
Commit ca47772

GytisCepkCopilot
andauthored
Fix CVEs issues in release/4.11.x branch (#9190)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 9c8b394 commit ca47772

12 files changed

Lines changed: 1685 additions & 1483 deletions


Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
{
2+
"changes": [
3+
{
4+
"packageName": "@itwin/ecschema-editing",
5+
"comment": "",
6+
"type": "none"
7+
}
8+
],
9+
"packageName": "@itwin/ecschema-editing"
10+
}
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
{
2+
"changes": [
3+
{
4+
"packageName": "@itwin/ecschema-locaters",
5+
"comment": "",
6+
"type": "none"
7+
}
8+
],
9+
"packageName": "@itwin/ecschema-locaters"
10+
}
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
{
2+
"changes": [
3+
{
4+
"packageName": "@itwin/ecschema-metadata",
5+
"comment": "",
6+
"type": "none"
7+
}
8+
],
9+
"packageName": "@itwin/ecschema-metadata"
10+
}
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
{
2+
"changes": [
3+
{
4+
"packageName": "@itwin/ecschema2ts",
5+
"comment": "",
6+
"type": "none"
7+
}
8+
],
9+
"packageName": "@itwin/ecschema2ts"
10+
}

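--- a/common/config/eslint/eslint.config.base.js
+++ b/common/config/eslint/eslint.config.base.js
@@ -23,4 +23,11 @@ module.exports = [
 "@typescript-eslint/no-non-null-assertion": "off"
 }
 },
+{
+files: ["**/*.ts"],
+rules: {
+"@typescript-eslint/await-thenable": "warn",
+"@typescript-eslint/no-deprecated": "warn",
+}
+},
 ]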
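Review bot: Both rules added in the new `**/*.ts` block, `@typescript-eslint/await-thenable` and `@typescript-eslint/no-deprecated`, are type-aware rules, so they only work if the enclosing config (which starts and ends outside this hunk) provides type information for these files via `parserOptions.project` or `projectService`; if it does not, ESLint fails at startup instead of emitting warnings, which is worth confirming since the rest of the config is not visible here. The commit title only mentions CVE fixes, so the reason these lint rules arrive in this commit is not recorded anywhere. Suggest a one-line comment above the new block, e.g. `// Type-aware rules (need parserOptions.project); kept at "warn" until existing findings are addressed.`, adjusted to the actual intent.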

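--- a/common/config/rush/pnpm-config.json
+++ b/common/config/rush/pnpm-config.json
@@ -3,7 +3,11 @@
 "useWorkspaces": true,
 "strictPeerDependencies": false,
 "globalPeerDependencyRules": {
-"ignoreMissing": ["@babel/core", "@types/node", "@typescript-eslint/parser"]
+"ignoreMissing": [
+"@babel/core",
+"@types/node",
+"@typescript-eslint/parser"
+]
 },
 "globalOverrides": {
 "cross-spawn": "^7.0.5", // https://github.com/advisories/GHSA-3xgq-45jj-v275 npm-run-all>cross-spawn
@@ -20,7 +24,9 @@
 "axios": "^1.13.5", // https://github.com/advisories/GHSA-43fc-jf86-j433
 "serialize-javascript": "^7.0.3", // https://github.com/advisories/GHSA-5c6j-r48x-rmvq mocha>serialize-javascript (related to CVE-2020-7660)
 "sequelize": ">=6.37.8", // https://github.com/advisories/GHSA-6457-6jrx-69cr azurite>sequelize
-"underscore": ">=1.13.8" // https://github.com/advisories/GHSA-qpx9-hpmf-5gmw json-schema-faker>jsonpath>underscore
+"underscore": ">=1.13.8", // https://github.com/advisories/GHSA-qpx9-hpmf-5gmw json-schema-faker>jsonpath>underscore
+"path-to-regexp@<0.1.13": "~0.1.13", // https://github.com/advisories/GHSA-37ch-88jc-xwx2 express>path-to-regexp
+"lodash": ">=4.18.0" // https://github.com/advisories/GHSA-r5fr-rjxr-66jc lodash _.template code injection
 },
 // A list of temporary advisories excluded from the High and Critical list.
 // Warning this should only be used as a temporary measure to avoid build failures
@@ -37,7 +43,12 @@
 "CVE-2025-58754", // https://github.com/advisories/GHSA-4hjh-wcwx-xvwj azurite>@azure/ms-rest-js>axios
 "CVE-2026-26996", // https://github.com/advisories/GHSA-3ppc-4f35-3m26 mocha>glob>minimatch
 "CVE-2025-59288", // https://github.com/advisories/GHSA-7mvr-c777-76hp @itwin/oidc-signin-tool>@playwright/test>playwright (playwright is dev only dep, requires active MitM to exploit)
-"CVE-2026-1615" // https://github.com/advisories/GHSA-87r5-mp6g-5w5j presentation/common>json-schema-faker>jsonpath
+"CVE-2026-1615", // https://github.com/advisories/GHSA-87r5-mp6g-5w5j presentation/common>json-schema-faker>jsonpath
+// Fixes for following CVEs only available in newer Electron versions which are not supported by iTwin.js 4.x. Non of the CVEs should be exploitable in library itself.
+"CVE-2026-34774", // https://github.com/advisories/GHSA-532v-xpq5-8h95 electron (offscreen child window UAF, not used)
+"CVE-2026-34771", // https://github.com/advisories/GHSA-8337-3p73-46f4 electron (fullscreen/pointer-lock/keyboard-lock permission UAF, not used)
+"CVE-2026-34770", // https://github.com/advisories/GHSA-jjp3-mq3x-295m electron (PowerMonitor UAF, not used)
+"CVE-2026-34769" // https://github.com/advisories/GHSA-9wfr-w7mm-pc7f electron (commandLineSwitches injection, webPreferences are hardcoded)
 ]
 }
 }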
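Review bot: The four Electron entries added at the end of the excluded-advisories list carry no removal condition, although the comment above that list describes exclusions as a temporary measure; since the new comment states the fixes only exist in Electron versions iTwin.js 4.x does not support, these entries are effectively permanent unless someone records when to revisit them. The trailing justifications ("not used", "webPreferences are hardcoded") cannot be checked from this file, so naming the source file that sets `webPreferences` would make the CVE-2026-34769 exclusion reviewable, and the new comment also has a typo ("Non of"). Suggest extending it to `// Fixes for the following CVEs are only available in newer Electron versions not supported by iTwin.js 4.x. None of the CVEs should be exploitable in the library itself (webPreferences are hardcoded in <PATH-TO-ELECTRON-HOST-SETUP>); re-evaluate when a supported Electron major ships the fixes.`. The first two hunks (the `ignoreMissing` reformat and the lodash / path-to-regexp overrides) raise nothing.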
