@els-js/json5@>=0.5.1-tuxcare.1",
107+
"jsonpointer@1.1.0": "npm:@els-js/jsonpointer@>=1.1.0-tuxcare.1",
108+
"markdown-it@4.0.3": "npm:@els-js/markdown-it@>=4.0.3-tuxcare.1",
109+
"merge@1.2.1": "npm:@els-js/merge@>=1.2.1-tuxcare.1",
110+
"morgan@1.5.3": "npm:@els-js/morgan@>=1.5.3-tuxcare.1",
111+
"mout@0.11.0": "npm:@els-js/mout@>=0.11.0-tuxcare.1",
112+
"parsejson@0.0.3": "npm:@els-js/parsejson@>=0.0.3-tuxcare.1",
113+
"path-to-regexp@0.1.3": "npm:@els-js/path-to-regexp@>=0.1.3-tuxcare.1",
114+
"qs@2.2.5": "npm:@els-js/qs@>=2.2.5-tuxcare.1",
115+
"qs@2.4.2": "npm:@els-js/qs@>=2.4.2-tuxcare.1",
116+
"semver@2.3.2": "npm:@els-js/semver@>=2.3.2-tuxcare.1",
117+
"shell-quote@1.4.3": "npm:@els-js/shell-quote@>=1.4.3-tuxcare.1",
118+
"stringstream@0.0.4": "npm:@els-js/stringstream@>=0.0.4-tuxcare.1",
119+
"tar@2.1.1": "npm:@els-js/tar@>=2.1.1-tuxcare.1",
120+
"tar-fs@1.5.1": "npm:@els-js/tar-fs@>=1.5.1-tuxcare.1",
121+
"tough-cookie@1.2.0": "npm:@els-js/tough-cookie@>=1.2.0-tuxcare.1",
122+
"tunnel-agent@0.4.0": "npm:@els-js/tunnel-agent@>=0.4.0-tuxcare.1",
123+
"uglify-js@1.1.1": "npm:@els-js/uglify-js@>=1.1.1-tuxcare.1",
124+
"websocket-extensions@0.1.1": "npm:@els-js/websocket-extensions@>=0.1.1-tuxcare.1",
125+
"xmldom@0.1.31": "npm:@els-js/xmldom@>=0.1.31-tuxcare.1"
126+
}
127+
```
128+
129+
</template>
130+
50131
<template #ember_2.18.2>
51132
52133
* **Option 1: Manual update**
@@ -221,6 +302,73 @@ Fixes for the following **transitive** vulnerabilities are available in ELS for
221302

222303
</template>
223304

305+
<template #ember_0.2.7>
306+
307+
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
308+
| :------------: | :------: |:--------:|:------------------:| :----------------: |
309+
| CVE-2021-21366 | Transitive | Medium | xmldom | < 0.5.0 |
310+
| CVE-2022-39353 | Transitive | Critical | xmldom | < 0.6.0, >= 0.7.0 < 0.7.8, >= 0.8.0 < 0.8.5, 0.9.0 betas |
311+
| CVE-2021-32796 | Transitive | Medium | xmldom | <= 0.6.0 |
312+
| CVE-2020-7662 | Transitive | High | websocket-extensions | < 0.1.4 |
313+
| CVE-2015-8858 | Transitive | High | uglify-js | < 2.6.0 |
314+
| CVE-2015-8857 | Transitive | Critical | uglify-js | < 2.4.24 |
315+
| GHSA-xc7v-wxcw-j472 | Transitive | Medium | tunnel-agent | < 0.6.0 |
316+
| CVE-2016-1000232 | Transitive | Medium | tough-cookie | >= 0.9.7 <= 2.2.2 |
317+
| CVE-2017-15010 | Transitive | High | tough-cookie | <= 2.3.2 |
318+
| CVE-2023-26136 | Transitive | Critical | tough-cookie | < 4.1.3 |
319+
| CVE-2018-20835 | Transitive | High | tar-fs | < 1.16.2 |
320+
| CVE-2025-59343 | Transitive || tar-fs | < 1.16.6, < 2.1.4, < 3.1.1 |
321+
| CVE-2025-48387 | Transitive || tar-fs | < 1.16.5, < 2.1.3, < 3.0.9 |
322+
| CVE-2024-12905 | Transitive | High | tar-fs | < 1.16.4, >= 2.0.0 < 2.1.2, >= 3.0.0 < 3.0.8 |
323+
| CVE-2021-32804 | Transitive | High | tar | < 3.2.3, >= 4.0.0 < 4.4.15, >= 5.0.0 < 5.0.7, >= 6.0.0 < 6.1.2 |
324+
| CVE-2015-8860 | Transitive | High | tar | < 2.0.0 |
325+
| CVE-2021-37713 | Transitive | High | tar | < 4.4.18, >= 5.0.0 < 5.0.11, >= 6.0.0 < 6.1.10 |
326+
| CVE-2018-20834 | Transitive | High | tar | < 2.2.2, >= 3.0.0 < 4.4.2 |
327+
| CVE-2024-28863 | Transitive | Medium | tar | < 6.2.1 |
328+
| CVE-2026-23950 | Transitive | High | tar | <= 7.5.3 |
329+
| CVE-2026-24842 | Transitive | High | tar | < 7.5.7 |
