What's new
chore: patch 9 HIGH-severity npm CVE alerts (#289)
The weekly Docker Scout scan surfaced 9 HIGH alerts in transitive npm deps. All have fixed versions upstream; pinned via package.json overrides.
| Package | Bumped to | CVEs |
|---|---|---|
| @xmldom/xmldom | 0.8.13 | CVE-2026-41672, CVE-2026-41673, CVE-2026-41674, CVE-2026-41675 |
| devalue | 5.8.1 | CVE-2026-42570 |
| kysely | 0.28.17 | CVE-2026-44635 |
| fast-uri | 3.1.2 | CVE-2026-6321, CVE-2026-6322 |
| fast-xml-builder | 1.1.7 | CVE-2026-44665 |
chore: prune npm overrides that are no longer load-bearing (#290)
Internal cleanup. Removed 5 stale overrides (defu, fast-xml-parser, node-forge, rollup, svgo) whose constraints are now satisfied naturally by the transitive dep graph. Verified by removing each and confirming the resolved version and tree shape are identical.
No behavior change — only package.json housekeeping.
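The two checks behind #289 and #290, as an added example that is not part of this project's tooling: given `package-lock.json` v3 data, confirm that every copy of an overridden package in the tree is actually at the pinned version (an override that only pins the top-level copy leaves a nested vulnerable copy in the image), and diff two lock snapshots path-by-path to confirm that deleting an override changed neither resolved versions nor tree shape. The lock contents and the `some-lib` dependency are constructed for illustration; in practice the "before" and "after" snapshots come from `npm install --package-lock-only` run before and after `npm pkg delete overrides.<name>`.

```javascript
// Added example (not the project's own code): static checks over
// package-lock.json v3 "packages" maps. All lock data below is constructed.

// Derive the package name from a lock path, e.g.
// "node_modules/a/node_modules/@xmldom/xmldom" -> "@xmldom/xmldom".
function nameFromLockPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Map each installed package name to every version present anywhere in
// the tree, nested copies included. Entries without "node_modules/" in the
// path (the "" root, workspace folders) are not installed packages and are skipped.
function resolvedVersions(lock) {
  const byName = new Map();
  for (const [p, entry] of Object.entries(lock.packages)) {
    if (!p.includes("node_modules/") || !entry.version) continue;
    const name = nameFromLockPath(p);
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(entry.version);
  }
  return byName;
}

// An override is only effective if every copy of the package is at the
// pinned version. Returns { name: [offending versions] }, empty when clean.
function overrideViolations(lock, overrides) {
  const versions = resolvedVersions(lock);
  const bad = {};
  for (const [name, pinned] of Object.entries(overrides)) {
    const seen = versions.get(name);
    if (!seen) continue; // not installed at all, nothing to pin
    const wrong = [...seen].filter((v) => v !== pinned);
    if (wrong.length) bad[name] = wrong;
  }
  return bad;
}

// Compare two lock trees by path (shape) and by version. An empty result
// means removing the override was a no-op and it can be pruned.
function diffLockTrees(before, after) {
  const changes = [];
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  for (const p of [...paths].sort()) {
    const a = before.packages[p];
    const b = after.packages[p];
    if (!a) changes.push(`+ ${p} ${b.version ?? ""}`);
    else if (!b) changes.push(`- ${p} ${a.version ?? ""}`);
    else if (a.version !== b.version) changes.push(`~ ${p} ${a.version} -> ${b.version}`);
  }
  return changes;
}

// Constructed sample data: two of the #289 pins and a hypothetical
// dependent "some-lib" that hard-pins an older @xmldom/xmldom.
const OVERRIDES = { "@xmldom/xmldom": "0.8.13", devalue: "5.8.1" };

const LOCK_WITH_OVERRIDES = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@xmldom/xmldom": { version: "0.8.13" },
    "node_modules/devalue": { version: "5.8.1" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { "@xmldom/xmldom": "0.8.10" } },
  },
};

// After deleting the devalue override: identical tree, so it is not load-bearing.
const LOCK_WITHOUT_DEVALUE_OVERRIDE = { packages: { ...LOCK_WITH_OVERRIDES.packages } };

// After deleting the xmldom override: some-lib gets its own nested 0.8.10
// copy, so that override is load-bearing and must stay.
const LOCK_WITHOUT_XMLDOM_OVERRIDE = {
  packages: {
    ...LOCK_WITH_OVERRIDES.packages,
    "node_modules/some-lib/node_modules/@xmldom/xmldom": { version: "0.8.10" },
  },
};

console.log("violations (pinned):", overrideViolations(LOCK_WITH_OVERRIDES, OVERRIDES));
console.log("violations (xmldom override removed):", overrideViolations(LOCK_WITHOUT_XMLDOM_OVERRIDE, OVERRIDES));
console.log("diff (devalue override removed):", diffLockTrees(LOCK_WITH_OVERRIDES, LOCK_WITHOUT_DEVALUE_OVERRIDE));
console.log("diff (xmldom override removed):", diffLockTrees(LOCK_WITH_OVERRIDES, LOCK_WITHOUT_XMLDOM_OVERRIDE));
```

`overrideViolations` is the check worth keeping in CI after a scan-driven bump: Docker Scout flags the nested copy just as readily as the top-level one, and `npm ls <pkg>` only shows the problem if you remember to look.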
Note on remaining Docker Scout alerts
The remaining HIGH alerts in the image are not addressable via npm and will be picked up separately:

- git-lfs (Go stdlib, 5 CVEs): the CVEs are in the Go runtime compiled into the binary, so the git-lfs binary in the Dockerfile needs to be bumped to a build made with Go ≥ 1.25.10. A newer git-lfs release only helps if it was built with that toolchain; `go version -m $(command -v git-lfs)` prints the Go version embedded in the binary and is the check to run before calling this closed.
- gnutls28 (Debian, 4 CVEs): upstream shows "not fixed" yet.
- nghttp2 (Debian, 1 CVE): a base image rebuild will pick it up on the next `bun:debian` bump. The rebuild has to re-pull the tag (for example `docker build --pull`); a build that reuses a cached base layer reproduces the old nghttp2 and the alert stays.