|
3 | 3 | "useWorkspaces": true, |
4 | 4 | "strictPeerDependencies": false, |
5 | 5 | "globalPeerDependencyRules": { |
6 | | - "ignoreMissing": ["@babel/core", "@types/node", "@typescript-eslint/parser"] |
| 6 | + "ignoreMissing": [ |
| 7 | + "@babel/core", |
| 8 | + "@types/node", |
| 9 | + "@typescript-eslint/parser" |
| 10 | + ] |
7 | 11 | }, |
8 | 12 | "globalOverrides": { |
9 | 13 | "cross-spawn": "^7.0.5", // https://github.com/advisories/GHSA-3xgq-45jj-v275 npm-run-all>cross-spawn |
|
20 | 24 | "axios": "^1.13.5", // https://github.com/advisories/GHSA-43fc-jf86-j433 |
21 | 25 | "serialize-javascript": "^7.0.3", // https://github.com/advisories/GHSA-5c6j-r48x-rmvq mocha>serialize-javascript (related to CVE-2020-7660) |
22 | 26 | "sequelize": ">=6.37.8", // https://github.com/advisories/GHSA-6457-6jrx-69cr azurite>sequelize |
23 | | - "underscore": ">=1.13.8" // https://github.com/advisories/GHSA-qpx9-hpmf-5gmw json-schema-faker>jsonpath>underscore |
| 27 | + "underscore": ">=1.13.8", // https://github.com/advisories/GHSA-qpx9-hpmf-5gmw json-schema-faker>jsonpath>underscore |
| 28 | + "path-to-regexp@<0.1.13": "~0.1.13", // https://github.com/advisories/GHSA-37ch-88jc-xwx2 express>path-to-regexp |
| 29 | + "lodash": ">=4.18.0" // https://github.com/advisories/GHSA-r5fr-rjxr-66jc lodash _.template code injection |
24 | 30 | }, |
25 | 31 | // A list of temporary advisories excluded from the High and Critical list. |
26 | 32 | // Warning this should only be used as a temporary measure to avoid build failures |
|
37 | 43 | "CVE-2025-58754", // https://github.com/advisories/GHSA-4hjh-wcwx-xvwj azurite>@azure/ms-rest-js>axios |
38 | 44 | "CVE-2026-26996", // https://github.com/advisories/GHSA-3ppc-4f35-3m26 mocha>glob>minimatch |
39 | 45 | "CVE-2025-59288", // https://github.com/advisories/GHSA-7mvr-c777-76hp @itwin/oidc-signin-tool>@playwright/test>playwright (playwright is dev only dep, requires active MitM to exploit) |
40 | | - "CVE-2026-1615" // https://github.com/advisories/GHSA-87r5-mp6g-5w5j presentation/common>json-schema-faker>jsonpath |
| 46 | + "CVE-2026-1615", // https://github.com/advisories/GHSA-87r5-mp6g-5w5j presentation/common>json-schema-faker>jsonpath |
| 47 | + // Fixes for following CVEs only available in newer Electron versions which are not supported by iTwin.js 4.x. Non of the CVEs should be exploitable in library itself. |
| 48 | + "CVE-2026-34774", // https://github.com/advisories/GHSA-532v-xpq5-8h95 electron (offscreen child window UAF, not used) |
| 49 | + "CVE-2026-34771", // https://github.com/advisories/GHSA-8337-3p73-46f4 electron (fullscreen/pointer-lock/keyboard-lock permission UAF, not used) |
| 50 | + "CVE-2026-34770", // https://github.com/advisories/GHSA-jjp3-mq3x-295m electron (PowerMonitor UAF, not used) |
| 51 | + "CVE-2026-34769" // https://github.com/advisories/GHSA-9wfr-w7mm-pc7f electron (commandLineSwitches injection, webPreferences are hardcoded) |
41 | 52 | ] |
42 | 53 | } |
43 | 54 | } |
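Review bot: The four Electron exclusions added at the end of the advisory list are justified as "not used" / "webPreferences are hardcoded", yet the list's own header a few lines up describes it as a temporary measure to avoid build failures, and the new comment states that no fix exists for the 4.x line, so these entries are effectively permanent exceptions rather than temporary ones. I would make that explicit in the comment and fix its typo, e.g. `// None of these CVEs should be reachable through this library's own Electron backend. Fixes ship only in Electron versions outside the range iTwin.js 4.x supports; re-evaluate when that range is raised (tracking issue: <link>).`, so the exclusion is revisited when the supported Electron range changes rather than silently carried forward. The "not used" wording for the three UAFs can only speak for the Electron host code in this repository; whether applications built on the library expose offscreen child windows, pointer/keyboard lock or PowerMonitor is not something this file establishes, so it is safer to say "not used by this repo's Electron backend" than to imply the CVEs are unexploitable. Separately, the new `"lodash": ">=4.18.0"` override is open-ended and would also satisfy a future lodash major (the existing `cross-spawn`/`axios` entries use `^`), so `"lodash": "^4.18.0"` keeps the fix while bounding what the global override can pull into every transitive dependency. The file header and the start of this section lie above the visible chunk.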
|