From 7c8b6cb909b6ef819f447236a25a7f6d81d19416 Mon Sep 17 00:00:00 2001
From: Michael Herzog
Date: Thu, 28 May 2026 17:10:45 +0200
Subject: [PATCH 1/3] Update changelog.js Switch from `execSync()` to `execFileSync()` to resolve security issue.
---
 utils/changelog.js | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/utils/changelog.js b/utils/changelog.js
index 1ab06252e31d0f..554f997e4f585f 100644
--- a/utils/changelog.js
+++ b/utils/changelog.js
@@ -1,4 +1,4 @@
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 // Path-based categories (used as fallback for non-JS files)
 // Ordered from most specific to least specific
@@ -46,11 +46,11 @@ const skipAuthors = new Set( [ 'dependabot', 'app/renovate', 'renovate[bot]' ] )
 // Categories that map to sections
 const sectionCategories = [ 'Docs', 'Manual', 'Examples', 'Devtools', 'Editor', 'Tests', 'Utils', 'Build' ];
-function exec( command ) {
+function exec( file, args ) {
 try {
- return execSync( command, { encoding: 'utf8', maxBuffer: 50 * 1024 * 1024 } ).trim();
+ return execFileSync( file, args, { encoding: 'utf8', maxBuffer: 50 * 1024 * 1024, stdio: [ 'ignore', 'pipe', 'ignore' ] } ).trim();
 } catch ( error ) {
@@ -63,7 +63,7 @@ function exec( command ) {
 function getCommitsBetweenTags( fromTag, toTag ) {
 // Get commits between tags (exclusive fromTag, inclusive toTag), oldest first, excluding merge commits
- const log = exec( `git log ${fromTag}..${toTag} --no-merges --reverse --format="%H|%s|%an"` );
+ const log = exec( 'git', [ 'log', `${fromTag}..${toTag}`, '--no-merges', '--reverse', '--format=%H|%s|%an' ] );
 if ( ! log ) return [];
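Review bot: `stdio: [ 'ignore', 'pipe', 'ignore' ]` in the new `exec()` (hunk `@@ -46,11 +46,11 @@`) discards stderr for every child process, whereas the old code redirected it only for the `gh` calls (`2>/dev/null`) and left git's diagnostics visible. Unless the `catch` block, whose body lies outside this hunk, reports the failure, a failing git command now leaves no trace beyond what is presumably a falsy return value. Consider making the suppression opt-in, e.g. `function exec( file, args, quiet = false )` with `stdio: [ 'ignore', 'pipe', quiet ? 'ignore' : 'inherit' ]`, and passing `true` from the `gh` call sites. A short JSDoc stating that `args` reaches the program as an argv array without a shell would also record why `execFileSync()` is used here.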
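Review bot: Passing `${fromTag}..${toTag}` as a single argv element in `getCommitsBetweenTags()` (hunk `@@ -63,7 +63,7 @@`) removes shell interpretation, but git still treats any argument that begins with `-` as an option, so the tag values remain unchecked input to git's own option parser. Where the tags originate is not visible in this patch; if they come from the command line, validate them once before the first git call, for example `if ( ! /^r\d+$/.test( tag ) )` in `validateEnvironment()` (the `r${version - 1}` line there suggests that format), or move the options first and put `'--end-of-options'` directly before the revision argument. The same applies to `hash` in the `diff-tree` and `log -1` calls and to `tag` / `previousTag` in the two `rev-parse --verify` hunks.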
@@ -78,21 +78,21 @@ function getCommitsBetweenTags( fromTag, toTag ) {
 function getChangedFiles( hash ) {
- const files = exec( `git diff-tree --no-commit-id --name-only -r ${hash}` );
+ const files = exec( 'git', [ 'diff-tree', '--no-commit-id', '--name-only', '-r', hash ] );
 return files ? files.split( '\n' ).filter( Boolean ) : [];
 }
 function getCoAuthorsFromPR( prNumber ) {
- const result = exec( `gh pr view ${prNumber} --json commits --jq '[.commits[].authors[].login] | unique | .[]' 2>/dev/null` );
+ const result = exec( 'gh', [ 'pr', 'view', prNumber, '--json', 'commits', '--jq', '[.commits[].authors[].login] | unique | .[]' ] );
 return result ? result.split( '\n' ).filter( Boolean ) : [];
 }
 function getCoAuthorsFromCommit( hash ) {
- const body = exec( `git log -1 --format="%b" ${hash}` );
+ const body = exec( 'git', [ 'log', '-1', '--format=%b', hash ] );
 const regex = /Co-authored-by:\s*([^<]+)\s*<[^>]+>/gi;
 return [ ...body.matchAll( regex ) ].map( m => normalizeAuthor( m[ 1 ].trim() ) );
@@ -108,7 +108,7 @@ function extractPRNumber( subject ) {
 function getPRInfo( prNumber ) {
- const result = exec( `gh pr view ${prNumber} --json author,title,files --jq '{author: .author.login, title: .title, files: [.files[].path]}' 2>/dev/null` );
+ const result = exec( 'gh', [ 'pr', 'view', prNumber, '--json', 'author,title,files', '--jq', '{author: .author.login, title: .title, files: [.files[].path]}' ] );
 try {
@@ -354,7 +354,7 @@ function addToGroup( groups, key, value ) {
 function validateEnvironment( tag ) {
- if ( ! exec( 'gh --version 2>/dev/null' ) ) {
+ if ( ! exec( 'gh', [ '--version' ] ) ) {
 console.error( 'GitHub CLI (gh) is required but not installed.' );
 console.error( 'Install from: https://cli.github.com/' );
@@ -371,7 +371,7 @@ function validateEnvironment( tag ) {
 }
 // Verify the tag exists
- const resolved = exec( `git rev-parse --verify ${tag}` );
+ const resolved = exec( 'git', [ 'rev-parse', '--verify', tag ] );
 if ( ! resolved ) {
@@ -384,7 +384,7 @@ function validateEnvironment( tag ) { const version = parseInt( tag.replace( 'r', '' ) ); const previousTag = `r${version - 1}`; - const previousResolved = exec( `git rev-parse --verify ${previousTag}` ); + const previousResolved = exec( 'git', [ 'rev-parse', '--verify', previousTag ] ); if ( ! previousResolved ) { From bea0fa775817a8b1a25656ce0396e67580557f02 Mon Sep 17 00:00:00 2001 From: Michael Herzog Date: Thu, 28 May 2026 17:14:48 +0200 Subject: [PATCH 2/3] Update package-lock.json Integrate `npm audit fix`. --- package-lock.json | 45 +++------------------------------------------ 1 file changed, 3 insertions(+), 42 deletions(-) diff --git a/package-lock.json b/package-lock.json index 109911e1f5146e..ea78fd8bc1ad8c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -596,9 +596,6 @@ "arm" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -613,9 +610,6 @@ "arm" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -630,9 +624,6 @@ "arm64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -647,9 +638,6 @@ "arm64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -664,9 +652,6 @@ "loong64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -681,9 +666,6 @@ "loong64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -698,9 +680,6 @@ "ppc64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -715,9 +694,6 @@ "ppc64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -732,9 +708,6 @@ "riscv64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -749,9 +722,6 @@ "riscv64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ 
@@ -766,9 +736,6 @@ "s390x" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -783,9 +750,6 @@ "x64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -800,9 +764,6 @@ "x64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -3357,9 +3318,9 @@ "license": "ISC" }, "node_modules/ws": { - "version": "8.20.0", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz", - "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==", + "version": "8.21.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz", + "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==", "dev": true, "license": "MIT", "engines": { From 1b35c219758d383e4a5eb09f02759814c5cc99c2 Mon Sep 17 00:00:00 2001 From: Sean Curtis Date: Thu, 28 May 2026 10:18:32 -0700 Subject: [PATCH 3/3] Allow ObjectLoader to use custom loading managers in sync'd image loads (#33669) --- src/loaders/ObjectLoader.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/loaders/ObjectLoader.js b/src/loaders/ObjectLoader.js index f0ad35d2bb6bd9..318df4e55bea06 100644 --- a/src/loaders/ObjectLoader.js +++ b/src/loaders/ObjectLoader.js @@ -459,6 +459,8 @@ class ObjectLoader extends Loader { function loadImage( url ) { + url = scope.manager.resolveURL( url ); + scope.manager.itemStart( url ); return loader.load( url, function () {
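Review bot: `url = scope.manager.resolveURL( url );` in `loadImage()` hands an already resolved URL to `loader.load( url, … )`; if that loader resolves its input through the same manager (its implementation is not part of this hunk), a URL modifier set on a custom manager runs twice, which breaks modifiers that are not idempotent, such as one that prepends a base path. If the intent is only that the manager bookkeeping uses the resolved key, keep the two values apart with `const resolvedURL = scope.manager.resolveURL( url );` and `scope.manager.itemStart( resolvedURL );`, leaving the `loader.load( url, … )` argument unchanged. This also avoids reassigning the parameter. `loadImage()` continues past the end of the hunk, and any callbacks there that report completion or errors to the manager would need the same key.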