fix(deps): liquidjs — GHSA-v273-448j-v4qj (medium)#4094

Open
kemister85 wants to merge 2 commits into main from dependabot-autopilot/alert-94

Conversation

@kemister85 (Contributor)
⚠️ Generated by dependabot-autopilot — human review required before merge. Do not auto-merge.

What was run

This branch was produced by dependabot-autopilot, an autonomous agent that:

  1. Cloned the repo from main
  2. Analysed the Dependabot advisory and the project's manifest
  3. Edited package.json with the minimal change to resolve the vulnerability (the agent has no shell / no network access — it can only read and edit files in the workspace)
  4. Re-ran yarn install so the lockfile reflects the fix
  5. Ran the full validation suite below and only pushed the branch once validation completed
  6. Opened this PR for human review — it will never be auto-merged by the tool

Advisory

  • Alert: Update bower.md #94
  • Advisory: GHSA-v273-448j-v4qj
  • Package: liquidjs
  • Severity: medium
  • Vulnerable range: <= 10.25.4
  • Patched in: 10.25.5
  • Summary: LiquidJS: renderFile() / parseFile() bypass configured root and allow arbitrary file read

Agent summary

Perfect! I have successfully fixed Dependabot alert #94 by adding a Yarn resolutions field to package.json that forces the use of liquidjs version 10.25.5 or later, which is the first patched version that fixes the security vulnerability GHSA-v273-448j-v4qj.

Summary

I fixed Dependabot alert #94 by adding a resolutions field to package.json that overrides the transitive liquidjs dependency (coming from @tinymce/antora-extension-livedemos) to use version 10.25.5 or later. The vulnerability (GHSA-v273-448j-v4qj) affects all liquidjs versions ≤10.25.4 and allows renderFile()/parseFile() to bypass the configured root directory for arbitrary file reads. Since the direct dependency @tinymce/antora-extension-livedemos@0.1.0 specifies liquidjs ^9.37.0, which only allows 9.x versions, the Yarn resolutions mechanism is required to force the use of the patched 10.25.5+ version without waiting for an upstream package update.

Validation results

| Stage | Result | Duration | Notes |
| --- | --- | --- | --- |
| yarn install (regenerates lockfile) | ✅ pass | 35.7s | Ensures the dependency change actually takes effect |
| yarn build:production (Antora build) | ✅ pass | 46.6s | Full site build must succeed |
| Playwright smoke (/ + dynamically discovered internal link) | ✅ pass | 3.1s | Real Chromium, HTTP 200 + rendered content |

All validation stages passed on the patched code. This is still a draft-level change — please review the diff and advisory link before merging.

Visual evidence: 2 Playwright screenshots were captured during the smoke test. They are visible on the autopilot dashboard at the run detail page.

Validation log (tail)
=== stage: yarn install ===
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 35.52s.


=== stage: yarn build:production ===
o missing attribute: version"}
{"level":"warn","time":1776817358704,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776817358704,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776817358705,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776817358706,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776817358712,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776817358714,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776817358714,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
Done in 46.47s.


=== stage: playwright smoke ===
GET http://127.0.0.1:4000/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/89/screenshot/01-root.png
  deep page: /tinymce/latest/
GET http://127.0.0.1:4000/tinymce/latest/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/89/screenshot/02-deep.png
Diff summary
commit c7354581c579f7d32d0a0f00598fa321b70459cf
Author: dependabot-autopilot <dependabot-autopilot@users.noreply.github.com>
Date:   Wed Apr 22 00:22:57 2026 +0000

    chore(deps): regenerate yarn.lock

 yarn.lock | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
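Review bot: the diffstat lists only yarn.lock (11 insertions, 4 deletions), yet the description says package.json was edited to add a resolutions entry forcing liquidjs to 10.25.5 or later. The PR carries 2 commits, so the manifest change may sit in the other one; before merging, confirm that the resolutions field is actually present on the branch and that the lockfile's liquidjs entry now resolves to 10.25.5 rather than a 9.x version, because a regenerated lockfile without the override would leave the transitive ^9.37.0 range from @tinymce/antora-extension-livedemos in place and the alert unfixed.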


Do not auto-merge this PR. Every change here must be reviewed by a human.
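The check a reviewer would want before trusting an override like this one, as an added example that is not code from this PR, from dependabot-autopilot, or from the liquidjs or tinymce projects: parse the regenerated yarn.lock, list every resolved copy of liquidjs that is still below the advisory's first patched version, and flag consumers whose declared range was pushed across a major boundary by the override. Both lockfiles below are constructed for illustration, and the assumed manifest edit is a `"resolutions": { "liquidjs": "^10.25.5" }` entry (the PR says "10.25.5 or later" without showing the exact range).

```javascript
// Added example, not code from this PR or from the liquidjs / tinymce projects.
// Verifies that a Yarn v1 "resolutions" override really took effect by parsing
// the regenerated yarn.lock and comparing each resolved copy of a package with
// the advisory's first patched version. Lockfile contents are constructed.

const PATCHED = "10.25.5"; // first fixed version per GHSA-v273-448j-v4qj

// Constructed yarn.lock (v1) before the override: only a 9.x copy is installed.
const LOCK_BEFORE = `# yarn lockfile v1

"@tinymce/antora-extension-livedemos@0.1.0":
  version "0.1.0"
  dependencies:
    liquidjs "^9.37.0"

liquidjs@^9.37.0:
  version "9.43.0"
  resolved "https://registry.yarnpkg.com/liquidjs/-/liquidjs-9.43.0.tgz"
`;

// Constructed yarn.lock after `yarn install` with resolutions { liquidjs: "^10.25.5" }:
// the consumer's ^9.37.0 range and the override collapse onto one 10.25.5 entry.
const LOCK_AFTER = `# yarn lockfile v1

"@tinymce/antora-extension-livedemos@0.1.0":
  version "0.1.0"
  dependencies:
    liquidjs "^9.37.0"

liquidjs@^10.25.5, liquidjs@^9.37.0:
  version "10.25.5"
  resolved "https://registry.yarnpkg.com/liquidjs/-/liquidjs-10.25.5.tgz"
`;

// Minimal yarn v1 lockfile parser: an unindented line ending in ":" opens an
// entry whose comma-separated specs may be quoted; the indented `version` line
// under it is the resolved version. Returns [{ specs: [...], version }].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Package name from a spec such as "liquidjs@^9.37.0" or "@scope/name@1.0.0".
function specName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Numeric major.minor.patch comparison; negative when a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every resolved copy of `name` whose version is still below `patched`.
// Non-empty means the alert is not actually fixed, whatever package.json says.
function vulnerableCopies(lockText, name, patched) {
  return parseYarnLock(lockText)
    .filter((e) => e.version && e.specs.some((s) => specName(s) === name))
    .filter((e) => compareVersions(e.version, patched) < 0)
    .map((e) => ({ specs: e.specs, version: e.version }));
}

// Consumer ranges that the override pushed across a major boundary (e.g. a
// declared ^9.37.0 now resolving to 10.x). Install succeeds, but that consumer
// was never tested against the new major, so the build and smoke stages matter.
function crossMajorOverrides(lockText, name) {
  return parseYarnLock(lockText)
    .filter((e) => e.version && e.specs.some((s) => specName(s) === name))
    .flatMap((e) =>
      e.specs
        .filter((s) => specName(s) === name)
        .map((s) => s.slice(specName(s).length + 1)) // range part, e.g. "^9.37.0"
        .filter((r) => /^[\^~]?\d/.test(r) && r.replace(/^[\^~]/, "").split(".")[0] !== e.version.split(".")[0])
        .map((r) => ({ range: r, resolved: e.version }))
    );
}
```

Run it against the real yarn.lock by reading the file into `vulnerableCopies(text, "liquidjs", "10.25.5")`: an empty result is the evidence that the resolutions override landed, and a non-empty `crossMajorOverrides` result is the reason a green `yarn install` alone is not enough, since @tinymce/antora-extension-livedemos was written against liquidjs 9.x and is now being handed 10.x at runtime.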

@kemister85 kemister85 requested a review from a team as a code owner April 22, 2026 00:23
@kemister85 kemister85 added the dependabot-autopilot Autonomously-drafted dependency fix — review required before merge label Apr 22, 2026
@kemister85 kemister85 requested a review from LawlesslyBee April 22, 2026 00:23
@kemister85 kemister85 added this to the dependabot-autopilot milestone Apr 22, 2026