From a3e9e3db62f9794fe4b3ae414a2d252edb6196aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?= =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?= =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
Date: Tue, 5 Mar 2024 17:20:07 +0100
Subject: [PATCH] fix(editor): Upgrade sanitize-html to address CVE-2024-21501 (#8816)
---
 packages/design-system/package.json | 4 +--
 pnpm-lock.yaml | 55 +++++++++--------------------
 2 files changed, 18 insertions(+), 41 deletions(-)
diff --git a/packages/design-system/package.json b/packages/design-system/package.json
index 651009b758..ac42e7e93a 100644
--- a/packages/design-system/package.json
+++ b/packages/design-system/package.json
@@ -46,7 +46,7 @@
 "@types/markdown-it": "^12.2.3",
 "@types/markdown-it-emoji": "^2.0.2",
 "@types/markdown-it-link-attributes": "^3.0.1",
- "@types/sanitize-html": "^2.9.0",
+ "@types/sanitize-html": "^2.11.0",
 "@vitejs/plugin-vue": "^4.5.2",
 "@vue/test-utils": "^2.4.3",
 "@vue/tsconfig": "^0.5.1",
@@ -71,7 +71,7 @@
 "markdown-it-emoji": "^2.0.2",
 "markdown-it-link-attributes": "^4.0.1",
 "markdown-it-task-lists": "^2.1.1",
- "sanitize-html": "2.10.0",
+ "sanitize-html": "2.12.1",
 "vue": "^3.4.21",
 "vue-boring-avatars": "^1.3.0",
 "vue-router": "^4.2.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d71017c99b..b294605ef1 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -836,8 +836,8 @@ importers: specifier: ^2.1.1 version: 2.1.1 sanitize-html: - specifier: 2.10.0 - version: 2.10.0 + specifier: 2.12.1 + version: 2.12.1 vue: specifier: ^3.4.21 version: 3.4.21(typescript@5.3.2)
@@ -909,8 +909,8 @@ importers: specifier: ^3.0.1 version: 3.0.1 '@types/sanitize-html': - specifier: ^2.9.0 - version: 2.9.0 + specifier: ^2.11.0 + version: 2.11.0 '@vitejs/plugin-vue': specifier: ^4.5.2 version: 4.5.2(vite@5.1.5)(vue@3.4.21)
@@ -9377,7 +9377,7 @@ packages: ts-dedent: 2.2.0 type-fest: 2.19.0 vue: 3.4.21(typescript@5.3.2) - vue-component-type-helpers: 2.0.4 + vue-component-type-helpers: 2.0.5 transitivePeerDependencies: - encoding - supports-color @@ -10128,10 +10128,10 @@ packages: '@types/node': 18.16.16 dev: false - /@types/sanitize-html@2.9.0: - resolution: {integrity: sha512-4fP/kEcKNj2u39IzrxWYuf/FnCCwwQCpif6wwY6ROUS1EPRIfWJjGkY3HIowY1EX/VbX5e86yq8AAE7UPMgATg==} + /@types/sanitize-html@2.11.0: + resolution: {integrity: sha512-7oxPGNQHXLHE48r/r/qjn7q0hlrs3kL7oZnGj0Wf/h9tj/6ibFyRkNbsDxaBBZ4XUZ0Dx5LGCyDJ04ytSofacQ==} dependencies: - htmlparser2: 8.0.1 + htmlparser2: 8.0.2 dev: true /@types/scheduler@0.16.2: @@ -13735,11 +13735,6 @@ packages: /deep-is@0.1.4: resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==} - /deepmerge@4.2.2: - resolution: {integrity: