Summary

Resolves three security vulnerabilities identified by Dependabot:

• CVE-2025-9287 (Critical): cipher-base missing type checks, leading to hash rewind and passing on crafted data

  • Upgraded from 1.0.4 → 1.0.7 via yarn resolution
  • Closes https://github.com/getditto/react-ditto/security/dependabot/179

• CVE-2025-9288 (Critical): sha.js missing type checks leading to hash rewind and passing on crafted data

  • Upgraded from 2.4.11 → 2.4.12 via yarn resolution
  • Closes https://github.com/getditto/react-ditto/security/dependabot/180

• CVE-2025-64756 (High): glob CLI command injection via -c/--cmd executes matches with shell:true (affects glob >= 11.0.0, < 11.1.0)

  • Pinned glob to 7.2.3 via yarn resolution to prevent vulnerable 11.0.0 from ever being installed
  • Downgraded rimraf from 6.1.2 → 3.0.2 for compatibility with glob 7.x
  • Closes https://github.com/getditto/react-ditto/security/dependabot/191

Changes

• Added yarn resolutions for cipher-base (^1.0.5), sha.js (^2.4.12), and glob (^7.2.3)
• Downgraded rimraf devDependency from 6.1.2 → 3.0.2 to maintain compatibility with glob 7.x
  • Rimraf 6.x requires glob 11+ or 13+, which are incompatible with Karma 6.4.4
  • Rimraf 3.x uses glob 7.x, which is compatible with all our dependencies

Test Plan

• Verified yarn install completes successfully
• Ran yarn build - build completed successfully
• Ran yarn test - all 49 tests passed
• Ran yarn docs:generate - documentation generated successfully
• Verified yarn why cipher-base shows version 1.0.7
• Verified yarn why sha.js shows version 2.4.12
• Verified yarn why glob shows version 7.2.3 (safe from CVE-2025-64756)