
fix: resolve CVE-2025-9288 and CVE-2025-9287 in sha.js and cipher-base #41284

Merged: subrata71 merged 1 commit into release from fix/dependabot-cves on Oct 8, 2025

Conversation

@subrata71 subrata71 (Collaborator) commented Oct 7, 2025

Description

EE Shadow PR: https://github.com/appsmithorg/appsmith-ee/pull/8226

Fixes CVE-2025-9288
Fixes CVE-2025-9287

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/18306326151
Commit: 7516636
Cypress dashboard.
Tags: @tag.All
Spec:

Tue, 07 Oct 2025 13:45:02 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Updated client-side dependencies and locked specific versions to improve app stability and compatibility.
    • Added resolution overrides to ensure consistent builds across environments and reduce dependency-related issues.
    • These updates are behind the scenes and do not change the user interface or workflows.
    • No impact on exported APIs; functionality remains unchanged for end-users.

@subrata71 subrata71 requested a review from riodeuno as a code owner October 7, 2025 08:11
@github-actions github-actions bot added the Bug Something isn't working label Oct 7, 2025
@coderabbitai coderabbitai bot (Contributor) commented Oct 7, 2025

Walkthrough

Dependencies sha.js and cipher-base were added to app/client/package.json, and their versions were pinned via the resolutions field. No code or public API signatures were modified.

Changes

Cohort / File(s): Client dependencies (app/client/package.json)
Summary: Added dependencies: sha.js, cipher-base. Added resolution overrides to lock versions for sha.js and cipher-base. No exported/public entity changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

New hashes hum in the client’s core,
Cipher doors locked to specific lore.
Two deps docked, versions held fast,
Resolved and pinned to outlast the past.
Ship it quiet—no APIs roar.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name: Description Check
Status: ⚠️ Warning
Explanation: The pull request description includes the required section headers but does not list the affected dependencies or provide motivation and context for the CVE fixes, nor does it format the “Fixes” lines according to the template’s requirement for issue numbers or URLs. The Description section only references an EE shadow PR link and the CVE identifiers without explanations of why these changes are important or what dependencies are updated. The “Fixes” lines reference CVE identifiers rather than using the prescribed format. Although the Automation and Communication sections exist, the overall content does not meet the template’s detailed guidance.
Resolution: Please update the Description section to include clear motivation and context for the CVE fixes, explicitly list the updated dependencies (sha.js and cipher-base), and format the “Fixes” entries with valid issue numbers or full URLs as per the template. Ensure any relevant documentation links (Notion, Figma, etc.) are added. Also verify that the /ok-to-test tag attributes and Cypress test results block use the exact formatting from the template.

✅ Passed checks (2 passed)

Check name: Title Check
Status: ✅ Passed
Explanation: The title clearly and concisely summarizes the primary change by referencing the specific CVEs and the affected packages sha.js and cipher-base. It follows the conventional commit style with a short, single-sentence format that accurately reflects the code modifications. Therefore, the title meets the repository guidelines.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changes. Docstring coverage check skipped.
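The walkthrough above says the fix pins sha.js and cipher-base through the `resolutions` field of app/client/package.json. A pin like that only helps if every installed copy, including nested transitive copies, actually resolves to the pinned version. The following is an added example, not code from the appsmith PR or from CodeRabbit: a small check that compares a `resolutions` map against a list of installed copies and reports any copy still older than its pin. The package names are the ones from the PR; the version numbers and the installed tree are constructed sample data, since the page does not list the fixed versions.

```javascript
// Added example (not from the appsmith PR): verify that a package.json
// "resolutions" pin was honoured for every installed copy of a package.
// Versions and the installed tree below are constructed placeholders.

// Strip a leading range operator ("^", "~", ">=") and return "x.y.z".
function pinnedVersion(spec) {
  return spec.replace(/^[\^~>=\s]+/, "");
}

// Compare two "major.minor.patch" strings: returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Given the "resolutions" map from package.json and the installed copies
// ({ name, version, path }, nested copies included), return every copy that
// still resolves to a version older than its pin. Empty means the override
// took effect everywhere; anything else is a leftover vulnerable copy.
function findUnpinnedCopies(resolutions, installed) {
  const violations = [];
  for (const copy of installed) {
    const spec = resolutions[copy.name];
    if (!spec) continue; // not governed by a resolution
    const required = pinnedVersion(spec);
    if (compareSemver(copy.version, required) < 0) {
      violations.push({ ...copy, required });
    }
  }
  return violations;
}

// Constructed sample: placeholder pins (the PR page does not list the real
// ones) and a tree in which one nested cipher-base copy was not overridden,
// e.g. a stale lockfile or a package manager that ignores "resolutions".
const sampleResolutions = { "sha.js": "2.4.99", "cipher-base": "1.0.99" };
const sampleInstalled = [
  { name: "sha.js", version: "2.4.99", path: "node_modules/sha.js" },
  { name: "cipher-base", version: "1.0.99", path: "node_modules/cipher-base" },
  { name: "cipher-base", version: "1.0.4", path: "node_modules/create-hash/node_modules/cipher-base" },
];

for (const v of findUnpinnedCopies(sampleResolutions, sampleInstalled)) {
  console.log(`${v.path}: installed ${v.version}, pinned ${v.required}`);
}
```

In a real checkout the `installed` list would come from walking node_modules (or the lockfile) for every directory named after a pinned package; a non-empty result means the dependency bump did not reach that copy.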

@subrata71 subrata71 self-assigned this Oct 7, 2025
@subrata71 subrata71 added the ok-to-test Required label for CI label Oct 7, 2025
@subrata71 subrata71 requested a review from KelvinOm October 7, 2025 08:15
@subrata71 subrata71 merged commit d1dfa44 into release Oct 8, 2025
362 of 370 checks passed
@subrata71 subrata71 deleted the fix/dependabot-cves branch October 8, 2025 06:25

Labels

Bug Something isn't working ok-to-test Required label for CI


2 participants