sha512-FJ3UgI4gIl+PHZm53knsuSFpE+nESMr7M4v9QcgB7S63Kj/6WqMiFQJpBBYz1Pt+66bZpP3Q7Lye0Oo9MPKEdg==} - engines: {node: '>=0.10.0'} - dev: false - /deepmerge@4.3.1: resolution: {integrity: sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==} engines: {node: '>=0.10.0'} @@ -16500,14 +16495,6 @@ packages: entities: 2.2.0 dev: false - /htmlparser2@8.0.1: - resolution: {integrity: sha512-4lVbmc1diZC7GUJQtRQ5yBAeUCL1exyMwmForWkRLnwyzWBFxN633SALPMGYaWZvKe9j1pRZJpauvmxENSp/EA==} - dependencies: - domelementtype: 2.3.0 - domhandler: 5.0.3 - domutils: 3.0.1 - entities: 4.4.0 - /htmlparser2@8.0.2: resolution: {integrity: sha512-GYdjWKDkbRLkZ5geuHs5NY1puJ+PXwP7+fHPRz06Eirsb9ugf6d8kkXav6ADhcODhFFPMIXyxkxSuMf3D6NCFA==} dependencies: @@ -16515,7 +16502,6 @@ packages: domhandler: 5.0.3 domutils: 3.0.1 entities: 4.4.0 - dev: false /http-cache-semantics@4.1.1: resolution: {integrity: sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==} 
@@ -21060,7 +21046,7 @@ packages: /parse5@7.1.2: resolution: {integrity: sha512-Czj1WaSVpaoj0wbhMzLmWD69anp2WH7FXMB9n1Sy8/ZFF9jolSQVMu1Ij5WIyGmcBmhk7EOndpO4mIpihVqAXw==} dependencies: - entities: 4.4.0 + entities: 4.5.0 dev: true /parseley@0.12.1: @@ -21833,15 +21819,6 @@ packages: source-map: 0.6.1 dev: true - /postcss@8.4.21: - resolution: {integrity: sha512-tP7u/Sn/dVxK2NnruI4H9BG+x+Wxz6oeZ1cJ8P6G/PZY0IKk4k/63TDsQf2kQq3+qoJeLm2kIBUNlZe3zgb4Zg==} - engines: {node: ^10 || ^12 || >=14} - dependencies: - nanoid: 3.3.6 - picocolors: 1.0.0 - source-map-js: 1.0.2 - dev: false - /postcss@8.4.31: resolution: {integrity: sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==} engines: {node: ^10 || ^12 || >=14} @@ -23253,15 +23230,15 @@ packages: xpath: 0.0.32 dev: false - /sanitize-html@2.10.0: - resolution: {integrity: sha512-JqdovUd81dG4k87vZt6uA6YhDfWkUGruUu/aPmXLxXi45gZExnt9Bnw/qeQU8oGf82vPyaE0vO4aH0PbobB9JQ==} + /sanitize-html@2.12.1: + resolution: {integrity: sha512-Plh+JAn0UVDpBRP/xEjsk+xDCoOvMBwQUf/K+/cBAVuTbtX8bj2VB7S1sL1dssVpykqp0/KPSesHrqXtokVBpA==} dependencies: - deepmerge: 4.2.2 + deepmerge: 4.3.1 escape-string-regexp: 4.0.0 - htmlparser2: 8.0.1 + htmlparser2: 8.0.2 is-plain-object: 5.0.0 parse-srcset: 1.0.2 - postcss: 8.4.21 + postcss: 8.4.35 dev: false /sass-loader@13.3.2(sass@1.64.1)(webpack@5.75.0): @@ -26042,8 +26019,8 @@ packages: resolution: {integrity: sha512-NCA6sekiJIMnMs4DdORxATXD+/NRkQpS32UC+I1KQJUasx+Z7MZUb3Y+MsKsFmX+PgyTYSteb73JW77AibaCCw==} dev: true - /vue-component-type-helpers@2.0.4: - resolution: {integrity: sha512-IFZ8rjfV1zWf1LOMPfmMaHe28zZfo5w2NyZxCqeqLGT3CGur0Y9+R3/bvX400tqVukuzf8mLw2fOvGTyXKPWjg==} + /vue-component-type-helpers@2.0.5: + resolution: {integrity: sha512-v9N4ufDSnd8YHcDq/vURPjxDyBVak5ZVAQ6aGNIrf7ZAj/VxRKpLZXFHEaqt9yHkWi0/TZp76Jmf8yNJxDQi4g==} dev: true /vue-demi@0.14.5(vue@3.4.21):