Skip to content

Commit 73c7b77

Browse files
brendan-kellamclaude
brendan-kellam
and
claude
authored
chore(web): bump @aws-sdk/credential-providers to ^3.1036.0 (CVE-2026-41650) (#1148)
* chore(web): bump @aws-sdk/credential-providers to ^3.1036.0 to patch CVE-2026-41650 Fixes SOU-982 Bumps `@aws-sdk/credential-providers` from `^3.1023.0` to `^3.1036.0`, which transitively pulls in `@aws-sdk/xml-builder@3.972.19` and `fast-xml-parser@5.7.1`, resolving CVE-2026-41650 (GHSA-gh4j-gqv2-49f6). CVE-2026-41650 describes missing escaping of `-->` and `]]>` sequences in `XMLBuilder`'s comment and CDATA serialization. The AWS SDK only uses `XMLParser` (not `XMLBuilder`), so the vulnerable code path is not reachable in this tree — this bump is an SCA-alert cleanup. Preferred over a yarn resolution override so we follow AWS SDK's own dependency ranges instead of bypassing them. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: add CHANGELOG entry for fast-xml-parser fix Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * changelog --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 9abe2d4 commit 73c7b77

3 files changed

Lines changed: 579 additions & 515 deletions

File tree

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1313
### Fixed
1414
- Fixed a missing error boundary in `getFileSourceForRepo` introduced in v4.16.14: the function was extracted outside `sew()` but still re-threw unrecognised git exceptions, causing fatal Next.js task-runner errors. All error paths now return a `ServiceError`. Also tightened the error message for unresolved git refs (e.g. an unfetched `head_sha`) to distinguish them from syntactically invalid refs. [#1145](https://github.com/sourcebot-dev/sourcebot/pull/1145)
1515
- Bumped transitive `uuid` dependency to `^14.0.0`. [#1147](https://github.com/sourcebot-dev/sourcebot/pull/1147)
16+
- Bumped `@aws-sdk/credential-providers` to `^3.1036.0`. [#1148](https://github.com/sourcebot-dev/sourcebot/pull/1148)
1617

1718
## [4.16.14] - 2026-04-21
1819

packages/web/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@
2626
"@ai-sdk/react": "^3.0.169",
2727
"@ai-sdk/xai": "^3.0.83",
2828
"@auth/prisma-adapter": "^2.11.1",
29-
"@aws-sdk/credential-providers": "^3.1023.0",
29+
"@aws-sdk/credential-providers": "^3.1036.0",
3030
"@codemirror/commands": "^6.6.0",
3131
"@codemirror/lang-cpp": "^6.0.2",
3232
"@codemirror/lang-css": "^6.3.0",

0 commit comments

Comments
 (0)