
@renovate renovate bot commented Oct 17, 2025

This PR contains the following updates:

Package   Change
mammoth   1.9.1 -> 1.11.0

GitHub Vulnerability Alerts

CVE-2025-11849

Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and, after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause excessive resource consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.


Release Notes

mwilliamson/mammoth.js (mammoth)

v1.11.0

v1.10.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
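A pre-flight check for the r:link pattern described in the advisory above, as an added example that is neither part of this PR nor of mammoth's own code: it unpacks the .docx, scans every relationships part for image relationships marked TargetMode="External", and lets a caller refuse such files before a converter resolves the link target against the local filesystem. The `build_docx` helper and the relationship XML are constructed samples (only the parts this check reads), not real documents.

```python
# Added example: flag .docx files whose images are linked (r:link) rather than
# embedded (r:embed) before handing them to a converter. Not mammoth's own code.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def external_image_targets(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rId, Target) for every image relationship with TargetMode="External".

    Embedded images point at parts inside the zip and carry no TargetMode;
    linked images carry TargetMode="External" and a Target that a converter
    may resolve as a path on the machine doing the conversion."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts declare link targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == IMAGE_REL and rel.get("TargetMode") == "External":
                    found.append((rel.get("Id"), rel.get("Target")))
    return found


def is_safe_to_convert(docx_bytes: bytes) -> bool:
    """Policy: reject any document that links images from outside the package."""
    return not external_image_targets(docx_bytes)


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: one embedded image, one image linked outside the package.
EMBEDDED_RELS = f'''<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{IMAGE_REL}" Target="media/image1.png"/>
</Relationships>'''
LINKED_RELS = f'''<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{IMAGE_REL}" Target="../../../example-outside-package.png" TargetMode="External"/>
</Relationships>'''

if __name__ == "__main__":
    print(external_image_targets(build_docx(LINKED_RELS)))  # [('rId1', '../../../example-outside-package.png')]
```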


roomote bot commented Oct 17, 2025

Review Update

This PR has been updated since the last review and now includes substantial changes beyond the mammoth security update.

Issues Found

  • PR mixes security update with unrelated feature changes (new reviewer page, docs-extractor refactoring, Task.ts changes, CHANGELOG updates, locale updates). Consider separating into distinct PRs for easier review and validation.

Security Update

✅ The mammoth dependency update from 1.9.1 to 1.11.0 correctly addresses CVE-2025-11849 (Directory Traversal vulnerability).

Additional Changes

The PR now includes:

  • New /reviewer page and carousel component for the website
  • Extensive refactoring of docs-extractor mode rules
  • Updates to .roomodes configuration
  • CHANGELOG entry for version 3.28.18
  • Multiple README locale updates
  • Task.ts timeout changes
  • Subprocessors page updates

These additions should be reviewed separately from the security fix.

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Oct 17, 2025
@renovate renovate bot force-pushed the renovate/npm-mammoth-vulnerability branch from 8d46845 to f1d157d on October 21, 2025 10:07
mammoth:
specifier: ^1.9.1
version: 1.9.1
version: 1.11.0
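Review bot: the lockfile pins 1.11.0 but the `specifier: ^1.9.1` line is unchanged, so the package.json range still admits the vulnerable 1.9.x and 1.10.x releases; anyone installing without this lockfile, or regenerating it, can resolve back below the fixed version. Consider bumping the package.json range to `^1.11.0` so the minimum version itself carries the fix.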

This PR is labeled as a security update for the mammoth dependency, but includes substantial unrelated changes (new reviewer page, docs-extractor refactoring, Task.ts behavioral changes, CHANGELOG updates, locale updates). Mixing security updates with feature changes makes it harder to review and validate the security fix. Consider separating these into distinct PRs: one for the security update only, and separate PRs for the feature additions.


@roomote roomote bot left a comment


Review complete. This PR mixes security updates with unrelated feature changes, which should be separated for clearer review and validation.
