joggrdocs · zrosenbauer · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026
diff --git a/.changeset/fix-security-vulnerabilities.md b/.changeset/fix-security-vulnerabilities.md
@@ -0,0 +1,5 @@
+---
+"@kidd-cli/cli": patch
+---
+
+Fix security vulnerabilities in dependencies: upgrade liquidjs to >=10.25.7 (DoS via circular block reference), add pnpm overrides for tar (path traversal), vite (fs.deny bypass, file read, path traversal), postcss (XSS), fast-xml-parser (injection), and uuid (buffer bounds check)
diff --git a/package.json b/package.json
@@ -50,6 +50,7 @@
     "rimraf": "^6.1.3",
     "ts-pattern": "catalog:",
     "turbo": "^2.9.6",
+    "vite": "^8.0.10",
     "vitest": "catalog:",
     "yaml": "catalog:"
   },
@@ -61,7 +62,13 @@
   "pnpm": {
     "overrides": {
       "@rspack/core": "2.0.0-beta.3",
-      "@rspack/binding": "2.0.0-beta.3"
+      "@rspack/binding": "2.0.0-beta.3",
+      "tar": "^7.5.13",
+      "vite": "^8.0.10",
+      "postcss": "^8.5.10",
+      "liquidjs": "^10.25.7",
+      "fast-xml-parser": "^5.7.1",
+      "uuid": "^14.0.0"
     }
   }
 }