fix(security): resolve CVE-2026-1615 (jsonpath/bfj) and CVE-2024-11831 (serialize-javascript) (!1100) · Merge requests · PostgresAI / DBLab Engine

Summary

Fixes 2 of 6 open UI npm security vulnerabilities tracked in #680 (closed).

Changes

bfj@<9.1.3 → >=9.1.3 — bfj@9.1.3 removes its jsonpath transitive dependency. This eliminates the jsonpath arbitrary code execution / XSS vector (CVE-2026-1615, 🔴 Critical).
serialize-javascript@<6.0.2 → >=6.0.2 — Fixes XSS via insufficient escaping of special HTML characters in serialized output (CVE-2024-11831, 🟡 Medium).

Verified: after pnpm install, jsonpath is no longer present in pnpm-lock.yaml.

Node.js note: bfj@9.x requires Node ≥ 18. The workspace engines field still says >=16, but in practice all developers should be on Node 18+ in 2026. CI should be verified.

Remaining CVEs (tracked in #680 (closed))

CVE	Package	Status
CVE-2025-50537	`eslint-8.57.1`	Needs 8→9 migration (separate MR)
CVE-2025-14505	`elliptic-6.6.1`	No upstream fix available (6.6.1 is latest)
CVE-2025-30360	`webpack-dev-server-4.15.2`	No 4.x patch; 5.x incompatible with react-scripts
CVE-2025-30359	`webpack-dev-server-4.15.2`	Same as above (dev-only risk)

Testing

Run pnpm install in ui/ — should complete without errors
Run pnpm start:ce — app should start normally
Mend scanner should auto-close GitHub issues #285 (closed) and #229 (closed) on next scan

fix(security): resolve CVE-2026-1615 (jsonpath/bfj) and CVE-2024-11831 (serialize-javascript)

Summary

Changes

Remaining CVEs (tracked in #680 (closed))

Testing

Merge request reports