fix: upgrade liquidjs 10.25.2 → 10.25.5 (security)#21860

Merged
rephus merged 1 commit into main from snyk-fix-5318e02eef9d513a999f8313b5bfb0b9 on Apr 10, 2026

Conversation

@owlas owlas commented Apr 8, 2026

Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • packages/common/package.json
⚠️ Warning
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue
  • medium severity: Improperly Implemented Security Check for Standard (SNYK-JS-LIQUIDJS-15930991)
  • medium severity: Directory Traversal (SNYK-JS-LIQUIDJS-15930992)

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

github-actions Bot commented Apr 8, 2026

🧪 Test Selection

✅ Tests that will run

Test                  Description
Preview Environment   Deploys a preview environment for testing
Frontend E2E Tests    Runs Cypress app tests
Backend API Tests     Runs Vitest API tests
CLI Tests             Runs CLI integration and dbt version tests

⏭️ Tests skipped (no relevant file changes detected)

Test             How to trigger manually
Timezone Tests   Add test-timezone to PR description

Tip: Add test-all to your PR description to run all tests.

github-actions Bot commented Apr 8, 2026

Your preview environment pr-21860 has been deployed with errors.

@rephus rephus changed the title from "[Snyk] Security upgrade liquidjs from 10.25.2 to 10.25.5" to "fix: upgrade liquidjs 10.25.2 → 10.25.5 (security)" on Apr 10, 2026
Fixes SNYK-JS-LIQUIDJS-15953364 (high, symlink following) and one
additional vuln fixed in 10.25.4 (sort/sort_natural filter bypass).

Changelog 10.25.2 → 10.25.5:
- 10.25.3: use realpath for fs.contains (symlink CVE fix),
  precise memoryLimit for string replace
- 10.25.4: sort/sort_natural filters bypass ownPropertyOnly fix
- 10.25.5: enforce root containment for renderFile/parseFile lookups,
  null date returns empty, rounding negative away from zero fix

No API changes, no breaking behavior. Patch-level bumps only.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@rephus rephus force-pushed the snyk-fix-5318e02eef9d513a999f8313b5bfb0b9 branch from c24c94c to ba1f5e0 on April 10, 2026 06:35
rephus commented Apr 10, 2026

Vulnerability Fix Analysis

Lockfile

✅ Regenerated and pushed (rebased onto current main)

Dependency Changes

Package    Old Version   New Version   Risk         Notes
liquidjs   10.25.2       10.25.5       🟢 No risk   Patch bumps only, security + bug fixes

Breaking Changes Analysis

liquidjs (10.25.2 → 10.25.5)

  • Changelog: harttle/liquidjs@v10.25.2...v10.25.5
  • Breaking changes: None
  • Key commits:
    • 529dd67 fix: use realpath for fs.contains — symlink CVE fix (SNYK-JS-LIQUIDJS-15953364)
    • e743da0 fix: sort/sort_natural filters bypass ownPropertyOnly — second security fix
    • f41c1fc fix: enforce root containment for renderFile/parseFile lookups — path traversal hardening
    • 4f9a499 fix: null date should return empty
    • 1cdf10b fix: rounding negative away from zero when half
    • abc058b fix: precise memoryLimit for string replace
  • Our usage: Liquid class + TokenKind in packages/common/src/templating/liquidSql.ts and template.ts. No renderFile/parseFile/sort_natural usage visible — purely in-memory template rendering.
  • Impact: None. All fixes are defensive hardening or edge-case corrections that don't affect our usage pattern.

Recommendation

Safe to merge. Three patch bumps (10.25.3/4/5), all security + bug fixes, no API changes. Lockfile shows single liquidjs@10.25.5 with no stale references.


🤖 Generated with Claude Code

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff      Package                      Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated   liquidjs@10.25.2 ⏵ 10.25.5   96                      100 (+20)       100       93            100

View full report

@rephus rephus merged commit bb9cdfd into main Apr 10, 2026
10 of 11 checks passed
@rephus rephus deleted the snyk-fix-5318e02eef9d513a999f8313b5bfb0b9 branch April 10, 2026 06:41
lightdash-bot pushed a commit that referenced this pull request Apr 10, 2026
## [0.2746.1](0.2746.0...0.2746.1) (2026-04-10)

### Bug Fixes

* upgrade liquidjs 10.25.2 → 10.25.5 (security) ([#21860](#21860)) ([bb9cdfd](bb9cdfd))
@lightdash-bot

🎉 This PR is included in version 0.2746.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
