
chore: update dependencies to fix CVEs #1904

Merged
radu-gheorghe merged 1 commit into master from fix/cve-dependency-updates
Apr 29, 2026

Conversation

Contributor

@odosk odosk commented Apr 28, 2026

⚠️ This PR was created by an AI assistant (Claude). Please review all changes carefully before merging.

Summary

Updates dependency version constraints to address known CVEs:

  • Bumps jekyll minimum version to >= 4.3.3 in Gemfile (CVE-2026-35611)
  • Bumps html-proofer minimum version to >= 5.0.8 in Gemfile (CVE-2026-35611)
  • Pins marked CDN to version 15.0.12 in ecommerce-user-preferences/webapp/templates/index.html (CVE-2026-41680)
  • DOMPurify CDN was already pinned to 3.1.6 — no change needed (CVE-2026-41238, CVE-2026-41239 — confirmed safe)

Changed Files

Gemfile

examples/ecommerce-user-preferences/webapp/templates/index.html

  • marked CDN: unpinned marked/marked.min.js → marked@15.0.12/marked.min.js (addresses CVE-2026-41680)
  • DOMPurify@3.1.6 was already pinned and is already used correctly — app.js calls DOMPurify.sanitize() on all marked.parse() output before assigning to innerHTML. No change was needed.

CVEs Addressed

⚠️ Review Notes

  • The marked CDN was previously unpinned (floating latest), which is a supply-chain risk. It is now pinned to 15.0.12.
  • DOMPurify was already pinned at 3.1.6 on master and is actively used in app.js to sanitize all HTML before insertion — confirmed safe.
  • Gemfile version constraints use >= (lower bounds), not exact pins. Any compatible newer version will be resolved by Bundler. Verify this is acceptable for your CI/CD policy.

Verification

  • Run bundle install and verify no conflicts with updated gem constraints
  • Run the link-checker workflow to confirm html-proofer still works
  • Verify the ecommerce-user-preferences app renders markdown correctly with pinned marked 15.0.12
  • Confirm CDN URLs resolve correctly: https://cdn.jsdelivr.net/npm/marked@15.0.12/marked.min.js

🤖 Generated with Claude Code

CVE-2026-41238, CVE-2026-41239)

- Bump jekyll minimum version to >= 4.3.3 (CVE-2026-35611)
- Bump html-proofer minimum version to >= 5.0.8 (CVE-2026-35611)
- Pin marked CDN to version 15.0.12 (CVE-2026-41680)
- DOMPurify CDN already pinned to 3.1.6 (CVE-2026-41238, CVE-2026-41239)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
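The floating-CDN risk called out in the review notes, as an added example that is not code from this PR or the project: a small Node script that audits a template's `<script>` tags and reports which npm CDN loads lack an exact version pin, and whether an `integrity` attribute is present. The sample HTML and the DOMPurify file path are constructed for the example.

```javascript
// Added example (not from the PR or the project): flag <script src> tags that
// load npm packages from a CDN without an exact version pin ("floating latest").
const CDN_HOSTS = ["cdn.jsdelivr.net", "unpkg.com"];
const EXACT_SEMVER = /^\d+\.\d+\.\d+$/;

// Collect every <script ...> tag that has a src attribute.
function scriptTags(html) {
  const tags = [];
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) tags.push({ src: src[1], hasIntegrity: /\bintegrity\s*=/i.test(attrs) });
  }
  return tags;
}

// For a jsDelivr/unpkg npm URL return {pkg, version}; version is "" when absent.
function parseNpmCdn(src) {
  let url;
  try { url = new URL(src); } catch { return null; } // relative/local src: not a CDN load
  if (!CDN_HOSTS.includes(url.hostname)) return null;
  // jsDelivr: /npm/<pkg>@<ver>/file ; unpkg: /<pkg>@<ver>/file ; scoped pkgs use two segments
  const segs = url.pathname.replace(/^\/npm\//, "/").slice(1).split("/");
  const name = segs[0].startsWith("@") ? segs.slice(0, 2).join("/") : segs[0];
  const at = name.lastIndexOf("@");
  if (at <= 0) return { pkg: name, version: "" };
  return { pkg: name.slice(0, at), version: name.slice(at + 1) };
}

// A load counts as pinned only when its version is an exact x.y.z (not "latest" or a range).
function auditCdnScripts(html) {
  return scriptTags(html).flatMap((t) => {
    const dep = parseNpmCdn(t.src);
    if (!dep) return [];
    return [{ ...dep, pinned: EXACT_SEMVER.test(dep.version), hasIntegrity: t.hasIntegrity }];
  });
}

// Constructed sample: the unpinned load from before the PR, the pinned one after it,
// and a DOMPurify load (file path assumed for the example).
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/marked@15.0.12/marked.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.1.6/dist/purify.min.js"></script>
<script src="/static/app.js"></script>
`;

for (const f of auditCdnScripts(SAMPLE_HTML)) {
  console.log(`${f.pinned ? "OK      " : "FLOATING"} ${f.pkg}@${f.version || "<unpinned>"}` +
              (f.hasIntegrity ? "" : "  (no integrity attribute)"));
}
```

The `integrity` column is a check beyond what the PR changed: a pinned CDN URL fixes which version is requested, while a subresource-integrity hash additionally verifies the bytes that arrive.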
@odosk odosk temporarily deployed to Vespa Cloud CD April 28, 2026 12:35 — with GitHub Actions Inactive
@odosk odosk marked this pull request as draft April 28, 2026 12:59
@odosk odosk requested a review from radu-gheorghe April 29, 2026 08:53
@odosk odosk marked this pull request as ready for review April 29, 2026 08:54

@radu-gheorghe radu-gheorghe left a comment


Thanks!

@radu-gheorghe radu-gheorghe merged commit ebf867a into master Apr 29, 2026
9 checks passed
@radu-gheorghe radu-gheorghe deleted the fix/cve-dependency-updates branch April 29, 2026 09:02