330+
| CVE-2026-23745 | Transitive || tar | <= 7.5.2 |
331+
| CVE-2026-26960 | Transitive | High | tar | <= 7.5.7 |
332+
| CVE-2026-29786 | Transitive || tar | < 7.5.10 |
333+
| CVE-2018-21270 | Transitive | Medium | stringstream | < 0.0.6 |
334+
| CVE-2016-10541 | Transitive | Critical | shell-quote | <= 1.6.0 |
335+
| CVE-2022-25883 | Transitive | High | semver | < 7.5.2 |
336+
| CVE-2015-8855 | Transitive | High | semver | < 4.3.2 |
337+
| CVE-2017-1000048 | Transitive | High | qs | <= 5.2.1, >= 6.0.0 < 6.0.4, >= 6.1.0 < 6.1.2, >= 6.2.0 < 6.2.3, >= 6.3.0 < 6.3.2 |
338+
| CVE-2022-24999 | Transitive | High | qs | < 6.10.3 |
339+
| CVE-2025-15284 | Transitive || qs | < 6.14.1 |
340+
| CVE-2024-45296 | Transitive | High | path-to-regexp | < 0.1.10 (0.1.x), < 8.0.0 (≥ 0.2) |
341+
| CVE-2024-52798 | Transitive || path-to-regexp | >= 0.1.0 < 0.1.12 |
342+
| CVE-2017-16113 | Transitive | High | parsejson | <= 0.0.3 |
343+
| CVE-2020-7792 | Transitive | High | mout | all versions |
344+
| CVE-2022-21213 | Transitive | High | mout | all versions |
345+
| CVE-2019-5413 | Transitive | Critical | morgan | < 1.9.1 |
346+
| CVE-2020-28499 | Transitive | Critical | merge | all versions |
347+
| CVE-2022-21670 | Transitive | Medium | markdown-it | <= 12.3.1 |
348+
| CVE-2021-23807 | Transitive | Critical | jsonpointer | < 5.0.0 |
349+
| CVE-2022-46175 | Transitive | High | json5 | <= 1.0.1, >= 2.0.0 <= 2.2.1 |
350+
| GHSA-2pr6-76vf-7546 | Transitive | Medium | js-yaml | < 3.13.0 |
351+
| GHSA-8j8c-7jfh-h6hx | Transitive | High | js-yaml | < 3.13.1 |
352+
| CVE-2025-64718 | Transitive | Medium | js-yaml | < 3.14.2, >= 4.0.0 < 4.1.1 |
353+
| CVE-2018-1107 | Transitive | Medium | is-my-json-valid | < 1.4.1, >= 2.0.0 < 2.17.2 |
354+
| CVE-2016-2537 | Transitive | High | is-my-json-valid | < 2.12.4 |
355+
| CVE-2020-7788 | Transitive | Critical | ini | < 1.3.6 |
356+
| CVE-2020-36604 | Transitive | High | hoek | < 8.5.1, >= 9.0.0 < 9.0.3 |
357+
| CVE-2018-3728 | Transitive | High | hoek | < 4.2.0, >= 5.0.0 < 5.0.3 |
358+
| CVE-2022-33987 | Transitive | Medium | got | < 11.8.5, >= 12.0.0 < 12.1.0 |
359+
| CVE-2017-16119 | Transitive | High | fresh | < 0.5.2 |
360+
| CVE-2017-16118 | Transitive | High | forwarded | < 0.1.2 |
361+
| CVE-2024-27088 | Transitive || es5-ext | >= 0.10.0 < 0.10.63 |
362+
| CVE-2018-3750 | Transitive | Critical | deep-extend | <= 0.5.0 |
363+
| GHSA-73v8-v6g4-vrpm | Transitive | High | decompress-zip | < 0.2.2 |
364+
| CVE-2024-21538 | Transitive || cross-spawn | < 6.0.6, >= 7.0.0 < 7.0.5 |
365+
| GHSA-g74r-ffvr-5q9f | Transitive | Medium | concat-stream | >= 1.5.0 < 1.5.2 |
366+
| GHSA-wxhq-pm8v-cw75 | Transitive | Low | clean-css | < 4.1.11 |
367+
| CVE-2017-18869 | Transitive | Low | chownr | < 1.1.0 |
368+
| CVE-2024-45590 | Transitive | High | body-parser | < 1.20.3 |
369+
370+
</template>
371+
224372
<template #ember_3.28.6>
225373

226374
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |

docs/els-for-libraries/next/README.md

Lines changed: 11 additions & 35 deletions
Original file line numberDiff line numberDiff line change
@@ -43,13 +43,9 @@ TuxCare provides ELS for Next.js as an NPM package, hosted on a secure internal
4343
Replace ${TOKEN} with the token you received from [sales@tuxcare.com](mailto:sales@tuxcare.com).
