fix: update dagre-d3-es patch hash to prevent prototype pollution

fix: add patch for dagre-d3-es to prevent prototype pollution
2025-10-10 09:39:38 +02:00 · 2025-10-09 12:19:11 +05:30 · 2025-10-09 12:06:37 +05:30
3 changed files with 40 additions and 3 deletions
--- a/package.json
+++ b/package.json
@@ -136,7 +136,8 @@
  },
  "pnpm": {
    "patchedDependencies": {
-      "roughjs": "patches/roughjs.patch"
+      "roughjs": "patches/roughjs.patch",
+      "dagre-d3-es@7.0.11": "patches/dagre-d3-es@7.0.11.patch"
    },
    "onlyBuiltDependencies": [
      "canvas",
--- a/patches/dagre-d3-es@7.0.11.patch
+++ b/patches/dagre-d3-es@7.0.11.patch
@@ -0,0 +1,33 @@
+diff --git a/src/dagre/position/bk.js b/src/dagre/position/bk.js
+index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..72beff8b3830f1e3241455400f68843888b60a06 100644
+--- a/src/dagre/position/bk.js
+++ b/src/dagre/position/bk.js
+@@ -129,6 +129,16 @@ function findOtherInnerSegmentNode(g, v) {
+   }
+ }
+ 
+/**
+ * Check if a key is safe to use as an object property to prevent prototype pollution
+ * @param {*} key - The key to check
+ * @returns {boolean} - True if the key is safe, false otherwise
+ */
+function isSafeKey(key) {
+  // Reject prototype pollution vectors
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+}
+
+ function addConflict(conflicts, v, w) {
+   if (v > w) {
+     var tmp = v;
+@@ -136,6 +146,11 @@ function addConflict(conflicts, v, w) {
+     w = tmp;
+   }
+ 
+  // Validate keys to prevent prototype pollution
+  if (!isSafeKey(v) || !isSafeKey(w)) {
+    return;
+  }
+
+   var conflictsV = conflicts[v];
+   if (!conflictsV) {
+     conflicts[v] = conflictsV = {};
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -5,6 +5,9 @@ settings:
  excludeLinksFromLockfile: false

 patchedDependencies:
+  dagre-d3-es@7.0.11:
+    hash: 9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188
+    path: patches/dagre-d3-es@7.0.11.patch
  roughjs:
    hash: 3543d47108cb41b68ec6a671c0e1f9d0cfe2ce524fea5b0992511ae84c3c6b64
    path: patches/roughjs.patch
@@ -252,7 +255,7 @@ importers:
        version: 0.12.3
      dagre-d3-es:
        specifier: 7.0.11
-        version: 7.0.11
+        version: 7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188)
      dayjs:
        specifier: ^1.11.18
        version: 1.11.18
@@ -15161,7 +15164,7 @@ snapshots:
      d3-transition: 3.0.1(d3-selection@3.0.0)
      d3-zoom: 3.0.0

-  dagre-d3-es@7.0.11:
+  dagre-d3-es@7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188):
    dependencies:
      d3: 7.9.0
      lodash-es: 4.17.21
Author	SHA1	Message	Date
shubhamparikh2704	3feb4e5551	fix: update dagre-d3-es patch hash to prevent prototype pollution	2025-10-09 12:19:11 +05:30
shubhamparikh2704	b945696721	fix: add patch for dagre-d3-es to prevent prototype pollution	2025-10-09 12:06:37 +05:30