From e4330076faa4b1e2c2106c7eb788c7a9b52c3914 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 13:52:00 +0000
Subject: [PATCH] fix(deps): upgrade pbkdf2 to 3.1.3 to fix predictable number
 generation CVEs

Upgrade pbkdf2 from 3.1.2 to ^3.1.3 to address:
- CVE-2026-1863 (Predictable Number Generation, CVSS 9.1)
- CVE-2026-1864 (Predictable Number Generation, CVSS 9.1)

Changes:
- Updated direct dependency from pinned 3.1.2 to ^3.1.3
- Added **/pbkdf2 resolution to ensure all transitive paths are upgraded
- Updated yarn.lock to resolve pbkdf2 to 3.1.3

Co-Authored-By: Abhay Aggarwal <abhay.aggarwal@codeium.com>
---
 package.json | 5 +++--
 yarn.lock    | 8 ++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/package.json b/package.json
index 49edefcd942..6f253f4f21d 100644
--- a/package.json
+++ b/package.json
@@ -149,7 +149,8 @@
     "metro/image-size": "^1.2.1",
     "content-hash/**/base-x": "3.0.11",
     "multihashes/**/base-x": "3.0.11",
-    "@keystonehq/ur-decoder/**/base-x": "3.0.11"
+    "@keystonehq/ur-decoder/**/base-x": "3.0.11",
+    "**/pbkdf2": "^3.1.3"
   },
   "dependencies": {
     "@config-plugins/detox": "^9.0.0",
@@ -317,7 +318,7 @@
     "multihashes": "0.4.14",
     "number-to-bn": "1.7.0",
     "path": "0.12.7",
-    "pbkdf2": "3.1.2",
+    "pbkdf2": "^3.1.3",
     "pify": "6.1.0",
     "portfinder": "^1.0.32",
     "prop-types": "15.7.2",
diff --git a/yarn.lock b/yarn.lock
index 134f392c3e3..07d25166f98 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -23590,10 +23590,10 @@ pbkdf2@3.0.8:
   dependencies:
     create-hmac "^1.1.2"
 
-pbkdf2@3.1.2, pbkdf2@^3.0.17, pbkdf2@^3.0.3:
-  version "3.1.2"
-  resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.1.2.tgz#dd822aa0887580e52f1a039dc3eda108efae3075"
-  integrity sha512-iuh7L6jA7JEGu2WxDwtQP1ddOpaJNC4KlDEFfdQajSGgGPNi4OyDc2R7QnbY2bR9QjBVGwgvTdNJZoE7RaxUMA==
+pbkdf2@^3.0.17, pbkdf2@^3.0.3, pbkdf2@^3.1.3:
+  version "3.1.3"
+  resolved "https://registry.npmjs.org/pbkdf2/-/pbkdf2-3.1.3.tgz#8be674d591d65658113424592a95d1517318dd4b"
+  integrity sha512-wfRLBZ0feWRhCIkoMB6ete7czJcnNnqRpcoWQBLqatqXXmelSRqfdDK4F3u9T2s2cXas/hQJcryI/4lAL+XTlA==
   dependencies:
     create-hash "^1.1.2"
     create-hmac "^1.1.4"