From 1961946cb674c69ee7b39cdee6bd9087477e31ab Mon Sep 17 00:00:00 2001
From: Mike Singleton
Date: Fri, 20 Mar 2026 15:27:14 -0400
Subject: [PATCH 1/3] fix: resolve CVE-2026-33036 fast-xml-parser numeric entity expansion DoS
Co-Authored-By: Claude Opus 4.6
---
 package.json | 3 ++-
 yarn.lock | 37 ++++++++++++++++++++++---------------
 2 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/package.json b/package.json
index c92831b..4fcc498 100644
--- a/package.json
+++ b/package.json
@@ -86,7 +86,8 @@
 "glob": "^10.5.0",
 "qs": "^6.14.0",
 "tar": "^7.5.11",
- "minimatch": "^9.0.7"
+ "minimatch": "^9.0.7",
+ "fast-xml-parser": "^5.5.6"
 },
 "peerDependencies": {
 "react": ">=18.0.0",
diff --git a/yarn.lock b/yarn.lock
index bf9e233..81c17b0 100644
--- a/yarn.lock
+++ b/yarn.lock
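Review bot: `fast-xml-parser` is added to `dependencies` of a package that declares `peerDependencies` on react, i.e. a published library, so every downstream consumer now installs fast-xml-parser as a runtime dependency of this package rather than only the package that actually imports it; the `undici` entry added in the same block by PATCH 2/3 has the same effect. If the intent is only to force the transitive resolution onto a patched release, a Yarn `resolutions` entry (`"resolutions": { "fast-xml-parser": "^5.5.6" }`) does that without widening the published dependency surface, and it also documents that the entry exists for a vulnerability fix rather than for code that imports it. The lockfile hunk drops the old `fast-xml-parser@npm:^5.3.6` descriptor outright instead of listing it beside the new one, which suggests the `^5.3.6` requirement came from this package.json itself rather than a transitive dependency — worth confirming the package is not now declared in two sections. Since package.json cannot carry a comment, naming the dependent that pulls in the vulnerable version in the commit message would keep the reason for the direct dependency auditable.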
@@ -6145,25 +6145,25 @@ __metadata:
 languageName: node
 linkType: hard
-"fast-xml-builder@npm:^1.1.1":
- version: 1.1.1
- resolution: "fast-xml-builder@npm:1.1.1"
+"fast-xml-builder@npm:^1.1.4":
+ version: 1.1.4
+ resolution: "fast-xml-builder@npm:1.1.4"
 dependencies:
 path-expression-matcher: ^1.1.3
- checksum: 98c3adc2ab22e3bc4737b2c329d3e6c2be12be496701441e04683b01c1daaad95f32cc2ee412d9286d64983ca5f5c683de267d26d773f1070289001d312153bd
+ checksum: 90b019ed6f52cb30342a58d4bf8726a7723b4110cb9c0fd3fa2031e87506e8b18740fd349472926c9e2925d22ca6637b6d46a20eda537473cf63366970db4d7b
 languageName: node
 linkType: hard
-"fast-xml-parser@npm:^5.3.6":
- version: 5.5.2
- resolution: "fast-xml-parser@npm:5.5.2"
+"fast-xml-parser@npm:^5.5.6":
+ version: 5.5.8
+ resolution: "fast-xml-parser@npm:5.5.8"
 dependencies:
- fast-xml-builder: ^1.1.1
- path-expression-matcher: ^1.1.3
- strnum: ^2.1.2
+ fast-xml-builder: ^1.1.4
+ path-expression-matcher: ^1.2.0
+ strnum: ^2.2.0
 bin:
 fxparser: src/cli/cli.js
- checksum: c83a95be89bf3be1374c84213bd83f77eabba77c45f65c010b3515378a2786d7322828cd1c4a8c73dd5323a5d3ac6f65a5ec76aa747ca373254bbced631fbcb0
+ checksum: 58261aaaeb355a325dc1b27ae28e6f8da55e9f8e0560dd752c8a39a4adbaebe560cbbfe924efb44ebf991dbdff76ae6f80a4900d1d03fd720509cb323263bf13
 languageName: node
 linkType: hard
@@ -9863,6 +9863,13 @@ __metadata:
 languageName: node
 linkType: hard
+"path-expression-matcher@npm:^1.2.0":
+ version: 1.2.0
+ resolution: "path-expression-matcher@npm:1.2.0"
+ checksum: 2811aab3269c288893aef09e5127124d3c434bfc7e1352fea6b7dd81ed20260001b072ff60bdcaaa393d50a4333725290dbad47bb612d95f5448e499b4ac887f
+ languageName: node
+ linkType: hard
+
 "path-key@npm:^3.0.0, path-key@npm:^3.1.0":
 version: 3.1.1
 resolution: "path-key@npm:3.1.1"
@@ -11517,10 +11524,10 @@ __metadata:
 languageName: node
 linkType: hard
-"strnum@npm:^2.1.2":
- version: 2.2.0
- resolution: "strnum@npm:2.2.0"
- checksum: cf9fda01ab16e1295db16a8f62b852fd92f3ed9ef940b4326a0053e3e658e7b35de82c2cac6ad946dcf6b6044d4d804845baae4659f7afcb4cdc3dcf2870d152
+"strnum@npm:^2.2.0":
+ version: 2.2.1
+ resolution: "strnum@npm:2.2.1"
+ checksum: 23173b1b849859b9aca0288dde36d16095b07d81995de2e2fe29ae070f2e7b4933049f2e211ba03e48152a9281108ba7d4db826a3878f099bff52a3b81f5e273
 languageName: node
 linkType: hard
From 64fc8a2482e431235dc16bc50e4f2d792b5c2678 Mon Sep 17 00:00:00 2001
From: Mike Singleton
Date: Fri, 20 Mar 2026 15:28:24 -0400
Subject: [PATCH 2/3] fix: resolve CVE-2026-1528 undici WebSocket frame length overflow DoS
Co-Authored-By: Claude Opus 4.6
---
 package.json | 3 ++-
 yarn.lock | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 4fcc498..ee9b03f 100644
--- a/package.json
+++ b/package.json
@@ -87,7 +87,8 @@
 "qs": "^6.14.0",
 "tar": "^7.5.11",
 "minimatch": "^9.0.7",
- "fast-xml-parser": "^5.5.6"
+ "fast-xml-parser": "^5.5.6",
+ "undici": "^6.24.0"
 },
 "peerDependencies": {
 "react": ">=18.0.0",
diff --git a/yarn.lock b/yarn.lock
index 81c17b0..e0a44c0 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11901,10 +11901,10 @@ __metadata:
 languageName: node
 linkType: hard
-"undici@npm:6.23.0":
- version: 6.23.0
- resolution: "undici@npm:6.23.0"
- checksum: f0953920330375e76d1614381af07da9d7c21ad3244d0785b3f7bd4072635c20a1f432ef3a129baa3e4a92278ce32e9ea2ca8b5f0e0554a5739222af332c08fe
+"undici@npm:^6.24.0":
+ version: 6.24.1
+ resolution: "undici@npm:6.24.1"
+ checksum: 0baa81ede2b0deb9002692c4d614cdffb2c8c27bb41e4ce7380f95b4468ebb6fd9745b7a6da32b0cdf05b1554bd5e5a47a80babb0e5ca9d59401efe372d975ed
 languageName: node
 linkType: hard
From 8019c8f06128577eb3b13da8fa81293ec2a83dbe Mon Sep 17 00:00:00 2001
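Review bot: Adding `"undici": "^6.24.0"` as a top-level dependency does not override an exact transitive pin, yet the yarn.lock hunk in this patch replaces the exact descriptor `undici@npm:6.23.0` outright rather than leaving a second undici entry beside the new one; the two observations only reconcile if the `6.23.0` pin lived in this repository's own package.json, and the hunk shows just the `dependencies` block. It is worth confirming that no other section still declares `"undici": "6.23.0"` and that no transitive dependency still resolves the vulnerable version after the bump — `yarn why undici` shows every resolution in the tree. If the old pin does turn out to be transitive, a `resolutions` entry in package.json is the lever that actually moves it, and the direct dependency added here would be redundant.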
From: Mike Singleton
Date: Fri, 20 Mar 2026 15:29:27 -0400
Subject: [PATCH 3/3] fix: resolve CVE-2026-33210 json gem format string injection
Co-Authored-By: Claude Opus 4.6
---
 examples/SimpleExample/Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/SimpleExample/Gemfile.lock b/examples/SimpleExample/Gemfile.lock
index 767ff2b..84352d2 100644
--- a/examples/SimpleExample/Gemfile.lock
+++ b/examples/SimpleExample/Gemfile.lock
@@ -86,7 +86,7 @@ GEM
 mutex_m
 i18n (1.14.8)
 concurrent-ruby (~> 1.0)
- json (2.18.1)
+ json (2.19.2)
 logger (1.7.0)
 minitest (6.0.1)
 prism (~> 1.5)