security: bump next to 14.2.35 + glob override (Dependabot TICKET-20260325) #3

Open
marcusgear-devgru wants to merge 2 commits into main from security/docs-site-next-14.2.35

Conversation

@marcusgear-devgru
Contributor

Security: Dependabot Vulnerability Remediation

Ticket: TICKET-20260325-DTP-DEPENDABOT-VULN-AUDIT

What this fixes

| # | Severity | Package | Manifest | Fix |
|---|----------|---------|----------|-----|
| 1 | 🔴 CRITICAL | next | marketplace-web | 14.2.21 → 14.2.35 (Authorization Bypass in Middleware) |
| 7 | 🟠 HIGH | next | marketplace-web | bumped (DoS with Server Components) |
| 8 | 🟠 HIGH | next | marketplace-web | bumped (DoS - Incomplete Fix Follow-Up) |
| 13 | 🟠 HIGH | glob | mission-control | overrides >=10.5.0 (resolves to 13.0.6 via @next/eslint-plugin-next) |
| 2–6, 9, 11–12, 16–17, 22, 24–25 | 🟡 MEDIUM | next | various | bumped via 14.2.35 |
| 6, 2 | 🟢 LOW | next | marketplace-web | bumped |

Deferred (with rationale)

- HIGH #10, #15, #23: Next.js RSC DoS requires upgrade to ≥15.0.8. This is a major breaking change. All affected apps are pre-launch internal/staging only. Deferred to v0.2 sprint. Documented in SECURITY-STATUS-20260325.md.

False Positives

- #18, #19 (esbuild): Dependabot flags esbuild ≤0.24.2 but resolved version in lock files is 0.27.4 ≥ 0.25.0. False positive — no action needed.

Verification

After merge: `gh api repos/devgrutechnologies/onxza/dependabot/alerts --jq '[.[] | select(.state=="open" and (.security_advisory.severity=="critical" or .security_advisory.severity=="high"))]'` should return only the deferred HIGH items (RSC DoS, #10/#15/#23).

cc @aaron
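The verification step above relies on a jq filter plus a human remembering which alerts were deferred and which were false positives. As an added example that is not part of this PR or the onxza project, the following Python script performs that triage mechanically: it mirrors the jq filter (open alerts of critical/high severity), drops alerts whose resolved lockfile version lies outside the advisory's vulnerable range (the esbuild false-positive case), drops the documented deferrals, and reports anything left. It assumes the field layout of the GitHub Dependabot alerts API (`number`, `state`, `dependency.manifest_path`, `dependency.package.name`, `security_advisory.severity`, `security_vulnerability.vulnerable_version_range`) and a comparator-style range syntax such as `>= 14.0.0, < 14.2.35`. The alert list, resolved versions and deferred set are constructed sample data modelled on the numbers in this PR, not real API output.

```python
import json
import re

# Constructed sample shaped like `gh api .../dependabot/alerts` output.
# Alert numbers and summaries mirror the PR description; alert 99 is a
# made-up unresolved alert so the "needs_action" path is exercised.
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 1, "state": "open",
     "security_advisory": {"severity": "critical", "summary": "Authorization Bypass in Middleware"},
     "security_vulnerability": {"vulnerable_version_range": ">= 14.0.0, < 14.2.35"},
     "dependency": {"manifest_path": "marketplace-web/package.json", "package": {"name": "next"}}},
    {"number": 10, "state": "open",
     "security_advisory": {"severity": "high", "summary": "DoS with Server Components"},
     "security_vulnerability": {"vulnerable_version_range": "< 15.0.8"},
     "dependency": {"manifest_path": "marketplace-web/package.json", "package": {"name": "next"}}},
    {"number": 13, "state": "open",
     "security_advisory": {"severity": "high", "summary": "glob CLI command injection"},
     "security_vulnerability": {"vulnerable_version_range": "< 10.5.0"},
     "dependency": {"manifest_path": "mission-control/package.json", "package": {"name": "glob"}}},
    {"number": 18, "state": "open",
     "security_advisory": {"severity": "high", "summary": "esbuild (flagged <= 0.24.2)"},
     "security_vulnerability": {"vulnerable_version_range": "<= 0.24.2"},
     "dependency": {"manifest_path": "docs-site/package.json", "package": {"name": "esbuild"}}},
    {"number": 99, "state": "open",
     "security_advisory": {"severity": "high", "summary": "constructed: no lockfile entry"},
     "security_vulnerability": {"vulnerable_version_range": "< 2.0.0"},
     "dependency": {"manifest_path": "docs-site/package.json", "package": {"name": "example-pkg"}}},
])

# Constructed: versions as they would be read from each lockfile after this PR.
RESOLVED_VERSIONS = {
    ("marketplace-web/package.json", "next"): "14.2.35",
    ("mission-control/package.json", "glob"): "13.0.6",
    ("docs-site/package.json", "esbuild"): "0.27.4",
}

# Alerts the PR documents as deferred (RSC DoS, needs Next.js >= 15.0.8).
DEFERRED_ALERTS = {10, 15, 23}

_COMPARATOR = re.compile(r"(<=|>=|<|>|=)\s*([0-9][0-9.]*)")


def parse_version(text):
    """'14.2.35' -> (14, 2, 35); pre-release/build suffixes are dropped."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def _compare(a, b):
    """Three-way compare of version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_vulnerable_range(version, range_expr):
    """True if `version` satisfies every comma-separated comparator in `range_expr`."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        match = _COMPARATOR.fullmatch(clause.strip())
        if not match:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = match.group(1), parse_version(match.group(2))
        c = _compare(v, bound)
        if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]:
            return False
    return True


def classify(alert, resolved, deferred):
    """closed | not_affected (lockfile outside range) | deferred | needs_action."""
    if alert["state"] != "open":
        return "closed"
    dep = alert["dependency"]
    installed = resolved.get((dep["manifest_path"], dep["package"]["name"]))
    rng = alert["security_vulnerability"]["vulnerable_version_range"]
    if installed is not None and not in_vulnerable_range(installed, rng):
        return "not_affected"
    if alert["number"] in deferred:
        return "deferred"
    return "needs_action"


def triage(alerts_json, resolved, deferred):
    """Bucket every alert number by classification."""
    buckets = {"closed": [], "not_affected": [], "deferred": [], "needs_action": []}
    for alert in json.loads(alerts_json):
        buckets[classify(alert, resolved, deferred)].append(alert["number"])
    return buckets


def unexpected_critical_high(alerts_json, resolved, deferred):
    """The PR's jq filter (open + critical/high) minus deferrals and not-affected alerts."""
    return sorted(
        alert["number"] for alert in json.loads(alerts_json)
        if alert["security_advisory"]["severity"] in ("critical", "high")
        and classify(alert, resolved, deferred) == "needs_action"
    )


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS_JSON, RESOLVED_VERSIONS, DEFERRED_ALERTS))
    print("unexpected:", unexpected_critical_high(SAMPLE_ALERTS_JSON, RESOLVED_VERSIONS, DEFERRED_ALERTS))
```

In a real pipeline the JSON would come from the `gh api` call in the verification step and the resolved versions from the lockfiles; a non-empty `unexpected_critical_high` result is the condition to fail the post-merge check on. Note that `not_affected` covers both "fixed by this bump" and "was never affected" (the esbuild case), since the lockfile alone cannot tell those apart.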

ONXZA DevGru added 2 commits March 24, 2026 22:01
…alerts

Fixes:
- marketplace-web: next 14.2.21 -> 14.2.35 (critical: auth bypass CVE, high: DoS x2)
- docs-site: next ^14.2.0 pinned to 14.2.35 (addresses medium alerts)
- mission-control: add overrides.glob >=10.5.0 (high: glob CLI cmd injection via @next/eslint-plugin-next transitive dep; resolves to 13.0.6)

Deferred (documented in SECURITY-STATUS-20260325.md):
- Next.js 15.x requirement for RSC DoS (HIGH #10, #15, #23): major breaking change, deferred to v0.2 sprint

esbuild alerts #18/#19 confirmed false positives: resolved version 0.27.4 >= 0.25.0 required

Ticket: TICKET-20260325-DTP-DEPENDABOT-VULN-AUDIT