From 842fb2d6e3988ccfa09f0fdccffe8fa3cdc6504e Mon Sep 17 00:00:00 2001
From: Arsen Shkrumelyak
Date: Sat, 23 Mar 2024 12:51:43 +0000
Subject: [PATCH 1/3] Fix: CVE-2023-26140
This commit fixes a potential XSS vulnerability in the `@udecode/plate-excalidraw` package by updating the `@excalidraw/excalidraw` dependency to version `0.16.0`.
Security Advisory: https://github.com/advisories/GHSA-v7v8-gjv7-ffmr
Snyk Report: https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
---
 packages/excalidraw/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/excalidraw/package.json b/packages/excalidraw/package.json
index bf5935e963..ee621fd7d6 100644
--- a/packages/excalidraw/package.json
+++ b/packages/excalidraw/package.json
@@ -39,7 +39,7 @@
 "typecheck": "yarn p:typecheck"
 },
 "dependencies": {
- "@excalidraw/excalidraw": "0.12.0"
+ "@excalidraw/excalidraw": "0.16.0"
 },
 "devDependencies": {
 "@udecode/plate-common": "workspace:^"
From d77aa79cc2a94f75a3b1c2e642c39f7584c36ccd Mon Sep 17 00:00:00 2001
From: Arsen Shkrumelyak
Date: Sat, 23 Mar 2024 13:06:18 +0000
Subject: [PATCH 2/3] Add changeset
---
 .changeset/eighty-monkeys-poke.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/eighty-monkeys-poke.md
diff --git a/.changeset/eighty-monkeys-poke.md b/.changeset/eighty-monkeys-poke.md
new file mode 100644
index 0000000000..15d31a6da3
--- /dev/null
+++ b/.changeset/eighty-monkeys-poke.md
@@ -0,0 +1,5 @@
+---
+"@udecode/plate-excalidraw": minor
+---
+
+Fix: CVE-2023-26140
From a5e40bd5361173aa53c3f2ad6ae2c0f5d3228d7b Mon Sep 17 00:00:00 2001
From: Joe Anderson
Date: Sat, 23 Mar 2024 13:13:29 +0000
Subject: [PATCH 3/3] Update yarn.lock
---
 yarn.lock | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index 8f0d7831ad..78b3fae829 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2012,15 +2012,13 @@ __metadata:
 languageName: node
 linkType: hard
-"@excalidraw/excalidraw@npm:0.12.0":
- version: 0.12.0
- resolution: "@excalidraw/excalidraw@npm:0.12.0"
- dependencies:
- dotenv: "npm:10.0.0"
+"@excalidraw/excalidraw@npm:0.16.0":
+ version: 0.16.0
+ resolution: "@excalidraw/excalidraw@npm:0.16.0"
 peerDependencies:
- react: ^17.0.2
- react-dom: ^17.0.2
- checksum: 10c0/d4c456ed97ef64c64467ca1501022e66f34cadddab20809fa2ae860d60d255b9108a0f9ceacac31a04c7bbb319ad399110b1331f8ca895438adb606e985b2dfd
+ react: ^17.0.2 || ^18.2.0
+ react-dom: ^17.0.2 || ^18.2.0
+ checksum: 10c0/59411d5c1b7516eb17b471f8395704df0ec7f4d67337de5bb2dffc785839d26251e86b3078769f6ead4e95c14e79a26e71ddd3369b9808e24bdd469249f1a031
 languageName: node
 linkType: hard
@@ -6601,7 +6599,7 @@ __metadata:
 version: 0.0.0-use.local
 resolution: "@udecode/plate-excalidraw@workspace:packages/excalidraw"
 dependencies:
- "@excalidraw/excalidraw": "npm:0.12.0"
+ "@excalidraw/excalidraw": "npm:0.16.0"
 "@udecode/plate-common": "workspace:^"
 peerDependencies:
 "@udecode/plate-common": ">=31.0.0"
@@ -9947,13 +9945,6 @@ __metadata:
 languageName: node
 linkType: hard
-"dotenv@npm:10.0.0":
- version: 10.0.0
- resolution: "dotenv@npm:10.0.0"
- checksum: 10c0/2d8d4ba64bfaff7931402aa5e8cbb8eba0acbc99fe9ae442300199af021079eafa7171ce90e150821a5cb3d74f0057721fbe7ec201a6044b68c8a7615f8c123f
- languageName: node
- linkType: hard
-
 "dotenv@npm:16.0.3":
 version: 16.0.3
 resolution: "dotenv@npm:16.0.3"