From 62e627b78e350409e9b8b37bd2f5ff0ca5ea7ab9 Mon Sep 17 00:00:00 2001 From: Jessica He Date: Tue, 30 Jun 2026 15:58:52 -0400 Subject: [PATCH] chore(lightspeed): patch yarn.lock to resolve 1.10.2 CVEs Signed-off-by: Jessica He --- .../lightspeed/patches/0-cve-yarn-lock.patch | 178 ++++++++++++++++++ .../lightspeed/patches/cve-backports.yaml | 34 ++++ 2 files changed, 212 insertions(+) create mode 100644 workspaces/lightspeed/patches/0-cve-yarn-lock.patch create mode 100644 workspaces/lightspeed/patches/cve-backports.yaml diff --git a/workspaces/lightspeed/patches/0-cve-yarn-lock.patch b/workspaces/lightspeed/patches/0-cve-yarn-lock.patch new file mode 100644 index 000000000..b76e71bc4 --- /dev/null +++ b/workspaces/lightspeed/patches/0-cve-yarn-lock.patch @@ -0,0 +1,178 @@ +--- yarn.lock ++++ yarn.lock +@@ -21220,13 +21220,13 @@ + linkType: hard + + "express-rate-limit@npm:^8.2.2": +- version: 8.3.1 +- resolution: "express-rate-limit@npm:8.3.1" ++ version: 8.5.2 ++ resolution: "express-rate-limit@npm:8.5.2" + dependencies: +- ip-address: "npm:10.1.0" ++ ip-address: "npm:^10.2.0" + peerDependencies: + express: ">= 4.11" +- checksum: 10c0/e3229938457cec617460c54ef4e90c8c254facc884729325d20ea35e3838bd273e4c611fc1f4a76f6d14c411e30d31b15e88eb4be87408615ff0aacc142511a2 ++ checksum: 10c0/c98c49b93e94627940cf5e7c2578718b94d77163357161c3343d148e46257136c988933a96d6e1e728a010683133a58f68cad46928b063cf8d99521c8772578d + languageName: node + linkType: hard + +@@ -21802,29 +21802,29 @@ + linkType: hard + + "form-data@npm:^2.5.5": +- version: 2.5.5 +- resolution: "form-data@npm:2.5.5" ++ version: 2.5.6 ++ resolution: "form-data@npm:2.5.6" + dependencies: + asynckit: "npm:^0.4.0" + combined-stream: "npm:^1.0.8" + es-set-tostringtag: "npm:^2.1.0" +- hasown: "npm:^2.0.2" ++ hasown: "npm:^2.0.4" + mime-types: "npm:^2.1.35" + safe-buffer: "npm:^5.2.1" +- checksum: 10c0/7fb70447849fc9bce4d01fe9a626f6587441f85779a2803b67f803e1ab52b0bd78db0a7acd80d944c665f68ca90936c327f1244b730719b638a0219e98b20488 ++ checksum: 10c0/de6b085a2b0d013299ccc888b677dbdb3d2a54ef8d74982bda9ad7d928f57440abae1bc736a5b85ea01077cfb6c72e9a7752dc786304271c03bd0013ef8f08cb + languageName: node + linkType: hard + + "form-data@npm:^4.0.0, form-data@npm:^4.0.1, form-data@npm:^4.0.4, form-data@npm:^4.0.5": +- version: 4.0.5 +- resolution: "form-data@npm:4.0.5" ++ version: 4.0.6 ++ resolution: "form-data@npm:4.0.6" + dependencies: + asynckit: "npm:^0.4.0" + combined-stream: "npm:^1.0.8" + es-set-tostringtag: "npm:^2.1.0" +- hasown: "npm:^2.0.2" +- mime-types: "npm:^2.1.12" +- checksum: 10c0/dd6b767ee0bbd6d84039db12a0fa5a2028160ffbfaba1800695713b46ae974a5f6e08b3356c3195137f8530dcd9dfcb5d5ae1eeff53d0db1e5aad863b619ce3b ++ hasown: "npm:^2.0.4" ++ mime-types: "npm:^2.1.35" ++ checksum: 10c0/43947a77bf0ff45c6ceed789778982d47a3f3e720a74b71721174ebf3310a5f1a8be1d6b38a3ee3688e8a18a2c4273073ec0844cd37efda3eaf46d41c9c318ff + languageName: node + linkType: hard + +@@ -22822,6 +22822,15 @@ + dependencies: + function-bind: "npm:^1.1.2" + checksum: 10c0/3769d434703b8ac66b209a4cca0737519925bbdb61dd887f93a16372b14694c63ff4e797686d87c90f08168e81082248b9b028bad60d4da9e0d1148766f56eb9 ++ languageName: node ++ linkType: hard ++ ++"hasown@npm:^2.0.4": ++ version: 2.0.4 ++ resolution: "hasown@npm:2.0.4" ++ dependencies: ++ function-bind: "npm:^1.1.2" ++ checksum: 10c0/2d8de939e270b70618f8cebb69746620db10617dbb495bc66ddad326955ea24d3ca4af133aff3eb7c1853e0218f867bc2b050ec26fe02e3aea58f880ffc5e506 + languageName: node + linkType: hard + +@@ -23818,20 +23827,10 @@ + languageName: node + linkType: hard + +-"ip-address@npm:10.1.0": +- version: 10.1.0 +- resolution: "ip-address@npm:10.1.0" +- checksum: 10c0/0103516cfa93f6433b3bd7333fa876eb21263912329bfa47010af5e16934eeeff86f3d2ae700a3744a137839ddfad62b900c7a445607884a49b5d1e32a3d7566 +- languageName: node +- linkType: hard +- +-"ip-address@npm:^9.0.5": +- version: 9.0.5 +- resolution: "ip-address@npm:9.0.5" +- dependencies: +- jsbn: "npm:1.1.0" +- sprintf-js: "npm:^1.1.3" +- checksum: 10c0/331cd07fafcb3b24100613e4b53e1a2b4feab11e671e655d46dc09ee233da5011284d09ca40c4ecbdfe1d0004f462958675c224a804259f2f78d2465a87824bc ++"ip-address@npm:^10.1.1, ip-address@npm:^10.2.0": ++ version: 10.2.0 ++ resolution: "ip-address@npm:10.2.0" ++ checksum: 10c0/5a00aada6e922c9c69dfc800ed5d0fa3348675ebdeed0e1575f503f27ca385b5f534363c9af7ad1daf64c1f1409388cdd3cc2e9b9b0fe1c924a431378d55075a + languageName: node + linkType: hard + +@@ -25246,7 +25245,7 @@ + languageName: node + linkType: hard + +-"jsbn@npm:1.1.0, jsbn@npm:^1.1.0": ++"jsbn@npm:^1.1.0": + version: 1.1.0 + resolution: "jsbn@npm:1.1.0" + checksum: 10c0/4f907fb78d7b712e11dea8c165fe0921f81a657d3443dde75359ed52eb2b5d33ce6773d97985a089f09a65edd80b11cb75c767b57ba47391fee4c969f7215c96 +@@ -27950,7 +27949,7 @@ + languageName: node + linkType: hard + +-"mime-types@npm:^2.1.12, mime-types@npm:^2.1.27, mime-types@npm:^2.1.31, mime-types@npm:^2.1.35, mime-types@npm:~2.1.17, mime-types@npm:~2.1.24, mime-types@npm:~2.1.34": ++"mime-types@npm:^2.1.27, mime-types@npm:^2.1.31, mime-types@npm:^2.1.35, mime-types@npm:~2.1.17, mime-types@npm:~2.1.24, mime-types@npm:~2.1.34": + version: 2.1.35 + resolution: "mime-types@npm:2.1.35" + dependencies: +@@ -33789,12 +33788,12 @@ + linkType: hard + + "socks@npm:^2.6.2, socks@npm:^2.8.3": +- version: 2.8.3 +- resolution: "socks@npm:2.8.3" +- dependencies: +- ip-address: "npm:^9.0.5" ++ version: 2.8.9 ++ resolution: "socks@npm:2.8.9" ++ dependencies: ++ ip-address: "npm:^10.1.1" + smart-buffer: "npm:^4.2.0" +- checksum: 10c0/d54a52bf9325165770b674a67241143a3d8b4e4c8884560c4e0e078aace2a728dffc7f70150660f51b85797c4e1a3b82f9b7aa25e0a0ceae1a243365da5c51a7 ++ checksum: 