Fix security vulnerabilities in qs and uuid dependencies #5110

Merged
cortinico merged 1 commit into main from fix/security-vulnerabilities-qs-uuid on Jun 3, 2026

Conversation

cortinico (Contributor) commented Jun 3, 2026

Summary

Add yarn resolutions to force minimum safe versions for two vulnerable transitive dependencies:

Details

Both are transitive dependencies that cannot be updated through normal version range constraints:

  • qs is pulled in by express (~6.14.0) and body-parser (~6.15.1). The resolution forces all instances to 6.15.2.
  • uuid is pulled in by sockjs (^8.3.2). The resolution forces it to 11.1.1.

Test Plan

  • yarn install completes without errors
  • Verified yarn.lock resolves qs to 6.15.2 and uuid to 11.1.1

Add yarn resolutions to force minimum safe versions:
- qs: ^6.15.2 (fixes CVE-2026-8723 / GHSA-q8mj-m7cp-5q26)
- uuid: ^11.1.1 (fixes CVE-2026-41907 / GHSA-w5hq-g745-h8pq)

Both are transitive dependencies (qs via express/body-parser, uuid via sockjs)
that cannot be updated through normal version range constraints.
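Checking that a `resolutions` entry actually took effect is worth automating rather than reading `yarn.lock` by eye: if some descriptor of the package still resolves to an older version, the vulnerable copy is still installed. The script below is an added example written for this editorial pass, not code from this PR or from the react-native-website repository. It assumes the Yarn classic (v1) lockfile format; the `RESOLUTIONS` object and the `LOCKFILE` excerpt are constructed for illustration, using the floors named in the commit message, and the `uuid@^8.3.2` entry is included on purpose to show what an ineffective resolution looks like.

```javascript
// Added example, not react-native-website project code.
// Checks that every lockfile entry for a package listed under "resolutions"
// resolved to a version at or above the floor of the forced range.
// Assumption: Yarn classic (v1) yarn.lock format; no compound ranges.

// Constructed to mirror the PR's package.json resolutions field.
const RESOLUTIONS = {
  qs: "^6.15.2",
  uuid: "^11.1.1",
};

// Constructed yarn.lock excerpt. The last entry shows a resolution that did
// NOT apply: sockjs's descriptor uuid@^8.3.2 still resolves to 8.3.2.
const LOCKFILE = `
# yarn lockfile v1

qs@^6.14.0, qs@^6.15.1, qs@^6.15.2:
  version "6.15.2"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.15.2.tgz"

uuid@^11.1.1:
  version "11.1.1"
  resolved "https://registry.yarnpkg.com/uuid/-/uuid-11.1.1.tgz"

uuid@^8.3.2:
  version "8.3.2"
  resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz"
`;

// Parse a v1 lockfile into records of {name, descriptors, version}.
// A record header is an unindented, comma-separated list of "name@range"
// descriptors ending in ':'; the indented "version" line gives the result.
function parseLockfile(text) {
  const records = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const descriptors = raw
        .replace(/:$/, "")
        .split(",")
        .map((d) => d.trim().replace(/^"|"$/g, ""));
      // lastIndexOf handles scoped names such as @scope/pkg@^1.0.0
      const first = descriptors[0];
      const name = first.slice(0, first.lastIndexOf("@"));
      current = { name, descriptors, version: null };
      records.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return records;
}

// "^6.15.2" / "~6.15.2" / "6.15.2" -> [6, 15, 2]; prerelease tags are ignored.
function parseVersion(v) {
  const [core] = v.replace(/^[\^~>=<\s]+/, "").split("-");
  return core.split(".").map(Number);
}

// Numeric three-part comparison: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns a list of findings; an empty list means every forced package
// resolved at or above its floor for every descriptor in the lockfile.
function checkResolutions(lockText, resolutions) {
  const findings = [];
  const records = parseLockfile(lockText);
  for (const [name, range] of Object.entries(resolutions)) {
    const floor = parseVersion(range);
    const floorText = floor.join(".");
    const entries = records.filter((r) => r.name === name);
    if (entries.length === 0) {
      findings.push(`${name}: no lockfile entry (resolution unused or package absent)`);
      continue;
    }
    for (const r of entries) {
      if (compareVersions(parseVersion(r.version), floor) < 0) {
        findings.push(
          `${name}: ${r.descriptors.join(", ")} resolved to ${r.version} < ${floorText}`
        );
      }
    }
  }
  return findings;
}

const report = checkResolutions(LOCKFILE, RESOLUTIONS);
console.log(report.length === 0 ? "all resolutions effective" : report.join("\n"));
```

Run it with `node check-resolutions.js`; against a real checkout, replace the two constants with `fs.readFileSync("yarn.lock", "utf8")` and the `resolutions` field of `package.json`. A clean `yarn install`, which is what the Test Plan above checks, does not by itself prove the override applied. Note also that a resolution overrides the dependent's own declared range: sockjs asks for `^8.3.2` and gets uuid 11, a major-version jump, so the code path that loads sockjs deserves an actual run, not only an install.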
vercel bot commented Jun 3, 2026
Your Vercel team React Foundation is not permitted to deploy from this git repository. Contact an administrator to add github organization facebook as a Protected Git Scope in React Foundation on Vercel. Once added, commit again to see your changes.

Learn more: https://vercel.com/docs/security/protected-git-scopes

netlify bot commented Jun 3, 2026
Deploy Preview for react-native ready!

  • Latest commit: 1e345ee
  • Latest deploy log: https://app.netlify.com/projects/react-native/deploys/6a203d3c9df3cb0008d24492
  • Deploy Preview: https://deploy-preview-5110--react-native.netlify.app

cortinico requested a review from Simek June 3, 2026 14:43

cortinico (Contributor, Author) commented

@Simek can you do a pass on this one? This should solve 2 security advisories I received for the website repo.

Simek (Collaborator) left a comment

LGTM! 👍

cortinico merged commit a6a9e8b into main Jun 3, 2026
9 of 10 checks passed
cortinico deleted the fix/security-vulnerabilities-qs-uuid branch June 3, 2026 16:25