From 8ee3d483948cdffbbaa2583fe397b7f59e8a2593 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Sat, 9 May 2026 21:28:34 +0000
Subject: [PATCH 1/2] fix: add postcss resolutions override to address CVE-2026-41305
Co-authored-by: Brendan Kellam
---
 package.json | 3 ++-
 yarn.lock | 15 ++------------- 
 2 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/package.json b/package.json
index 63eae0429..91ba59a8d 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,7 @@
     "smol-toml@npm:^1.6.0": "^1.6.1",
     "teeny-request@npm:^10.0.0": "^10.1.2",
     "uuid": "^14.0.0",
-    "fast-uri@npm:^3.0.1": "^3.1.2"
+    "fast-uri@npm:^3.0.1": "^3.1.2",
+    "postcss@npm:8.4.31": "^8.5.10"
   }
 }
diff --git a/yarn.lock b/yarn.lock
index 0f7a4f949..bcc5c73f7 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -17188,7 +17188,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"nanoid@npm:^3.3.11, nanoid@npm:^3.3.6":
+"nanoid@npm:^3.3.11":
   version: 3.3.11
   resolution: "nanoid@npm:3.3.11"
   bin:
@@ -18392,17 +18392,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"postcss@npm:8.4.31":
-  version: 8.4.31
-  resolution: "postcss@npm:8.4.31"
-  dependencies:
-    nanoid: "npm:^3.3.6"
-    picocolors: "npm:^1.0.0"
-    source-map-js: "npm:^1.0.2"
-  checksum: 10c0/748b82e6e5fc34034dcf2ae88ea3d11fd09f69b6c50ecdd3b4a875cfc7cdca435c958b211e2cb52355422ab6fccb7d8f2f2923161d7a1b281029e4a913d59acf
-  languageName: node
-  linkType: hard
-
 "postcss@npm:^8.4.47, postcss@npm:^8.5.10, postcss@npm:^8.5.8":
   version: 8.5.12
   resolution: "postcss@npm:8.5.12"
@@ -20595,7 +20584,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"source-map-js@npm:^1.0.2, source-map-js@npm:^1.2.1":
+"source-map-js@npm:^1.2.1":
   version: 1.2.1
   resolution: "source-map-js@npm:1.2.1"
   checksum: 10c0/7bda1fc4c197e3c6ff17de1b8b2c20e60af81b63a52cb32ec5a5d67a20a7d42651e2cb34ebe93833c5a2a084377e17455854fee3e21e7925c64a51b6a52b0faf
From 9dc429616685e6d64b91b8bb3937aaf7b7bcfd36 Mon Sep 17 00:00:00 2001 
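Review bot: The new resolutions key `"postcss@npm:8.4.31": "^8.5.10"` matches only the exact `8.4.31` descriptor, so any other transitive request for a postcss release below the patched range would not be covered, whereas the CHANGELOG entry in PATCH 2/2 describes the override as forcing "all instances". If every instance is the intent, the unqualified key `"postcss": "^8.5.10"` matches all descriptors under Yarn's resolutions semantics; otherwise the changelog wording should be narrowed to the 8.4.31 descriptor. The yarn.lock hunks are consistent with the narrow override as written: only the `postcss@npm:8.4.31` entry is dropped, and the `^8.4.47`/`^8.5.10`/`^8.5.8` descriptors already resolve to 8.5.12. Since package.json cannot carry a comment, consider recording in the PR description which dependency requests the pinned 8.4.31 descriptor, so the override can be retired once that upstream request moves.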
From: Cursor Agent
Date: Sat, 9 May 2026 21:29:29 +0000
Subject: [PATCH 2/2] docs: add CHANGELOG entry for CVE-2026-41305 fix
Co-authored-by: Brendan Kellam
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 081d4c8d6..c1682bbc4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed blame gutter commit navigation to use the file path as it existed at the attributing commit, so clicking a blame line whose commit predates a rename resolves to the correct historical path. [#1178](https://github.com/sourcebot-dev/sourcebot/pull/1178)
 - Bumped transitive `fast-uri` dependency to `^3.1.2`. [#1181](https://github.com/sourcebot-dev/sourcebot/pull/1181)
 - Upgraded `simple-git` to `3.36.0` to address CVE-2026-6951. [#1183](https://github.com/sourcebot-dev/sourcebot/pull/1183)
+- Added `postcss` resolutions override to force all instances to `^8.5.10` to address CVE-2026-41305. [#1191](https://github.com/sourcebot-dev/sourcebot/pull/1191)
 
 ### Changed
 - Reduced the log verbosity of the worker by changing various log messages from info to debug. [#1179](https://github.com/sourcebot-dev/sourcebot/pull/1179)