4444
:::
4545

46-
4. Update your `package.json` file to replace your Next.js dependencies with the TuxCare packages. You can do this in two ways:
46+
4. Update your `package.json` file to replace your Next.js dependencies with the TuxCare packages. Choose your Next.js version below and add the `dependencies` and `overrides` entries shown.
4747

48-
* **Option 1: Manual update**
49-
50-
Manually update your `package.json` file by replacing your Next.js dependencies with the TuxCare packages. This method gives you full control over which packages to update.
51-
52-
<TableTabs label="Choose Next.js version: " >
48+
<TableTabs label="Choose Next.js version: " >
5349

5450
<template #next_12.3.7>
5551

@@ -103,35 +99,7 @@ TuxCare provides ELS for Next.js as an NPM package, hosted on a secure internal
10399

104100
</template>
105101

106-
</TableTabs>
107-
108-
* **Option 2: TuxCare Patcher (Automated)**
109-
110-
Install the Patcher globally and run it. The TuxCare Patcher automatically detects the Next.js version in your `package.json` and updates your `dependencies` and `overrides` to use the corresponding TuxCare `@els-js/*` packages.
111-
112-
```text
113-
npm install -g @els-js/tuxcare-patcher --userconfig ./.npmrc
114-
tuxcare-patch-js
115-
```
116-
117-
The patcher will update your `package.json`, for example, from:
118-
119-
```text
120-
"dependencies": {
121-
"next": "^12.3.7"
122-
}
123-
```
124-
125-
to:
126-
127-
```text
128-
"dependencies": {
129-
"next": "npm:@els-js/next@>=12.3.7-tuxcare.1"
130-
},
131-
"overrides": {
132-
"next@12.3.7": "npm:@els-js/next@>=12.3.7-tuxcare.1"
133-
}
134-
```
102+
</TableTabs>
135103

136104
5. You need to remove the `node_modules` directory and the `package-lock.json` file, and also clear the `npm cache` before installing the patched packages. Use the following commands:
137105

@@ -191,6 +159,8 @@ Fixes for the following vulnerabilities are available in ELS for Next.js from Tu
191159
| CVE-2025-55173 | Direct | Medium | next | < 14.2.31, >= 15.0.0 < 15.4.5 |
192160
| CVE-2025-48068 | Direct | Low | next | >= 13.0.0 < 14.2.30, >= 15.0.0 < 15.2.2 |
193161
| CVE-2025-32421 | Direct | Low | next | < 14.2.24, >= 15.0.0 < 15.1.6 |
162+
| CVE-2026-29057 | Direct | Medium | next | >= 9.5.0 < 15.5.13, >= 16.0.0 < 16.1.7 |
163+
| CVE-2026-27980 | Direct | High | next | >= 10.0.0 < 16.1.7 |
194164

195165
</template>
196166

@@ -208,6 +178,8 @@ Fixes for the following vulnerabilities are available in ELS for Next.js from Tu
208178
| CVE-2025-55173 | Direct | Medium | next | < 14.2.31, >= 15.0.0 < 15.4.5 |
209179
| CVE-2025-48068 | Direct | Low | next | >= 13.0.0 < 14.2.30, >= 15.0.0 < 15.2.2 |
210180
| CVE-2025-32421 | Direct | Low | next | < 14.2.24, >= 15.0.0 < 15.1.6 |
181+
| CVE-2026-29057 | Direct | Medium | next | >= 9.5.0 < 15.5.13, >= 16.0.0 < 16.1.7 |
182+
| CVE-2026-27980 | Direct | High | next | >= 10.0.0 < 16.1.7 |
211183

212184
</template>
213185

@@ -225,6 +197,8 @@ Fixes for the following vulnerabilities are available in ELS for Next.js from Tu
225197
| CVE-2025-55173 | Direct | Medium | next | < 14.2.31, >= 15.0.0 < 15.4.5 |
226198
| CVE-2025-48068 | Direct | Low | next | >= 13.0.0 < 14.2.30, >= 15.0.0 < 15.2.2 |
227199
| CVE-2025-32421 | Direct | Low | next | < 14.2.24, >= 15.0.0 < 15.1.6 |
200+
| CVE-2026-29057 | Direct | Medium | next | >= 9.5.0 < 15.5.13, >= 16.0.0 < 16.1.7 |
201+
| CVE-2026-27980 | Direct | High | next | >= 10.0.0 < 16.1.7 |
228202

229203
</template>
230204

@@ -233,6 +207,8 @@ Fixes for the following vulnerabilities are available in ELS for Next.js from Tu
233207
| CVE ID | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
234208
|:--------------:| :------: |:--------:|:------------------:|:------------------------------:|
235209
| CVE-2025-55182 | Direct | Critical | next | >= 16.0.0 <= 16.0.7 |
210+
| CVE-2026-29057 | Direct | Medium | next | >= 9.5.0 < 15.5.13, >= 16.0.0 < 16.1.7 |
211+
| CVE-2026-27980 | Direct | High | next | >= 10.0.0 < 16.1.7 |
236212

237213
</template>
238214

0 commit comments

Comments
 (0)