
Fix CVE-2026-29074 by removing svgo#346

Merged
rgrunber merged 2 commits into eclipse-che:main from sbouchet:CVE-2026-10424 on Mar 23, 2026
Conversation

@sbouchet (Contributor) commented Mar 20, 2026

This PR fixes GHSA-xpqw-6gx7-v673: SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)

Bumping css-loader, style-loader, ts-loader and typescript to a more recent version

fixes https://redhat.atlassian.net/browse/CRW-10424
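
Added example, not part of this PR and not code from SVGO or eclipse-che: a pre-parse guard in JavaScript that estimates how large the DOCTYPE entity expansion named above (Billion Laughs) would be without materialising it, so a file can be rejected before any entity-expanding XML parser touches it. The function names, the 1 MiB budget and both sample documents are assumptions constructed for this example. Removing or upgrading the vulnerable package, as this PR does, is the actual fix; a guard like this only limits what reaches a parser.

```javascript
// Added example, not code from the eclipse-che PR or from SVGO: a pre-parse
// guard that estimates how much an SVG's internal DOCTYPE entities would
// expand before the file is handed to an XML parser that resolves them.
// Function names and the 1 MiB budget are assumptions made for this example.

const MAX_EXPANDED_BYTES = 1024 * 1024; // assumed budget for expanded text
const PREDEFINED = new Set(['amp', 'lt', 'gt', 'apos', 'quot']); // XML built-ins, expand to one char

// Collect <!ENTITY name "value"> declarations from the internal DTD subset.
// Parameter entities (<!ENTITY % ...>) and external (SYSTEM/PUBLIC) entities
// are deliberately not modelled; they do not match the quoted-value form.
function parseInternalEntities(doc) {
  const entities = new Map();
  const subset = doc.match(/<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/i);
  if (!subset) return entities;
  const decl = /<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  for (const m of subset[1].matchAll(decl)) {
    entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return entities;
}

// Build a function returning the fully expanded length of a text fragment,
// following nested &name; references without materialising them. Sizes are
// memoised per entity, so a Billion Laughs payload costs O(entities), not
// O(expanded bytes). A reference cycle or an undefined entity is an error.
function makeExpander(entities) {
  const sizes = new Map();
  const visiting = new Set();

  function sizeOf(name) {
    if (PREDEFINED.has(name)) return 1;
    if (sizes.has(name)) return sizes.get(name);
    if (visiting.has(name)) throw new Error(`recursive entity reference: &${name};`);
    const value = entities.get(name);
    if (value === undefined) throw new Error(`undefined entity: &${name};`);
    visiting.add(name);
    const n = expandedLength(value);
    visiting.delete(name);
    sizes.set(name, n);
    return n;
  }

  function expandedLength(text) {
    let total = 0;
    let last = 0;
    // Character references (&#...;) are left as literal text: they never grow.
    for (const m of text.matchAll(/&([^\s;&#]+);/g)) {
      total += m.index - last + sizeOf(m[1]);
      last = m.index + m[0].length;
    }
    return total + (text.length - last);
  }

  return expandedLength;
}

// Estimate the size of the document body once every entity reference is resolved.
function estimateEntityExpansion(doc) {
  const entities = parseInternalEntities(doc);
  const expandedLength = makeExpander(entities);
  const doctype = doc.match(/<!DOCTYPE[^\[>]*(?:\[[\s\S]*?\])?\s*>/i);
  const body = doctype ? doc.slice(doctype.index + doctype[0].length) : doc;
  return { entityCount: entities.size, expandedBytes: expandedLength(body) };
}

// Gate to run before an optimiser or parser: reject the file when the
// expansion would exceed the budget or the DTD is malformed.
function checkSvg(doc, limit = MAX_EXPANDED_BYTES) {
  try {
    const { entityCount, expandedBytes } = estimateEntityExpansion(doc);
    const ok = expandedBytes <= limit;
    return { ok, entityCount, expandedBytes,
             reason: ok ? 'ok' : `expansion of ${expandedBytes} bytes exceeds limit ${limit}` };
  } catch (err) {
    return { ok: false, entityCount: 0, expandedBytes: 0, reason: err.message };
  }
}

// Constructed sample: the classic Billion Laughs shape. Each level references
// the previous one `fanout` times; 9 levels x 10 yields 3,000,000,000 bytes
// of expanded text from a file of about 1 KB.
function billionLaughsSvg(depth = 9, fanout = 10) {
  const nameOf = (i) => (i === 0 ? 'lol' : `lol${i}`);
  let decls = '  <!ENTITY lol "lol">\n';
  for (let i = 1; i <= depth; i++) {
    decls += `  <!ENTITY ${nameOf(i)} "${`&${nameOf(i - 1)};`.repeat(fanout)}">\n`;
  }
  return `<?xml version="1.0"?>\n<!DOCTYPE svg [\n${decls}]>\n` +
         `<svg xmlns="http://www.w3.org/2000/svg"><title>&${nameOf(depth)};</title></svg>\n`;
}

// Constructed benign sample: one small entity used once.
const BENIGN_SVG = '<!DOCTYPE svg [<!ENTITY brand "Eclipse Che">]>' +
                   '<svg><title>&brand;</title></svg>';

console.log(checkSvg(BENIGN_SVG));         // ok: true, expandedBytes: 37
console.log(checkSvg(billionLaughsSvg())); // ok: false, expandedBytes above 3e9
```

The estimator never builds the expanded string, which is the whole point: the cost of deciding is proportional to the number of entity declarations, while the cost a naive parser pays is proportional to the expanded output. A document with no DOCTYPE passes through with its literal length.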

sbouchet and others added 2 commits March 20, 2026 17:12
Bumping css-loader and style-loader to a more recent version

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
css-loader 5.x introduces @types/json-schema as a transitive dependency,
which triggers a crash in TypeScript 3.4.5 (__spreadArrays not defined).
Upgrade typescript to 4.9.5 and ts-loader to 8.4.0 for compatibility.

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sbouchet sbouchet marked this pull request as ready for review March 23, 2026 11:00
@sbouchet sbouchet requested a review from rgrunber March 23, 2026 11:00
@rgrunber left a comment

This continues to build with this change and reduces the listed vulnerabilities by npm audit from 58 (5 low, 43 med, 10 high) to 17 (5 low, 4 moderate, 8 high).

@rgrunber rgrunber merged commit 769cf15 into eclipse-che:main Mar 23, 2026
9 checks passed
@sbouchet sbouchet deleted the CVE-2026-10424 branch March 24, 2026 09:22