fix(QTDI-3091): CVE 2026-07 - npm security updates#1244
Pull request overview
Updates multiple frontend npm dependency constraints and lockfiles to address listed CVEs (js-yaml, http-proxy-middleware, form-data, shell-quote, launch-editor, webpack-dev-server, @babel/core) across the documentation site and the two webapps.
Changes:
- Bump `js-yaml` to `4.2.0` in the documentation frontend template/lockfile.
- Update the `webpack-dev-server` patch version and add/adjust `overrides` to pull in newer patched transitive packages (Babel, form-data, shell-quote, launch-editor, etc.).
- Regenerate the `package-lock.json` files to reflect the updated dependency graph.
Reviewed changes
Copilot reviewed 5 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| documentation/src/main/frontend/package-template.json | Updates js-yaml override version. |
| documentation/src/main/frontend/package-lock.json | Updates locked js-yaml to match template and refreshes metadata. |
| component-tools-webapp/src/main/frontend/package.json | Adjusts deps/devDeps and expands overrides for security fixes. |
| component-tools-webapp/src/main/frontend/package-template.json | Mirrors package.json dependency/override updates for templating. |
| component-tools-webapp/src/main/frontend/package-lock.json | Refreshes lockfile after dependency/override changes (Babel, form-data, http-proxy-middleware, etc.). |
| component-starter-server/src/main/frontend/package.json | Adjusts devDeps and expands overrides for security fixes. |
| component-starter-server/src/main/frontend/package-template.json | Mirrors package.json dependency/override updates for templating. |
| component-starter-server/src/main/frontend/package-lock.json | Refreshes lockfile after dependency/override changes (Babel, form-data, http-proxy-middleware, etc.). |
Files not reviewed (3)
- component-starter-server/src/main/frontend/package-lock.json: Generated file
- component-tools-webapp/src/main/frontend/package-lock.json: Generated file
- documentation/src/main/frontend/package-lock.json: Generated file
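As an added example (not part of this PR or the project), a check a reviewer can run against the regenerated `package-lock.json` files: it walks the lockfile's `packages` map and flags every resolved copy of an affected package, nested copies included, that is still below the floor this PR bumps it to. The floors are the versions visible on this page; the lockfile content is a constructed fixture.

```javascript
// Added example, not part of the PR: walk a package-lock.json (v2/v3) "packages" map and
// flag every resolved copy of an affected package below the floor this PR bumps it to.
const FLOORS = { "js-yaml": "4.2.0", "form-data": "4.0.4", "webpack-dev-server": "5.2.5" };

// Minimal "major.minor.patch" comparison (no prerelease tags): negative if a < b, 0 if equal.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name from a lockfile key such as "node_modules/a/node_modules/@scope/b".
function nameFromPath(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns [{ key, name, version, required }] for every copy below its floor, including
// nested copies that a top-level bump or an "overrides" entry may not have reached.
function findStaleCopies(lock, floors = FLOORS) {
  const stale = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = nameFromPath(key);
    const floor = floors[name];
    if (floor && meta.version && compareVersions(meta.version, floor) < 0) {
      stale.push({ key, name, version: meta.version, required: floor });
    }
  }
  return stale;
}

// Constructed fixture: the top-level js-yaml is patched, but a copy nested under another
// dependency is still on the 3.x line and would survive a naive top-level check.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend" },
    "node_modules/js-yaml": { version: "4.2.0" },
    "node_modules/some-tool/node_modules/js-yaml": { version: "3.14.1" },
    "node_modules/form-data": { version: "4.0.4" },
    "node_modules/webpack-dev-server": { version: "5.2.5" },
  },
};

console.log(findStaleCopies(SAMPLE_LOCK)); // reports only the nested js-yaml 3.14.1 copy
```

To run it against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means every resolved copy meets its floor.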
Pull request overview
Copilot reviewed 7 out of 10 changed files in this pull request and generated 2 comments.
Files not reviewed (3)
- component-starter-server/src/main/frontend/package-lock.json: Generated file
- component-tools-webapp/src/main/frontend/package-lock.json: Generated file
- documentation/src/main/frontend/package-lock.json: Generated file
Pull request overview
Copilot reviewed 7 out of 10 changed files in this pull request and generated 3 comments.
Files not reviewed (3)
- component-starter-server/src/main/frontend/package-lock.json: Generated file
- component-tools-webapp/src/main/frontend/package-lock.json: Generated file
- documentation/src/main/frontend/package-lock.json: Generated file
| devServer.app.use(bodyParser.urlencoded({ extended: true })); | ||
| devServer.app.use(bodyParser.json()); | ||
| // Use the `unshift` method if you want to run a middleware before all other middlewares | ||
| // or when you are migrating from the `onBeforeSetupMiddleware` option | ||
| middlewares.unshift({ | ||
| name: "project-configuration", | ||
| path: "/api/v1/application/index", | ||
| middleware: getApplication, | ||
| }); | ||
|
|
||
| middlewares.unshift({ | ||
| name: "project-configuration", | ||
| path: "/api/v1/application/detail/:detailId", | ||
| middleware: getApplicationDetail, | ||
| }); | ||
| devServer.app.get("/api/v1/application/index", getApplication); | ||
| devServer.app.get("/api/v1/application/detail/:detailId", getApplicationDetail); | ||
|
|
||
| devServer.app.use( | ||
| createProxyMiddleware({ | ||
| pathFilter: "/api", | ||
| target: process.env.API_URL || "http://localhost:10101", | ||
| changeOrigin: true, | ||
| secure: false, | ||
| }) |
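Review bot: `secure: false` in the `createProxyMiddleware` options disables TLS certificate verification for the proxy target. That is harmless while `target` falls back to `http://localhost:10101`, but the same line lets `process.env.API_URL` point the dev server at an `https://` backend whose certificate is then never checked; either drop `secure: false` (the default verifies) or derive it from the target, e.g. `secure: !target.startsWith("http://")`. Separately, `bodyParser.json()` and `bodyParser.urlencoded()` are mounted on `devServer.app` ahead of the proxy, so a request body on `/api` has already been consumed when the proxy streams it upstream; http-proxy-middleware ships `fixRequestBody` for exactly this (`on: { proxyReq: fixRequestBody }`), or the parsers can be mounted only on the two mock routes that need them.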
| "devDependencies": { | ||
| "@talend/scripts-config-react-webpack": "^16.8.0", | ||
| "@talend/scripts-core": "^16.5.1", | ||
| "atob": "^2.1.2", | ||
| "body-parser": "^1.18.3", | ||
| "cross-env": "^7.0.3", | ||
| "form-data": ">=4.0.4", | ||
| "webpack": "5.105.4", | ||
| "webpack-dev-server": "5.2.4" | ||
| "webpack-dev-server": "^5.2.5" | ||
| }, |
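Review bot: `"form-data": ">=4.0.4"` is an unbounded range, so it will accept any future major release of form-data and pull a breaking version in silently on the next install. If the intent is to force the patched release onto transitive consumers, a direct devDependency does not reach nested copies anyway; that belongs in the `overrides` block this PR already extends, with a bounded range such as `"^4.0.4"`. The pin style in the same block is also mixed (`"webpack": "5.105.4"` exact, `"webpack-dev-server": "^5.2.5"` caret); choose one so the lockfile regeneration is reproducible.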
| "devDependencies": { | ||
| "@talend/scripts-config-react-webpack": "^16.8.0", | ||
| "@talend/scripts-core": "^16.5.1", | ||
| "atob": "^2.1.2", | ||
| "body-parser": "^1.18.3", | ||
| "cross-env": "^7.0.3", | ||
| "form-data": ">=4.0.4", | ||
| "webpack": "5.105.4", | ||
| "webpack-dev-server": "5.2.4" | ||
| "webpack-dev-server": "^5.2.5" | ||
| }, |
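Review bot: `"form-data": ">=4.0.4"` here is an unbounded range that accepts every future major of form-data; a bounded `"^4.0.4"` placed in `overrides` forces the patched release on nested copies without that risk, while a direct devDependency entry does not override them at all. The exact `"webpack": "5.105.4"` pin next to the caret `"webpack-dev-server": "^5.2.5"` range should also be reconciled so both webapps resolve the same way.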
LLM Sonnet thinks that we need to make changes in this PR:
ozhelezniak-talend left a comment
LGTM
But we need to validate the change, that the code still works.

0 New Issues
0 Fixed Issues
0 Accepted Issues
No data about coverage (0.00% Estimated after merge)
Requirements
Why is this PR needed?
CVE-2026-53550 Js-Yaml 3.14.2
CVE-2026-55602 HTTP-Proxy-Middleware 2.0.9
CVE-2026-12143 Form-Data 4.0.5
CVE-2026-9277 shell-quote quote() does not escape newlines in object .op values
CVE-2026-53632 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
CVE-2026-9595 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
CVE-2026-49356 @babel/core: Arbitrary File Read via sourceMappingURL Comment
What does this PR add (design/code thoughts)?
AI generated code
https://internal.qlik.dev/general/ways-of-working/code-reviews/#guidelines-for-ai-generated-code