Compare commits

10 Commits

Author | SHA1 | Message | Date

github-actions[bot] | 92818294cf | chore(release): Update version to v1.4.395 | 2026-01-25 23:18:34 +00:00

Kayvan Sylvan | 1af12c5d98 | Merge pull request #1972 from ksylvan/kayvan/more-dependabot-fixes | 2026-01-25 15:16:14 -08:00
    More node package updates: remove cn, fix string and request vulnerabilities

Kayvan Sylvan | f80663c771 | chore: incoming 1972 changelog entry | 2026-01-25 15:12:45 -08:00

Kayvan Sylvan | 5d93f126d4 | security: remove cn package to fix string and request vulnerabilities | 2026-01-25 15:07:41 -08:00
    Removes the cn (Chuck Norris jokes) package which was pulling in
    vulnerable versions of string and request packages with no patches
    available. This resolves 5 Dependabot alerts:
    - Alert #52: string package (HIGH) - ReDoS
    - Alert #35: string package (HIGH) - ReDoS
    - Alert #61: request package (MEDIUM) - SSRF
    - Alert #44: request package (MEDIUM) - SSRF
    - Alert #38: request package (MEDIUM) - Remote Memory Exposure

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

github-actions[bot] | 4d60f24517 | chore(release): Update version to v1.4.394 | 2026-01-25 22:49:06 +00:00

Kayvan Sylvan | c902e34f0f | Merge pull request #1971 from ksylvan/kayvan/dependabot-security-fixes | 2026-01-25 14:46:46 -08:00
    Security fix high medium low priority dependabot alerts for npm dependencies

Kayvan Sylvan | b41bd17caf | chore: incoming 1971 changelog entry | 2026-01-25 14:44:08 -08:00

Kayvan Sylvan | 876f2ab82e | Merge branch 'main' into kayvan/dependabot-security-fixes | 2026-01-25 14:38:47 -08:00

Kayvan Sylvan | 5220f89706 | security: fix low severity @eslint/plugin-kit ReDoS vulnerability | 2026-01-25 14:36:47 -08:00
    Fix Dependabot alert #94 (LOW):
    - @eslint/plugin-kit vulnerability: Regular Expression Denial of Service
      through ConfigCommentParser
    - Updated from 0.2.8 (vulnerable) to 0.5.1 via pnpm/npm overrides

    Build verified successful. All tests pass.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Kayvan Sylvan | f151646838 | security: fix medium severity esbuild vulnerability | 2026-01-25 14:26:27 -08:00
    Fix Dependabot alert #76 (MEDIUM):
    - esbuild vulnerability: allows any website to send requests to
      development server and read responses
    - Updated from 0.21.5 (vulnerable) to 0.27.2 via pnpm/npm overrides

    Build verified successful. All tests pass.

    Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
7 changed files with 687 additions and 1499 deletions

@@ -1,5 +1,23 @@
# Changelog
## v1.4.395 (2026-01-25)
### PR [#1972](https://github.com/danielmiessler/Fabric/pull/1972) by [ksylvan](https://github.com/ksylvan): More node package updates: remove cn, fix string and request vulnerabilities
- Removed cn (Chuck Norris jokes) package to resolve security vulnerabilities
- Fixed 5 Dependabot alerts including ReDoS vulnerabilities in string package and SSRF/Remote Memory Exposure issues in request package
- Enhanced security posture by eliminating vulnerable dependencies with no available patches
## v1.4.394 (2026-01-25)
### PR [#1971](https://github.com/danielmiessler/Fabric/pull/1971) by [ksylvan](https://github.com/ksylvan): Security fix high medium low priority dependabot alerts for npm dependencies
- Fixed medium severity esbuild vulnerability that allowed websites to send requests to development server and read responses
- Updated esbuild from vulnerable version 0.21.5 to secure version 0.27.2
- Fixed low severity @eslint/plugin-kit ReDoS vulnerability through ConfigCommentParser
- Updated @eslint/plugin-kit from vulnerable version 0.2.8 to secure version 0.5.1
- Verified all builds and tests pass successfully after security updates
## v1.4.393 (2026-01-25)
### PR [#1969](https://github.com/danielmiessler/Fabric/pull/1969) by [ksylvan](https://github.com/ksylvan): Critical and High Impact NPM dependabot issues fixed
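Review bot: the v1.4.394 heading carries the PR title "Security fix high medium low priority dependabot alerts", but the bullets under it cover only the medium (esbuild, alert #76) and low (@eslint/plugin-kit, alert #94) fixes; the critical and high items sit under v1.4.393 / PR #1969, so the heading or a first bullet should say so, otherwise a reader hunting for the high-severity fix looks in the wrong release. The bullet "Verified all builds and tests pass successfully after security updates" records the review process rather than a change and is better left out of the changelog. The v1.4.395 entry would also be more useful if it listed the closed alerts the way the commit body does (#52, #35, #61, #44, #38), so each resolved advisory is traceable from the release notes.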

@@ -1,3 +1,3 @@
package main
var version = "v1.4.393"
var version = "v1.4.395"

Binary file not shown.

@@ -1 +1 @@
"1.4.393"
"1.4.395"

web/package-lock.json (generated; 1469 changed lines; diff suppressed because it is too large)

@@ -59,12 +59,13 @@
"mime": ">=1.4.1",
"hoek": ">=4.2.1",
"cookie": ">=0.7.0",
"tough-cookie": ">=4.1.3"
"tough-cookie": ">=4.1.3",
"esbuild": ">=0.25.0",
"@eslint/plugin-kit": ">=0.3.4"
},
"dependencies": {
"@floating-ui/dom": "^1.7.0",
"clsx": "^2.1.1",
"cn": "^0.1.1",
"date-fns": "^4.1.0",
"highlight.js": "^11.11.1",
"marked": "^15.0.12",
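Review bot: the new `overrides` floors (`"esbuild": ">=0.25.0"`, `"@eslint/plugin-kit": ">=0.3.4"`) are the minimum patched versions rather than the 0.27.2 and 0.5.1 the commit messages report as installed; a floor is fine, but since both lockfile diffs on this page are suppressed, the resolved versions cannot be confirmed from this view, so the PR description should quote the `pnpm why esbuild` / `pnpm why @eslint/plugin-kit` output (or the relevant lockfile lines) showing what actually resolved. Dropping `"cn": "^0.1.1"` from `dependencies` is the right call for a transitive chain with no patch available, but no source change accompanies it in this compare, so confirm that nothing in the web app's sources still imports `cn` before merging rather than relying on the build to catch it.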
@@ -94,7 +95,9 @@
"tough-cookie@<4.1.3": ">=4.1.3",
"nanoid@<3.3.8": ">=3.3.8",
"form-data@<2.5.4": ">=2.5.4",
"glob@>=10.2.0 <10.5.0": ">=10.5.0"
"glob@>=10.2.0 <10.5.0": ">=10.5.0",
"esbuild@<=0.24.2": ">=0.25.0",
"@eslint/plugin-kit@<0.3.4": ">=0.3.4"
},
"onlyBuiltDependencies": [
"esbuild",
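Review bot: the `pnpm.overrides` selector `"esbuild@<=0.24.2": ">=0.25.0"` is narrower than the unconditional `"esbuild": ">=0.25.0"` in the npm `overrides` block above; a patch release on the 0.24 line above 0.24.2 would escape the pnpm rule while the npm rule would still raise it, so use `"esbuild@<0.25.0": ">=0.25.0"` (the same form as the `"@eslint/plugin-kit@<0.3.4": ">=0.3.4"` entry) to keep the two override mechanisms equivalent. Because the project ships both package-lock.json and pnpm-lock.yaml, every future override has to be added to both blocks, as this change does.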

web/pnpm-lock.yaml (generated; 686 changed lines; diff suppressed because it is too large)