Security: bump vulnerable dependencies (Dependabot Tiers 1-3)

RubyGems (bundle update --conservative jwt devise faraday): - jwt 3.1.2 → 3.2.0 (CVE-2026-45736: empty-key HMAC bypass) - devise 5.0.3 → 5.0.4 (CVE-2026-40295: open redirect via referrer) - faraday 2.14.1 → 2.14.2 (CVE-2026-33637: protocol-relative URI) npm direct deps (yarn upgrade): - @eid-easy/eideasy-widget 2.171.0 → 2.174.0, pulling browser-client 2.135.0 → 2.140.0 which updates axios 1.8.2 → 1.16.1 (clears all 14 axios CVEs incl. prototype pollution, SSRF, DoS, header injection) - rollbar 2.26.4 → 2.26.5 (CVE-2025-62517: prototype pollution) - webpack-dev-server 5.2.3 → 5.2.4 (CVE-2026-6402: cross-origin src) - postcss ^8.4.31 → ^8.5.10, resolved to 8.5.15 (CVE-2026-41305: XSS) npm transitive (yarn resolutions + postcss direct-dep bump): cross-spawn → 7.0.6, flatted → 3.4.2, glob → 10.5.0, immutable → 4.3.8, js-yaml → 4.1.1, lodash → 4.18.1, markdown-it → 14.1.1, micromatch → 4.0.8, nanoid → 3.3.12, picomatch → 2.3.2, postcss → 8.5.15, svgo → 3.3.3 Remaining open alerts (multi-major transitive, build-tool DoS only, near-zero production impact): minimatch (3.x/9.x), semver (6.x/7.x), yaml (1.x/2.x), brace-expansion (1.x/2.x), serialize-javascript (6→7 major), ws (7.x), Vue 2 (eideasy-widget 2.x, needs 3.x migration). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 month ago · 1edc41c981
parent 5433aa4dc3
commit 1edc41c981
3 changed files with 526 additions and 599 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -161,7 +161,7 @@ GEM
      irb (~> 1.10)
      reline (>= 0.3.8)
    declarative (0.0.20)
-    devise (5.0.3)
+    devise (5.0.4)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 7.0)
@ -195,7 +195,7 @@ GEM
      railties (>= 6.1.0)
    faker (3.6.1)
      i18n (>= 1.8.11, < 2)
-    faraday (2.14.1)
+    faraday (2.14.2)
      faraday-net_http (>= 2.0, < 3.5)
      json
      logger
@ -277,7 +277,7 @@ GEM
      reline (>= 0.4.2)
    jmespath (1.6.2)
    json (2.19.3)
-    jwt (3.1.2)
+    jwt (3.2.0)
      base64
    language_server-protocol (3.17.0.5)
    launchy (3.1.1)
--- a/package.json
+++ b/package.json
@ -48,7 +48,7 @@
    "daisyui": "^3.9.4",
    "driver.js": "^1.3.5",
    "mini-css-extract-plugin": "^2.10.0",
-    "postcss": "^8.4.31",
+    "postcss": "^8.5.10",
    "postcss-import": "^15.1.0",
    "postcss-loader": "^7.3.0",
    "qr-creator": "^1.0.0",
@ -85,6 +85,20 @@
  "browserslist": [
    "last 5 years"
  ],
+  "resolutions": {
+    "cross-spawn": "7.0.6",
+    "flatted": "3.4.2",
+    "glob": "10.5.0",
+    "immutable": "4.3.8",
+    "js-yaml": "4.1.1",
+    "lodash": "4.18.1",
+    "markdown-it": "14.1.1",
+    "micromatch": "4.0.8",
+    "nanoid": "3.3.12",
+    "picomatch": "2.3.2",
+    "postcss": "8.5.15",
+    "svgo": "3.3.3"
+  },
  "devDependencies": {
    "@babel/eslint-parser": "^7.21.8",
    "babel-eslint": "^10.1.0",
--- a/yarn.lock
+++ b/yarn.lock