fix(deps): bump svgo to 4.0.1 to fix DoS via entity expansion#19651

Merged
chargome merged 3 commits into develop from fix/dependabot-alert-1132 on Mar 5, 2026
Conversation

@chargome chargome commented Mar 5, 2026

Fixes Dependabot alert #1132 (CVE-2026-29074).

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Missing sax@^1.5.0 lockfile resolution defeats security fix
    • Added yarn resolution to force all sax dependencies to use version 1.5.0, consolidating previously split entries and ensuring the CVE-2026-29074 security fix is applied across all packages.

Preview (1ab325b2c4)
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -156,7 +156,8 @@
     "wide-align/string-width": "4.2.3",
     "cliui/wrap-ansi": "7.0.0",
     "sucrase": "getsentry/sucrase#es2020-polyfills",
-    "**/express/path-to-regexp": "0.1.12"
+    "**/express/path-to-regexp": "0.1.12",
+    "sax": "^1.5.0"
   },
   "version": "0.0.0",
   "name": "sentry-javascript"
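Review bot: `"sax": "^1.5.0"` is a floating caret range, whereas the neighbouring overrides in this `resolutions` block pin exact versions (`"4.2.3"`, `"7.0.0"`, `"0.1.12"`) or a named git branch; if only a floor for the CVE-2026-29074 fix is intended that is acceptable, but pin it as `"sax": "1.5.0"` to match the file's convention, or say in the PR description why a range was chosen. Note also that a bare package name in Yarn v1 `resolutions` overrides every nested `sax` in the tree, including consumers that declared an incompatible range (the yarn.lock hunk in this same preview moves `sax@~1.2.4` to 1.5.0), so confirm those consumers still behave with the forced version.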

diff --git a/yarn.lock b/yarn.lock
--- a/yarn.lock
+++ b/yarn.lock
@@ -26629,16 +26629,11 @@
     immutable "^4.0.0"
     source-map-js ">=0.6.2 <2.0.0"
 
-sax@^1.2.4, sax@^1.4.1:
-  version "1.4.4"
-  resolved "https://registry.yarnpkg.com/sax/-/sax-1.4.4.tgz#f29c2bba80ce5b86f4343b4c2be9f2b96627cf8b"
-  integrity sha512-1n3r/tGXO6b6VXMdFT54SHzT9ytu9yr7TaELowdYpMqY/Ao7EnlQGmAQ1+RatX7Tkkdm6hONI2owqNx2aZj5Sw==
+sax@^1.2.4, sax@^1.5.0, sax@~1.2.4:
+  version "1.5.0"
+  resolved "https://registry.yarnpkg.com/sax/-/sax-1.5.0.tgz#b5549b671069b7aa392df55ec7574cf411179eb8"
+  integrity sha512-21IYA3Q5cQf089Z6tgaUTr7lDAyzoTPx5HRtbhsME8Udispad8dC/+sziTNugOEx54ilvatQ9YCzl4KQLPcRHA==
 
-sax@~1.2.4:
-  version "1.2.4"
-  resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.4.tgz#2816234e2378bddc4e5354fab5caa895df7100d9"
-  integrity sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==
-
 saxes@^6.0.0:
   version "6.0.0"
   resolved "https://registry.yarnpkg.com/saxes/-/saxes-6.0.0.tgz#fe5b4a4768df4f14a201b1ba6a65c1f3d9988cc5"
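Review bot: the merged entry `sax@^1.2.4, sax@^1.5.0, sax@~1.2.4` no longer lists the `sax@^1.4.1` specifier that the removed `sax@^1.2.4, sax@^1.4.1` entry carried; either a dependency stopped requesting `^1.4.1` in this PR (presumably the svgo bump) or the preview was produced against a different base, so please confirm, because a requester left behind would make the next `yarn install` regenerate a separate entry. Before merging, verify the new `integrity` value (`sha512-21IYA3Q5...`) and `resolved` URL against the registry (for example `npm view sax@1.5.0 dist.integrity`, or a clean `yarn install --frozen-lockfile`) rather than trusting a hash produced by an autofix bot. Moving the `~1.2.4` consumer to 1.5.0 is exactly what the resolution is for, but it is an out-of-range override and deserves a sentence in the PR description.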
@@ -28096,7 +28091,6 @@
 
 sucrase@^3.27.0, sucrase@^3.35.0, sucrase@getsentry/sucrase#es2020-polyfills:
   version "3.36.0"
-  uid fd682f6129e507c00bb4e6319cc5d6b767e36061
   resolved "https://codeload.github.com/getsentry/sucrase/tar.gz/fd682f6129e507c00bb4e6319cc5d6b767e36061"
   dependencies:
     "@jridgewell/gen-mapping" "^0.3.2"
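Review bot: dropping the `uid fd682f6129e507c00bb4e6319cc5d6b767e36061` line from the git-sourced sucrase entry is unrelated to the sax fix and looks like lockfile normalisation by a different Yarn version when the file was rewritten. Either revert it so this security PR stays limited to the svgo/sax change, or note in the description that the lockfile was regenerated and this is a side effect. The `resolved` URL still carries the same commit hash, so the pinned source itself is unchanged.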
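
A `resolutions` entry in package.json only takes effect once yarn.lock has been regenerated, so the review question for this PR is whether any `sax` entry below 1.5.0 survived in the lockfile. The following is an added example, not code from the sentry-javascript repository or from the Bugbot output above: a small audit that parses a Yarn v1 lockfile and lists every entry for a named package whose resolved version is below a required minimum. The two lockfile snippets are constructed from the versions shown in the diff above (one "before" state with split 1.4.4/1.2.4 entries, one "after" state with a single 1.5.0 entry); the version comparison ignores pre-release tags, a deliberate simplification so the script needs no `semver` dependency. Function names are the example's own.

```javascript
"use strict";

// Parse a yarn.lock v1 file into [{ specs, version }]. Each entry starts at
// column 0 with one or more comma-separated "name@range" specifiers followed
// by a colon (specifiers containing a slash are quoted); the entry's
// resolved version is on an indented `version "x.y.z"` line.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const specs = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Package name of a specifier such as `@scope/name@^1.0.0` or `sax@~1.2.4`.
// Matching on the exact name (not a prefix) keeps `saxes` out of a `sax` audit.
function specName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Compare dotted numeric versions; pre-release suffixes are ignored
// (simplification noted in the lead-in). Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile entry for `pkg` that resolves below `minVersion` (or has no
// version line at all). An empty result means the fix is applied tree-wide.
function findVulnerableEntries(lockText, pkg, minVersion) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.specs.some((s) => specName(s) === pkg))
    .filter((e) => e.version === null || compareVersions(e.version, minVersion) < 0)
    .map((e) => ({ specs: e.specs, version: e.version }));
}

// Constructed sample: lockfile state before the resolution, with the two
// split sax entries taken from the removed lines of the diff.
const LOCK_BEFORE = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

sax@^1.2.4, sax@^1.4.1:
  version "1.4.4"
  resolved "https://registry.yarnpkg.com/sax/-/sax-1.4.4.tgz#f29c2bba80ce5b86f4343b4c2be9f2b96627cf8b"

sax@~1.2.4:
  version "1.2.4"
  resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.4.tgz#2816234e2378bddc4e5354fab5caa895df7100d9"

saxes@^6.0.0:
  version "6.0.0"
`;

// Constructed sample: lockfile state after the resolution, all ranges merged.
const LOCK_AFTER = `
sax@^1.2.4, sax@^1.5.0, sax@~1.2.4:
  version "1.5.0"
  resolved "https://registry.yarnpkg.com/sax/-/sax-1.5.0.tgz#b5549b671069b7aa392df55ec7574cf411179eb8"

saxes@^6.0.0:
  version "6.0.0"
`;

console.log("before:", findVulnerableEntries(LOCK_BEFORE, "sax", "1.5.0"));
console.log("after:", findVulnerableEntries(LOCK_AFTER, "sax", "1.5.0"));
```

Pointing `findVulnerableEntries` at a real yarn.lock (read with `fs.readFileSync`) makes it a cheap CI gate for a Dependabot-style fix: the check fails while any stale entry remains, independently of whether package.json carries the resolution.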

@chargome chargome self-assigned this Mar 5, 2026
@chargome chargome marked this pull request as draft March 5, 2026 11:56

github-actions bot commented Mar 5, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 25.63 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.13 kB | - | - |
| @sentry/browser (incl. Tracing) | 42.43 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 47.09 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 81.25 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 70.87 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 85.95 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 98.21 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.44 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.3 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.35 kB | - | - |
| @sentry/browser (incl. Metrics) | 26.8 kB | - | - |
| @sentry/browser (incl. Logs) | 26.94 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.61 kB | - | - |
| @sentry/react | 27.38 kB | - | - |
| @sentry/react (incl. Tracing) | 44.77 kB | - | - |
| @sentry/vue | 30.08 kB | - | - |
| @sentry/vue (incl. Tracing) | 44.3 kB | - | - |
| @sentry/svelte | 25.66 kB | - | - |
| CDN Bundle | 28.17 kB | - | - |
| CDN Bundle (incl. Tracing) | 43.26 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 29.01 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.1 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.09 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 80.14 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.65 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.53 kB | - | - |
| CDN Bundle - uncompressed | 82.35 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 128.07 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 85.19 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 130.9 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 208.85 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 244.95 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 247.77 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 257.86 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 260.67 kB | - | - |
| @sentry/nextjs (client) | 47.18 kB | - | - |
| @sentry/sveltekit (client) | 42.89 kB | - | - |
| @sentry/node-core | 52.25 kB | +0.02% | +8 B 🔺 |
| @sentry/node | 174.71 kB | +0.01% | +4 B 🔺 |
| @sentry/node - without tracing | 97.4 kB | +0.02% | +12 B 🔺 |
| @sentry/aws-serverless | 113.2 kB | +0.01% | +8 B 🔺 |

View base workflow run


github-actions bot commented Mar 5, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 8,838 | - | 8,720 | +1% |
| GET With Sentry | 1,641 | 19% | 1,590 | +3% |
| GET With Sentry (error only) | 5,982 | 68% | 5,921 | +1% |
| POST Baseline | 1,180 | - | 1,169 | +1% |
| POST With Sentry | 568 | 48% | 557 | +2% |
| POST With Sentry (error only) | 1,047 | 89% | 1,031 | +2% |
| MYSQL Baseline | 3,238 | - | 3,222 | +0% |
| MYSQL With Sentry | 397 | 12% | 363 | +9% |
| MYSQL With Sentry (error only) | 2,604 | 80% | 2,641 | -1% |

View base workflow run

@chargome chargome marked this pull request as ready for review March 5, 2026 17:40
@chargome chargome requested review from a team, Lms24, andreiborza and mydea and removed request for a team and mydea March 5, 2026 17:42
@chargome chargome enabled auto-merge (squash) March 5, 2026 17:42
@chargome chargome merged commit c3fa288 into develop Mar 5, 2026
223 of 225 checks passed
@chargome chargome deleted the fix/dependabot-alert-1132 branch March 5, 2026 19:19