From 4f66b1aa5beff68ae66d4fc9c77c5595f8395020 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tha=C3=ADs=20Rodeiro?=
Date: Tue, 2 Jun 2026 13:40:49 -0300
Subject: [PATCH 1/2] patch brace-expansion and ws transitive vulnerabilities in vercel-quickdeploy-nextjs
---
.../vercel-quickdeploy-nextjs/pnpm-lock.yaml | 38 ++++++-------------
.../pnpm-workspace.yaml | 10 +++++
2 files changed, 21 insertions(+), 27 deletions(-)
diff --git a/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml b/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml
index e248964..3d5b77d 100644
--- a/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml
+++ b/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml
@@ -6,6 +6,8 @@ settings:
overrides:
postcss: '>=8.5.10'
+ brace-expansion: '>=5.0.6'
+ ws: '>=8.20.1'
importers:
@@ -1224,9 +1226,6 @@ packages:
resolution: {integrity: sha512-Cg7TFGpIr01vOQNODXOOaGz2NpCU5gl8x1qJFbb6hbZxR7XrcE2vtbAsTAbJ7/xwJtUuJEw8K8Zr/AE0LHlesg==}
engines: {node: '>=10', npm: '>=6'}
- balanced-match@1.0.2:
resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
-
balanced-match@4.0.4:
resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
engines: {node: 18 || 20 || >=22}
@@ -1239,11 +1238,8 @@ packages:
belter@1.0.190:
resolution: {integrity: sha512-jz05FHrO+bwitdI6JxV5ESyRdVhTcwMWQ7L4o+q/R4LNJFQrG58sp9EiwsSjhbihhiyYFcmmCMRRagxte6igtw==}
- brace-expansion@1.1.14:
resolution: {integrity: sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==}
-
- brace-expansion@5.0.5:
resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
+ brace-expansion@5.0.6:
resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==}
engines: {node: 18 || 20 || >=22}
braces@3.0.3:
@@ -1306,9 +1302,6 @@ packages:
resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
engines: {node: '>= 0.8'}
- concat-map@0.0.1:
resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
-
convert-source-map@1.9.0:
resolution: {integrity: sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==}
@@ -2648,8 +2641,8 @@ packages:
wrappy@1.0.2:
resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
- ws@8.20.0:
resolution: {integrity: sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==}
+ ws@8.20.1:
resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==}
engines: {node: '>=10.0.0'}
peerDependencies:
bufferutil: ^4.0.1
@@ -3247,7 +3240,7 @@ snapshots:
'@types/phoenix': 1.6.7
'@types/ws': 8.18.1
tslib: 2.8.1
- ws: 8.20.0
+ ws: 8.20.1
transitivePeerDependencies:
- bufferutil
- utf-8-validate
@@ -4237,8 +4230,6 @@ snapshots:
cosmiconfig: 7.1.0
resolve: 1.22.12
- balanced-match@1.0.2: {}
-
balanced-match@4.0.4: {}
baseline-browser-mapping@2.10.24: {}
@@ -4249,12 +4240,7 @@ snapshots:
cross-domain-utils: 2.0.38
zalgo-promise: 1.0.48
- brace-expansion@1.1.14:
dependencies:
balanced-match: 1.0.2
concat-map: 0.0.1
-
- brace-expansion@5.0.5:
+ brace-expansion@5.0.6:
dependencies:
balanced-match: 4.0.4
@@ -4326,8 +4312,6 @@ snapshots:
dependencies:
delayed-stream: 1.0.0
- concat-map@0.0.1: {}
-
convert-source-map@1.9.0: {}
convert-source-map@2.0.0: {}
@@ -5266,11 +5250,11 @@ snapshots:
minimatch@10.2.5:
dependencies:
- brace-expansion: 5.0.5
+ brace-expansion: 5.0.6
minimatch@3.1.5:
dependencies:
- brace-expansion: 1.1.14
+ brace-expansion: 5.0.6
minimist@1.2.8: {}
@@ -5909,7 +5893,7 @@ snapshots:
wrappy@1.0.2: {}
- ws@8.20.0: {}
+ ws@8.20.1: {}
yallist@3.1.1: {}
diff --git a/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml b/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml
index e0b07ec..426ee21 100644
--- a/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml
+++ b/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml
@@ -132,3 +132,13 @@ overrides:
# output). 8.5.10 contains the fix. API is backward-compatible
# within postcss 8.x; override here until next bumps its own pin.
postcss: '>=8.5.10'
+ # eslint-config-next pulls in minimatch which depends on brace-expansion;
+ # versions <5.0.6 are vulnerable to GHSA-jxxr-4gwj-5jf2 (large numeric
+ # range DoS defeating the documented `max` cap). Dev-only path (ESLint),
+ # but audit blocks CI regardless of scope. Patch is backward-compatible.
+ brace-expansion: '>=5.0.6'
+ # @supabase/supabase-js -> @supabase/realtime-js depends on ws;
+ # versions <8.20.1 are vulnerable to GHSA-58qx-3vcg-4xpx (uninitialized
+ # memory disclosure on crafted HTTP upgrade headers). Runtime path —
+ # affects live WebSocket connections. Patch is backward-compatible within ws 8.x.
+ ws: '>=8.20.1'
From 11342dceec04966f69ccb84b4029782e07f2258c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tha=C3=ADs=20Rodeiro?=
Date: Tue, 2 Jun 2026 14:14:49 -0300
Subject: [PATCH 2/2] Pin brace-expansion and ws overrides to exact versions
---
examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml | 4 ++--
examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml b/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml
index 3d5b77d..486f51b 100644
--- a/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml
+++ b/examples/vercel-quickdeploy-nextjs/pnpm-lock.yaml
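Review bot: The blanket `brace-expansion: '>=5.0.6'` override does more than its comment claims — the lockfile hunk for `minimatch@3.1.5` shows that package's `brace-expansion` dependency rewritten from 1.1.14 to 5.0.6, a jump across four major versions with a new `engines: {node: 18 || 20 || >=22}` constraint, while "Patch is backward-compatible" only describes the 5.0.5 → 5.0.6 step. Whether minimatch 3's `require('brace-expansion')` still works against v5 is not something this diff shows, so the ESLint path (`next lint` or `pnpm exec eslint .`) should be exercised before merging. If it breaks, narrow the override with pnpm's parent selector, `minimatch@10>brace-expansion: '>=5.0.6'`, and deal with the minimatch@3 consumer separately (a fixed 1.x release if upstream published one, or bumping whichever package pulls in minimatch@3). Either way the comment should state the forced major bump rather than only the dev-only scope, e.g. `# NOTE: also forces minimatch@3.x (resolved 1.1.14 before this) onto brace-expansion 5 — re-run the lint step after changing this line.`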
@@ -6,8 +6,8 @@ settings:
overrides:
postcss: '>=8.5.10'
- brace-expansion: '>=5.0.6'
- ws: '>=8.20.1'
+ brace-expansion: 5.0.6
+ ws: 8.20.1
importers:
diff --git a/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml b/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml
index 426ee21..2e8eb8a 100644
--- a/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml
+++ b/examples/vercel-quickdeploy-nextjs/pnpm-workspace.yaml
@@ -136,9 +136,9 @@ overrides:
# versions <5.0.6 are vulnerable to GHSA-jxxr-4gwj-5jf2 (large numeric
# range DoS defeating the documented `max` cap). Dev-only path (ESLint),
# but audit blocks CI regardless of scope. Patch is backward-compatible.
- brace-expansion: '>=5.0.6'
+ brace-expansion: '5.0.6'
# @supabase/supabase-js -> @supabase/realtime-js depends on ws;
# versions <8.20.1 are vulnerable to GHSA-58qx-3vcg-4xpx (uninitialized
# memory disclosure on crafted HTTP upgrade headers). Runtime path —
# affects live WebSocket connections. Patch is backward-compatible within ws 8.x.
- ws: '>=8.20.1'
+ ws: '8.20.1'
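Review bot: Pinning the overrides to exact versions (`brace-expansion: '5.0.6'`, `ws: '8.20.1'`) gives up the property the first patch bought: a pnpm override replaces whatever range the dependent declares, so should a later ws 8.20.x security fix ship it will not be picked up by `pnpm update`, and a dependent that later moves to ws 9 would be silently forced back to 8.20.1 with no audit signal until the pin is touched by hand. Reproducibility is already provided by `pnpm-lock.yaml`, so the `>=` floors from the first patch (or `^8.20.1` / `^5.0.6` if you want to stop short of the next major) are the safer shape for a security override; the comment above still says "Patch is backward-compatible within ws 8.x", which only makes sense for a range. If the exact pin is deliberate, say so next to it so the next audit failure is understood, e.g. `# Exact pin: overrides ignore dependents' ranges — bump manually when a newer 8.x fix ships.` The same note applies to the brace-expansion line in this hunk.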