fix(security): bump linkify-it to 5.0.1 (GHSA-22p9-wv53-3rq4)#4348
Open
kilo-code-bot[bot] wants to merge 1 commit into
Conversation
CVE-2026-48801: linkify-it <=5.0.0 has O(N²) scan-loop complexity that can cause client-side DoS when processing large user-authored messages.
- Bump linkify-it 5.0.0 → 5.0.1 in apps/web/package.json
- Update pnpm-lock.yaml with patched package resolution
- Add MAX_LINKIFY_LENGTH guard in MessageBubble.tsx as defence-in-depth
Code Review Summary
Status: No Issues Found | Recommendation: Merge
Executive Summary: Reviewed the linkify-it 5.0.1 bump and the new
Files Reviewed (3 files)
Reviewed by claude-sonnet-5-20260630 · Input: 24 · Output: 8.8K · Cached: 514.6K. Review guidance: REVIEW.md from base branch
Summary
Remediates CVE-2026-48801 / GHSA-22p9-wv53-3rq4:
linkify-it ≤5.0.0 contains an O(N²) scan-loop in LinkifyIt#match that causes quadratic slowdown on long inputs.
Changes:
- linkify-it from 5.0.0 → 5.0.1 in apps/web/package.json
- pnpm-lock.yaml with the patched package resolution and integrity hash
- MAX_LINKIFY_LENGTH = 50_000 input-length guard in MessageBubble.tsx before passing user content to linkify.match() as a defence-in-depth measure
The affected call site (MessageBubble.tsx:32) is a 'use client' component, so the server-side DoS scenario does not apply. The residual risk is a stored client-side DoS where an authenticated attacker sends an oversized message that stalls other users' browsers.
Kilo Security Finding: https://app.kilo.ai/security-agent/findings?findingId=907ef9e0-b634-4bd2-ac0e-128859ae7d40
Verification
Visual Changes
N/A
Reviewer Notes
The lockfile was updated manually (surgical edit) because pnpm install --no-frozen-lockfile runs out of memory in the sandbox environment. The integrity hash for linkify-it@5.0.1 was fetched from the npm registry (npm info linkify-it@5.0.1 dist.integrity). CI should re-verify this on install.
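The MAX_LINKIFY_LENGTH guard described in the Summary, as an added TypeScript example that is not the project's MessageBubble.tsx code. It assumes an injected matcher with the shape of linkify-it's match() result (index, lastIndex, text, url) so it runs without the library; demoMatcher is a constructed stand-in.

```typescript
// Added example, not the project's code: the MAX_LINKIFY_LENGTH guard the PR
// describes, as a pure function. `matcher` stands in for `new LinkifyIt().match`.
const MAX_LINKIFY_LENGTH = 50_000;

// Minimal shape of the objects linkify-it's match() returns.
interface LinkMatch { index: number; lastIndex: number; text: string; url: string }
type Matcher = (text: string) => LinkMatch[] | null;
type Segment =
  | { kind: "text"; value: string }
  | { kind: "link"; value: string; href: string };

// Splits a message into text/link segments. Input longer than maxLength is
// returned as one plain-text segment without calling the matcher, so an
// oversized stored message never reaches the quadratic scan loop.
function linkifyGuarded(
  text: string,
  matcher: Matcher,
  maxLength: number = MAX_LINKIFY_LENGTH,
): Segment[] {
  if (text.length > maxLength) {
    return [{ kind: "text", value: text }];
  }
  const segments: Segment[] = [];
  let cursor = 0;
  for (const m of matcher(text) ?? []) {
    if (m.index > cursor) {
      segments.push({ kind: "text", value: text.slice(cursor, m.index) });
    }
    segments.push({ kind: "link", value: m.text, href: m.url });
    cursor = m.lastIndex;
  }
  if (cursor < text.length) {
    segments.push({ kind: "text", value: text.slice(cursor) });
  }
  return segments;
}

// Constructed offline stand-in matcher (http/https only; no linkify-it import).
const demoMatcher: Matcher = (text) => {
  const re = /https?:\/\/\S+/g;
  const out: LinkMatch[] = [];
  let hit: RegExpExecArray | null;
  while ((hit = re.exec(text)) !== null) {
    out.push({ index: hit.index, lastIndex: hit.index + hit[0].length, text: hit[0], url: hit[0] });
  }
  return out.length > 0 ? out : null;
};
```

In the real component the matcher argument would be the bound linkify.match and the segments would be rendered as text nodes and anchor elements; the over-limit branch is what makes the guard a defence-in-depth layer independent of the library version.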