This release includes 3 security fixes for security teams reviewing exposed deployments.
Topics
+12 more
Affected surfaces
ReleasePort's take
Moderate signalThe release fixes multiple security advisories in dependencies and updates vulnerable packages to patched versions.
Why it matters: Security advisories GHSA-58qx-3vcg-4xpx and several CVEs are addressed; operators should upgrade dependencies immediately after the @nhost/[email protected] publish on 2026β05β26.
Summary
AI summaryUpdates π Bug Fixes, dashboard, and deps across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical |
Fix ws advisory GHSA-58qx-3vcg-4xpx in dependencies Fix ws advisory GHSA-58qx-3vcg-4xpx in dependencies Source: llm_adapter@2026-05-26 Confidence: high |
β |
| Security | High |
Update various packages to address multiple CVEs Update various packages to address multiple CVEs Source: llm_adapter@2026-05-26 Confidence: high |
β |
| Security | High |
Update vulnerable dependencies to patched versions Update vulnerable dependencies to patched versions Source: llm_adapter@2026-05-26 Confidence: high |
β |
| Dependency | Medium |
Deduplicate lockfiles and tighten directβdependency version ranges Deduplicate lockfiles and tighten directβdependency version ranges Source: llm_adapter@2026-05-26 Confidence: high |
β |
| Bugfix | Medium |
Prevent onSubmit from firing on cancel in create/edit table forms Prevent onSubmit from firing on cancel in create/edit table forms Source: llm_adapter@2026-05-26 Confidence: high |
β |
| Bugfix | Medium |
Correct date/time picker and cell rendering issues Correct date/time picker and cell rendering issues Source: llm_adapter@2026-05-26 Confidence: high |
β |
| Refactor | Low |
Remove irrelevant role public header from Apollo Client configuration Remove irrelevant role public header from Apollo Client configuration Source: llm_adapter@2026-05-26 Confidence: high |
β |
| Other | Low |
Add script to remove tsconfig.tsbuildinfo during builds Add script to remove tsconfig.tsbuildinfo during builds Source: llm_adapter@2026-05-26 Confidence: low |
β |
Full changelog
[@nhost/[email protected]] - 2026-05-26
π Bug Fixes
- (deps) Fix ws advisory (GHSA-58qx-3vcg-4xpx) (#4307)
- (dashboard) Do not call onSubmit on cancel in create/edit table forms (#4296)
- (dashboard) Migrate overview and storage page icons (#4281)
- (dashboard) Align serverless function HTTP method colors with schema diagram (#4322)
- (dashboard) Resolve incorrect date/time picker & cell rendering w⦠(#4310)
- (dashboard) Hide remote schema permissions table until enabled state loads (#4318)
- (dashboard) Migrate authentication page icons (#4283)
- (dashboard) Migrate remote-schemas page icons (#4284)
- (dashboard) Migrate database page icons (#4285)
- (dashboard) Migrate services page icons (#4286)
- (dashboard) Migrate AI page icons (#4287)
- (dashboard) Migrate metrics page icons (#4289)
- (dashboard) Migrate git page icons (#4291)
- (dashboard) Remove irrelevant role public header from Apollo Client (#4351)
βοΈ Miscellaneous Tasks
- (dashboard) Add script to remove tsconfig.tsbuildinfo (#4325)
- (ci) Follow-up skill improvements (#4332)
Chore
- (deps) Update various packages due to CVEs (#4328)
- (deps) Update vulnerable dependencies (#4338)
- (deps) Dedupe lockfiles and tighten direct-dep ranges to resolved versions (#4344)
Security Fixes
- deps: GHSA-58qx-3vcg-4xpx β fix ws advisory
- deps: Update vulnerable dependencies due to CVEs (#4328, #4338)
- deps: Dedupe lockfiles and tighten directβdep ranges to resolved versions (#4344)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Beta — feedback welcome: [email protected]