From 3feb4e55516606deeed7f9378f53cd80c93ce301 Mon Sep 17 00:00:00 2001
From: shubhamparikh2704
Date: Thu, 9 Oct 2025 12:19:11 +0530
Subject: [PATCH] fix: update dagre-d3-es patch hash to prevent prototype pollution
---
 patches/dagre-d3-es@7.0.11.patch | 27 ++++-----------------------
 pnpm-lock.yaml | 6 +++---
 2 files changed, 7 insertions(+), 26 deletions(-)
diff --git a/patches/dagre-d3-es@7.0.11.patch b/patches/dagre-d3-es@7.0.11.patch
index 2bdcf07da..3339aeb87 100644
--- a/patches/dagre-d3-es@7.0.11.patch
+++ b/patches/dagre-d3-es@7.0.11.patch
@@ -1,8 +1,8 @@
 diff --git a/src/dagre/position/bk.js b/src/dagre/position/bk.js
-index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..3f4e140dfd9f8f3f365300f04c087bc648868345 100644
+index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..72beff8b3830f1e3241455400f68843888b60a06 100644
 --- a/src/dagre/position/bk.js
 +++ b/src/dagre/position/bk.js
-@@ -129,13 +129,35 @@ function findOtherInnerSegmentNode(g, v) {
+@@ -129,6 +129,16 @@ function findOtherInnerSegmentNode(g, v) {
 } }
@@ -13,40 +13,21 @@ index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..3f4e140dfd9f8f3f365300f04c087bc6 + */ +function isSafeKey(key) { + // Reject prototype pollution vectors -+ var isSafe = key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; -+ if (!isSafe) { -+ console.log('[dagre-d3-es SECURITY] Blocked prototype pollution attempt with key:', key); -+ } -+ return isSafe; ++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; +} + function addConflict(conflicts, v, w) { -+ console.log('[dagre-d3-es] addConflict called with v:', v, 'w:', w); -+ if (v > w) { var tmp = v; - v = w; +@@ -136,6 +146,11 @@ function addConflict(conflicts, v, w) { w = tmp; } + // Validate keys to prevent prototype pollution + if (!isSafeKey(v) || !isSafeKey(w)) { -+ console.log('[dagre-d3-es SECURITY] addConflict blocked for keys v:', v, 'w:', w); + return; + } + var conflictsV = conflicts[v]; if (!conflictsV) { conflicts[v] = conflictsV = {}; -@@ -149,6 +171,11 @@ function hasConflict(conflicts, v, w) { - v = w; - w = tmp; - } -+ // Validate keys to prevent prototype pollution -+ if (!isSafeKey(v) || !isSafeKey(w)) { -+ console.log('[dagre-d3-es SECURITY] hasConflict blocked for keys v:', v, 'w:', w); -+ return false; -+ } - return !!conflicts[v] && Object.prototype.hasOwnProperty.call(conflicts[v], w); - } -
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d96af6d33..fc0eed50c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,7 +6,7 @@ settings:
 patchedDependencies:
 dagre-d3-es@7.0.11:
- hash: 86dd75cdc907d2e31dd8935b6b90eb5d86fa1cdb918a417f1adbc052d1e6cebe
+ hash: 9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188
 path: patches/dagre-d3-es@7.0.11.patch
 roughjs:
 hash: 3543d47108cb41b68ec6a671c0e1f9d0cfe2ce524fea5b0992511ae84c3c6b64
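Review bot: The new patch keeps the isSafeKey() guard in addConflict but drops the matching guard from hasConflict (the removed `-@@ -149,6 +171,11 @@ function hasConflict` inner hunk), so the write path and the read path no longer agree on which keys are legal; the collapsed outer/inner diff markers make the exact new side hard to read, so treat this as inferred. If `conflicts` is a plain object, as the nested `conflicts[v] = conflictsV = {}` suggests, then `conflicts['__proto__']` still resolves to `Object.prototype` on the read path and `hasOwnProperty.call(Object.prototype, 'constructor')` is true, so hasConflict can report a conflict that addConflict refused to record — not pollution, but an inconsistency the commit message does not mention. Either restore a symmetric check in hasConflict, `if (!isSafeKey(v) || !isSafeKey(w)) { return false; }`, or record the decision next to isSafeKey with a comment such as `// Write-side guard only: hasConflict reads conflicts[v] but never assigns, so it cannot pollute`. A prototype-less inner map, `conflicts[v] = conflictsV = Object.create(null);`, would also remove the reliance on a three-entry denylist, though the outer conflicts object is created outside this hunk. The enclosing addConflict and hasConflict bodies start and end outside the hunk.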
@@ -255,7 +255,7 @@ importers:
 version: 0.12.3
 dagre-d3-es:
 specifier: 7.0.11
- version: 7.0.11(patch_hash=86dd75cdc907d2e31dd8935b6b90eb5d86fa1cdb918a417f1adbc052d1e6cebe)
+ version: 7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188)
 dayjs:
 specifier: ^1.11.18
 version: 1.11.18
@@ -15164,7 +15164,7 @@ snapshots:
 d3-transition: 3.0.1(d3-selection@3.0.0)
 d3-zoom: 3.0.0
- dagre-d3-es@7.0.11(patch_hash=86dd75cdc907d2e31dd8935b6b90eb5d86fa1cdb918a417f1adbc052d1e6cebe):
+ dagre-d3-es@7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188):
 dependencies:
 d3: 7.9.0
 lodash-es: 4.17.21