
fix(deps): update dependency liquidjs to v10.25.0 [security] #862

Merged: renovate[bot] merged 1 commit into main from renovate/npm-liquidjs-vulnerability on Mar 10, 2026

Conversation

@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

Package  | Change            | Age | Confidence
liquidjs | 10.24.0 → 10.25.0 | age | confidence

GitHub Vulnerability Alerts

CVE-2026-30952

Impact

The layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables when dynamicPartials: true is enabled). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable.

Patches

The issue is fixed via #855 and published version 10.25.0 on npm.

Workarounds

Change the files at build time

At build time, through a shell script or the Webpack string-replace-loader, change the content of the corresponding file (depending on your package type; for CommonJS it's dist/liquid.node.js) under dist/:

  if (fs.fallback !== undefined) {
    const filepath = fs.fallback(file)
-   if (filepath !== undefined) yield filepath
+   if (filepath !== undefined) {
+     for (const dir of dirs) {
+       if (!enforceRoot || this.contains(dir, filepath)) {
+         yield filepath
+         break
+       }
+     }
    }
  }
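Review bot: when `enforceRoot` is false the new loop still yields nothing if `dirs` is empty, whereas the replaced `if (filepath !== undefined) yield filepath` yielded the fallback unconditionally; if an empty `dirs` can occur, hoist the bypass out of the loop (`if (!enforceRoot) { yield filepath } else { for (const dir of dirs) { if (this.contains(dir, filepath)) { yield filepath; break } } }`) so the root-enforcement logic is explicit and the loop runs only when it has to. Note also that `dirs` and `enforceRoot` are not visible in the hunk, so the enclosing generator must already have both in scope for this workaround to apply cleanly.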

Overriding by fs LiquidJS option

Adding a fs option to override the default fs implementation:

const { Liquid } = require('liquidjs')
const { statSync, readFileSync, promises: { stat, readFile } } = require('fs')
const { resolve, extname, dirname, sep } = require('path')

// Replacement fs implementation with the API surface LiquidJS expects.
// `contains` confines every candidate path to the root (the trailing
// separator prevents a sibling directory such as `<root>-private` from
// matching), and `fallback` is disabled so no path can bypass that check.
const fs = {
    exists: async (fp) => { try { await stat(fp); return true } catch { return false } },
    existsSync: (fp) => { try { statSync(fp); return true } catch { return false } },
    // Append the default extension only when the file has none
    resolve: (root, file, ext) => resolve(root, file + (extname(file) ? '' : ext)),
    contains: (root, file) => {
        const r = resolve(root)
        return file.startsWith(r.endsWith(sep) ? r : r + sep)
    },
    readFile: (fp) => readFile(fp, 'utf8'),
    readFileSync: (fp) => readFileSync(fp, 'utf8'),
    // No fallback lookup: a partial that is not under a root is simply not found
    fallback: () => undefined,
    dirname,
    sep
};

const engine = new Liquid({ fs })

References

Discussions: https://github.com/harttle/liquidjs/pull/851
Code fix: https://github.com/harttle/liquidjs/pull/855


Release Notes

harttle/liquidjs (liquidjs)

v10.25.0


Bug Fixes
Features

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot merged commit b84c2d6 into main Mar 10, 2026
3 checks passed
@renovate renovate bot deleted the renovate/npm-liquidjs-vulnerability branch March 10, 2026 06:35