npm - cosmos-docusaurus-theme - Versions diffs - 2.1.2 → 2.1.4 - Mend

cosmos-docusaurus-theme 2.1.2 → 2.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/CHANGELOG.md +24 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,30 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 ---
+## [2.1.4] — 2026-03-17
+### Security
+- **Dockerfile**: add `apk upgrade --no-cache` (fixes zlib CVE-2026-22184 CRITICAL)
+- **demo**: add overrides for `cross-spawn`, `glob`, `minimatch`, `tar`
+  (actual installed versions are patched; overrides force resolution to fixed versions)
+- **`.trivyignore`**: suppress Trivy false positives where nested `package.json`
+  version specs are read instead of actual installed (overridden) versions
+- **publish.yml**: pass `trivyignore` path to `trivy-action`
+---
+## [2.1.3] — 2026-03-17
+### Security
+- **Dockerfile**: base image `node:20.19-alpine3.21` → `node:20.20.1-alpine3.23`
+  (fixes CVE-2025-15467 CRITICAL + 4 HIGH in `libcrypto3`/`libssl3`)
+- **demo**: force `serialize-javascript ^7.0.4` via `overrides`
+  (fixes HIGH in webpack transitive chain — Docusaurus 3.9 ships vulnerable version)
+---
 ## [2.1.2] — 2026-03-17
 ### Fixed

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cosmos-docusaurus-theme",
-  "version": "2.1.2",
+  "version": "2.1.4",
   "description": "A clean, dark-first Docusaurus theme aligned with the Rackscope Void/Slate design system — CSS-only, IBM Plex Mono + Outfit typography, brand indigo",
   "keywords": [
     "docusaurus",