fix: update diff, dompurify, yaml, and solid-js for security patches #8468

Merged

jeanduplessis merged 4 commits into main from security/pr5-diff-dompurify-yaml-solidjs on Apr 7, 2026
Conversation

@jeanduplessis (Contributor)
Summary

  • Updates diff catalog from 8.0.2 to 8.0.4 and kilo-vscode from ^7.0.0 to 8.0.4 (major bump but API-compatible)
  • Updates dompurify from 3.3.1 to 3.3.3 in catalog and packages/ui
  • Updates yaml from 2.8.2 to 2.8.3 in kilo-vscode
  • Updates solid-js catalog from 1.9.10 to 1.9.12 (fixes seroval transitively — 1.9.11+ uses seroval ~1.5.0 which is safe)

All are low-risk patch/minor bumps. The diff 7→8 major bump in kilo-vscode is the only notable change but the API is compatible.

Advisories Fixed

Advisory              Severity  Package                 Description
GHSA-73rr-hh4g-fpgx   Low       diff                    DoS in parsePatch/applyPatch
GHSA-h8r8-wccr-v5f2   Moderate  dompurify               Mutation-XSS via re-contextualization
GHSA-v2wj-7wpq-c8vv   Moderate  dompurify               XSS
GHSA-cjmm-f4jc-qw8r   Moderate  dompurify               ADD_ATTR URI validation bypass
GHSA-cj63-jhhr-wcxv   Moderate  dompurify               USE_PROFILES prototype pollution
GHSA-48c2-rrv3-qjmp   Moderate  yaml                    Stack overflow via nested collections
GHSA-66fc-rw6m-c2q6   High      seroval (via solid-js)  DoS via Array serialization
GHSA-hx9m-jf43-8ffr   High      seroval (via solid-js)  DoS via RegExp serialization
GHSA-3rxj-6cgf-8cfw   High      seroval (via solid-js)  RCE via JSON deserialization
GHSA-hj76-42vx-jwp4   High      seroval (via solid-js)  Prototype pollution
GHSA-3j22-8qj3-26mx   High      seroval (via solid-js)  DoS via deeply nested objects
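A bump like this is only done when no nested copy of the old version survives in the lockfile, which is exactly what the PR's dompurify override and the kilo-gateway solid-js switch address. The following is an added example, not code from this PR or from the kilocode repository: a small audit that walks a map of install paths to resolved specs and reports every copy of the touched packages that sits below the floor this PR moves it to. The lockfile shape (nested paths such as "mermaid/dompurify" for a dependency's private copy), the seroval floor of 1.5.0 (read from the summary's remark that solid-js 1.9.11+ uses seroval ~1.5.0) and the before/after sample trees are assumptions constructed for illustration.

```javascript
// Added example (not kilocode's own tooling): audit resolved package versions
// against the floors this PR moves to, including nested transitive copies.
// The lockfile shape and the sample trees below are constructed.

// Floors taken from the PR summary: the versions the catalog/overrides bump to,
// plus seroval 1.5.0, the line the PR says solid-js 1.9.11+ resolves to
// (assumption: the summary gives "~1.5.0", not an exact version).
const MIN_SAFE = {
  diff: "8.0.4",
  dompurify: "3.3.3",
  yaml: "2.8.3",
  "solid-js": "1.9.12",
  seroval: "1.5.0",
};

// "1.9.12" -> [1, 9, 12, 1]; "1.9.12-beta.1" -> [1, 9, 12, 0], so a prerelease
// sorts below the release it precedes, as semver specifies.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Numeric component-wise compare returning -1, 0 or 1. A plain string compare
// would wrongly rank "1.9.9" above "1.9.12".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Split a resolved spec such as "@scope/name@1.2.3" at its last "@".
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) throw new Error(`bad spec: ${spec}`);
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// `resolved` maps an install path to the spec resolved there. A nested path
// such as "mermaid/dompurify" stands for a second copy that a dependency pulled
// in for itself; this shape is an assumption, not bun.lock's exact format.
// Returns every copy of a tracked package that sits below its floor.
function findVulnerable(resolved) {
  const findings = [];
  for (const [installPath, spec] of Object.entries(resolved)) {
    const { name, version } = splitSpec(spec);
    const floor = MIN_SAFE[name];
    if (floor !== undefined && compareVersions(version, floor) < 0) {
      findings.push({ path: installPath, name, version, floor });
    }
  }
  return findings.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed "before" tree mirroring the PR summary: catalog dompurify 3.3.1
// plus mermaid's own 3.3.1 copy, kilo-vscode pinned to diff ^7, and
// kilo-gateway's pinned solid-js 1.9.10 dragging in seroval 1.3.2.
const BEFORE = {
  "diff": "diff@8.0.2",
  "packages/kilo-vscode/node_modules/diff": "diff@7.0.0",
  "dompurify": "dompurify@3.3.1",
  "mermaid": "mermaid@11.0.0",
  "mermaid/dompurify": "dompurify@3.3.1",
  "yaml": "yaml@2.8.2",
  "solid-js": "solid-js@1.9.12",
  "seroval": "seroval@1.5.0",
  "packages/kilo-gateway/node_modules/solid-js": "solid-js@1.9.10",
  "packages/kilo-gateway/node_modules/seroval": "seroval@1.3.2",
};

// Constructed "after" tree: the override collapses dompurify to one copy and the
// catalog switch leaves a single solid-js/seroval pair.
const AFTER = {
  "diff": "diff@8.0.4",
  "dompurify": "dompurify@3.3.3",
  "mermaid": "mermaid@11.0.0",
  "yaml": "yaml@2.8.3",
  "solid-js": "solid-js@1.9.12",
  "seroval": "seroval@1.5.0",
};

function report(label, resolved) {
  const hits = findVulnerable(resolved);
  console.log(`${label}: ${hits.length} copies below floor`);
  for (const h of hits) console.log(`  ${h.path}: ${h.name}@${h.version} < ${h.floor}`);
  return hits;
}

report("before", BEFORE);
report("after", AFTER);
```

The point of keying on install path rather than package name is the failure mode the PR describes: the root dompurify can be at 3.3.3 while mermaid still resolves its own 3.3.1, and a name-only check would report the tree as clean. Run it against the real lockfile by feeding the resolved specs into `findVulnerable` in the same path-to-spec shape.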

@kilo-code-bot (Bot, Contributor) commented Apr 7, 2026
Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity    Count
CRITICAL    0
WARNING     1
SUGGESTION  0

Issue Details

No new issues found in the incremental diff. The previously reported package.json dependency findings are resolved.


Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File                                              Line  Issue
packages/kilo-vscode/src/agent-manager/GitOps.ts  206   Removing the background fetch from aheadBehind() makes sidebar and Agent Manager behind counts stale until the user manually refreshes remote refs.
Files Reviewed (2 files)
  • bun.lock - 0 issues
  • package.json - 0 issues

Reviewed by gpt-5.4-20260305 · 144,751 tokens

jeanduplessis and others added 3 commits April 7, 2026 10:57
- diff: catalog 8.0.2 → 8.0.4, kilo-vscode ^7.0.0 → 8.0.4
  (DoS in parsePatch/applyPatch: GHSA-73rr-hh4g-fpgx)
- dompurify: catalog + packages/ui 3.3.1 → 3.3.3
  (mutation-XSS, XSS, URI bypass: GHSA-h8r8-wccr-v5f2, GHSA-v2wj-7wpq-c8vv,
  GHSA-cjmm-f4jc-qw8r, GHSA-cj63-jhhr-wcxv)
- yaml: kilo-vscode 2.8.2 → 2.8.3
  (stack overflow via nested collections: GHSA-48c2-rrv3-qjmp)
- solid-js: catalog 1.9.10 → 1.9.12
  (fixes seroval transitively: DoS, RCE, prototype pollution)
- Add dompurify override (3.3.3) to force mermaid's transitive dep away from 3.3.1
- Switch kilo-gateway solid-js from pinned 1.9.10 to catalog (1.9.12) to eliminate seroval@1.3.2
@jeanduplessis force-pushed the security/pr5-diff-dompurify-yaml-solidjs branch from e3c6ae9 to 35b409c on April 7, 2026 09:09
@jeanduplessis merged commit 66bdbde into main Apr 7, 2026
13 checks passed
@jeanduplessis deleted the security/pr5-diff-dompurify-yaml-solidjs branch April 7, 2026 09:27
jliounis pushed a commit to jliounis/kilocode that referenced this pull request May 18, 2026
…urify-yaml-solidjs

fix: update diff, dompurify, yaml, and solid-js for security patches
3 participants