From 4ddadd14211fd6100b0226ed708e924a5135cc1a Mon Sep 17 00:00:00 2001 From: Jefferson Ramos Date: Thu, 2 Jul 2026 15:48:52 -0300 Subject: [PATCH] OCPBUGS-94130: Fix CVE-2026-45822 decode-uri-component DoS vulnerability Bump decode-uri-component from 0.2.0 to 0.5.0 via yarn resolutions to fix a denial of service vulnerability where crafted input causes super-linear parsing time in decodeComponents(). Version 0.5.0 rewrites the decoder as a single-pass UTF-8 scanner, eliminating the issue. Co-Authored-By: Claude Opus 4.6 --- frontend/package.json | 5 +++-- frontend/yarn.lock | 8 ++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/frontend/package.json b/frontend/package.json index 97d4e5f9f7b..0649431cf12 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -97,7 +97,7 @@ ] }, "transformIgnorePatterns": [ - "/node_modules/(?!(@patternfly(-\\S+)?|d3(-\\S+)?|delaunator|robust-predicates|internmap|lodash-es|istextorbinary|@console|@novnc|@spice-project|@popperjs|i18next(-\\S+)?|@babel/runtime|jsonpath-plus|nanoid|@rjsf|git-url-parse|git-up|parse-url|protocols|sanitize-html|fuzzysearch)/.*)" + "/node_modules/(?!(@patternfly(-\\S+)?|d3(-\\S+)?|delaunator|robust-predicates|internmap|lodash-es|istextorbinary|@console|@novnc|@spice-project|@popperjs|i18next(-\\S+)?|@babel/runtime|jsonpath-plus|nanoid|@rjsf|git-url-parse|git-up|parse-url|protocols|sanitize-html|fuzzysearch|decode-uri-component)/.*)" ], "testPathIgnorePatterns": [ "/node_modules/", @@ -336,7 +336,8 @@ "minimatch@^10.1.2": "^10.2.1", "shell-quote": "1.8.4", "protobufjs": "7.5.8", - "fast-uri": "3.1.2" + "fast-uri": "3.1.2", + "decode-uri-component": "0.5.0" }, "lint-staged": { "*.{js,jsx,ts,tsx,json,gql,graphql}": "eslint --color --fix" diff --git a/frontend/yarn.lock b/frontend/yarn.lock index b3b2f469739..57263a59f88 100644 --- a/frontend/yarn.lock +++ b/frontend/yarn.lock @@ -10075,10 +10075,10 @@ __metadata: languageName: node linkType: hard -"decode-uri-component@npm:^0.2.0": - version: 0.2.0 - resolution: "decode-uri-component@npm:0.2.0" - checksum: 10c0/dbc3c72e4a740703f76fb3f51e35bb81546aa3e8c7897e015b8bc289813d3044ad6eaa6048fbb43f6b7b34ef005527b7511da50399caa78b91ee39266a341822 +"decode-uri-component@npm:0.5.0": + version: 0.5.0 + resolution: "decode-uri-component@npm:0.5.0" + checksum: 10c0/b913bb2ec3a83b4c96d961dcd7808c538f2f69f9a8581ab1bfbbb3d48c90e36779cc4580334198315d4c17f9c32d88ae4467c96582419a70b5f35df2c5a05cb1 languageName: node linkType: hard