10c0/2d4350c31142b0931eb1758825b426bcbf4bfb5eed682ca48bc46dc9e7d1930ec366ea574ad49fc6c1fd9e9e17ce243be0ef13e31fc4b0319d9093f1fb19743c + languageName: node + linkType: hard + +@@ -33958,7 +33957,7 @@ + languageName: node + linkType: hard + +-"sprintf-js@npm:^1.1.2, sprintf-js@npm:^1.1.3": ++"sprintf-js@npm:^1.1.2": + version: 1.1.3 + resolution: "sprintf-js@npm:1.1.3" + checksum: 10c0/09270dc4f30d479e666aee820eacd9e464215cdff53848b443964202bf4051490538e5dd1b42e1a65cf7296916ca17640aebf63dae9812749c7542ee5f288dec +@@ -35999,9 +35998,9 @@ + linkType: hard + + "undici@npm:^7.1.1, undici@npm:^7.16.0, undici@npm:^7.24.5": +- version: 7.25.0 +- resolution: "undici@npm:7.25.0" +- checksum: 10c0/02a0b45dc14eb91bc488948750232450fe52f27a6b08086d6ac6736bb47908d600fe3a96d346f12eab24729c782e5c2f693bc8e8eca6696d4e4c09b1ed4cb4ec ++ version: 7.28.0 ++ resolution: "undici@npm:7.28.0" ++ checksum: 10c0/fe781983a26098795e99bb1f64906cbb7d0bcaa029a26baade007b53ea67f2631d189b8f9671a31f4c8d0cb3773b7559608628ba54452fef51fec90e7c78bb0d + languageName: node + linkType: hard + +@@ -37294,8 +37293,8 @@ + linkType: hard + + "ws@npm:*, ws@npm:^8.18.0, ws@npm:^8.18.2, ws@npm:^8.18.3, ws@npm:^8.8.0": +- version: 8.20.0 +- resolution: "ws@npm:8.20.0" ++ version: 8.21.0 ++ resolution: "ws@npm:8.21.0" + peerDependencies: + bufferutil: ^4.0.1 + utf-8-validate: ">=5.0.2" +@@ -37304,7 +37303,7 @@ + optional: true + utf-8-validate: + optional: true +- checksum: 10c0/956ac5f11738c914089b65878b9223692ace77337ba55379ae68e1ecbeae9b47a0c6eb9403688f609999a58c80d83d99865fe0029b229d308b08c1ef93d4ea14 ++ checksum: 10c0/ef4a243476283fc49bc7550966c4af4aa0eef56273837211e700de3b664e08604a760cdddcb5ba43c049140e74ccfec5b0ee0bb439e08c2adf9138902fdde5f9 + languageName: node + linkType: hard + diff --git a/workspaces/lightspeed/patches/cve-backports.yaml b/workspaces/lightspeed/patches/cve-backports.yaml new file mode 100644 index 000000000..28eb0a7ca --- /dev/null +++ b/workspaces/lightspeed/patches/cve-backports.yaml @@ -0,0 +1,34 @@ +# CVE backports applied via workspace patches (not repo-ref bumps). +# Auto-generated by scripts/yarnlock-backport. +# Optional: add notes on any backport row (preserved when you re-run generate). + +patch_file: 0-cve-yarn-lock.patch +backports: + - cve_ids: + - CVE-2026-12143 + package: form-data + patch_version: 2.5.6, 4.0.6 + - cve_ids: + - CVE-2026-42338 + package: ip-address + patch_version: 10.2.0 + - cve_ids: + - CVE-2026-12151 + - CVE-2026-6734 + - CVE-2026-9697 + package: undici + patch_version: 7.28.0 + - cve_ids: + - CVE-2026-45736 + - CVE-2026-48779 + package: ws + patch_version: 8.18.0, 8.21.0 + notes: |- + [auto] ws@8.18.0 is still in CVE affected range; verify dev-only + └─┬ @internal/lightspeed@1.0.0 + └─┬ @backstage/cli-defaults@0.1.0 + └─┬ @backstage/cli-module-build@0.1.2 + └─┬ @module-federation/enhanced@0.21.6 + └─┬ @module-federation/dts-plugin@0.21.6 + └─┬ isomorphic-ws@5.0.0 + └── ws@8.18.0