From f246eb86041f1a0fb57236dbdb316296e0c51092 Mon Sep 17 00:00:00 2001 From: "dobby-yivi-agent[bot]" <275734547+dobby-yivi-agent[bot]@users.noreply.github.com> Date: Wed, 1 Jul 2026 22:12:37 +0000 Subject: [PATCH 1/3] fix(deps): bump vite override to 6.4.3 and pin dompurify >=3.4.11 Resolves the vite (GHSA-fx2h-pf6j-xcff high, GHSA-v6wh-96g9-6wx3 moderate) and dompurify (8 advisories, GHSA-cmwh-pvxp-8882 et al.) CVEs from issue #115. Both were confirmed still present on main. npm audit now reports 0 vulnerabilities and the VitePress build succeeds. Co-Authored-By: Claude Opus 4.8 --- package-lock.json | 12 ++++++------ package.json | 3 ++- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/package-lock.json b/package-lock.json index a463284..50c4418 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2668,9 +2668,9 @@ "license": "MIT" }, "node_modules/dompurify": { - "version": "3.4.2", - "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.2.tgz", - "integrity": "sha512-lHeS9SA/IKeIFFyYciHBr2n0v1VMPlSj843HdLOwjb2OxNwdq9Xykxqhk+FE42MzAdHvInbAolSE4mhahPpjXA==", + "version": "3.4.11", + "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.11.tgz", + "integrity": "sha512-zhlUV12GsaRzMsf9q5M254YhA4+VuF0fG+QFqu6aYpoGlKtz+w8//jBcGVYBgQkR5GHjUomejY84AV+/uPbWdw==", "license": "(MPL-2.0 OR Apache-2.0)", "optionalDependencies": { "@types/trusted-types": "^2.0.7" @@ -3785,9 +3785,9 @@ } }, "node_modules/vite": { - "version": "6.4.2", - "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz", - "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==", + "version": "6.4.3", + "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.3.tgz", + "integrity": "sha512-NTKlcQjlAK7MlQoyb6LgaqHc8sso/pVyUJYWMws3jg21uTJw/LddqIFPcPqP6PzpgbIcZyKI85sFE4HBrQDA8A==", "license": "MIT", "dependencies": { "esbuild": "^0.25.0", diff --git a/package.json b/package.json index 7e19134..acfca41 100644 --- a/package.json +++ b/package.json @@ -17,6 +17,7 @@ }, "overrides": { "esbuild": "^0.25.0", - "vite": "^6.4.2" + "vite": "^6.4.3", + "dompurify": ">=3.4.11" } } From a4522fe9581f48bbddce5e1336733ff16ef370f2 Mon Sep 17 00:00:00 2001 From: "dobby-yivi-agent[bot]" <275734547+dobby-yivi-agent[bot]@users.noreply.github.com> Date: Wed, 1 Jul 2026 22:12:48 +0000 Subject: [PATCH 2/3] chore(deps): bump mermaid to 11.16.0 Patch bump from the outdated list in issue #115. Build succeeds and mermaid diagrams still render. Co-Authored-By: Claude Opus 4.8 --- package-lock.json | 28 ++++++++++++++-------------- package.json | 2 +- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/package-lock.json b/package-lock.json index 50c4418..b432ac5 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "name": "postguard-docs", "version": "1.0.0", "dependencies": { - "mermaid": "^11.15.0", + "mermaid": "^11.16.0", "vitepress-plugin-mermaid": "^2.0.17" }, "devDependencies": { @@ -872,12 +872,12 @@ "optional": true }, "node_modules/@mermaid-js/parser": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.1.tgz", - "integrity": "sha512-VuHdsYMK1bT6X2JbcAaWAhugTRvRBRyuZgd+c22swUeI9g/ntaxF7CY7dYarhZovofCbUNO0G7JesfmNtjYOCw==", + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.2.0.tgz", + "integrity": "sha512-oYPyv8A4As1yH5Bx+04iQEQxXuIQDe0GKCNSRgao6z8AM9jixXIfP0vsppRLvGf+nKIOb9/LdpWA4YuJiVvESA==", "license": "MIT", "dependencies": { - "@chevrotain/types": "~11.1.1" + "@chevrotain/types": "~11.1.2" } }, "node_modules/@privacybydesign/yivi-client": { @@ -3037,26 +3037,26 @@ } }, "node_modules/mermaid": { - "version": "11.15.0", - "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.15.0.tgz", - "integrity": "sha512-pTMbcf3rWdtLiYGpmoTjHEpeY8seiy6sR+9nD7LOs8KfUbHE4lOUAprTRqRAcWSQ6MQpdX+YEsxShtGsINtPtw==", + "version": "11.16.0", + "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.16.0.tgz", + "integrity": "sha512-Zvm3kbstgdpvIJPPItlL7fppIZ3kibvc1oZIGxdvk9t6UFz6flv+Jw7FtRGKwfcI8OckmH04LqG6LlS6X4B1pA==", "license": "MIT", "dependencies": { - "@braintree/sanitize-url": "^7.1.1", + "@braintree/sanitize-url": "^7.1.2", "@iconify/utils": "^3.0.2", - "@mermaid-js/parser": "^1.1.1", + "@mermaid-js/parser": "^1.2.0", "@types/d3": "^7.4.3", "@upsetjs/venn.js": "^2.0.0", - "cytoscape": "^3.33.1", + "cytoscape": "^3.33.3", "cytoscape-cose-bilkent": "^4.1.0", "cytoscape-fcose": "^2.2.0", "d3": "^7.9.0", "d3-sankey": "^0.12.3", "dagre-d3-es": "7.0.14", - "dayjs": "^1.11.19", - "dompurify": "^3.3.1", + "dayjs": "^1.11.20", + "dompurify": "^3.3.3", "es-toolkit": "^1.45.1", - "katex": "^0.16.25", + "katex": "^0.16.45", "khroma": "^2.1.0", "marked": "^16.3.0", "roughjs": "^4.6.6", diff --git a/package.json b/package.json index acfca41..5cbd43d 100644 --- a/package.json +++ b/package.json @@ -12,7 +12,7 @@ "vitepress": "^1.6.4" }, "dependencies": { - "mermaid": "^11.15.0", + "mermaid": "^11.16.0", "vitepress-plugin-mermaid": "^2.0.17" }, "overrides": { From 32d2db61130c57d99720e800f4324fe60d05d67e Mon Sep 17 00:00:00 2001 From: "dobby-yivi-agent[bot]" <275734547+dobby-yivi-agent[bot]@users.noreply.github.com> Date: Wed, 1 Jul 2026 22:12:57 +0000 Subject: [PATCH 3/3] chore(deps): bump @e4a/pg-js to 2.1.0 (major) @e4a/pg-js is a devDependency that only pins the documented SDK version; it is not imported by the VitePress build (no code imports it, only markdown snippets reference it). The docs already describe 2.0.0+ API behavior (sdk/js-decryption.md, sdk/js-email-helpers.md), so this aligns the pinned version with the documented API. Build succeeds, 0 vulns. Co-Authored-By: Claude Opus 4.8 --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index b432ac5..3044110 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12,7 +12,7 @@ "vitepress-plugin-mermaid": "^2.0.17" }, "devDependencies": { - "@e4a/pg-js": "^1.10.0", + "@e4a/pg-js": "^2.1.0", "vitepress": "^1.6.4" } }, @@ -376,9 +376,9 @@ } }, "node_modules/@e4a/pg-js": { - "version": "1.10.0", - "resolved": "https://registry.npmjs.org/@e4a/pg-js/-/pg-js-1.10.0.tgz", - "integrity": "sha512-grC1snIzsM2+VEL/oFRWz4+c2IRaLFR5duV8XUKso92S97r3e8z2IEZHXblS4uNtJEtOlbA+UA/1UWEHi0mimg==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@e4a/pg-js/-/pg-js-2.1.0.tgz", + "integrity": "sha512-FQ9TcrkrodsYTjn3WoP/mySeCGwtt1pydAWJpYmTvl+gpd7zAJHL7h3yuQrFLSFSSlHLhh+3iNGUhP9zT/2e5w==", "dev": true, "license": "MIT", "dependencies": { diff --git a/package.json b/package.json index 5cbd43d..0ab4dbd 100644 --- a/package.json +++ b/package.json @@ -8,7 +8,7 @@ "docs:preview": "vitepress preview docs" }, "devDependencies": { - "@e4a/pg-js": "^1.10.0", + "@e4a/pg-js": "^2.1.0", "vitepress": "^1.6.4" }, "dependencies": {