From 3678de6c8eee359f29666578be49e450e7f5e9e2 Mon Sep 17 00:00:00 2001
From: SRE Agent
Date: Tue, 23 Jun 2026 07:00:35 +0000
Subject: [PATCH] fix: upgrade ts-deepmerge to v8 to resolve CVE-2026-12644
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps ts-deepmerge from 6.2.1 to 8.0.0 to address a critical vulnerability reported under CVE-2026-12644. All versions prior to v8 are flagged by the Meterian CVE check.
- package.json: ^6.0.2 → ^8.0.0
- pnpm-lock.yaml: 6.2.1 → 8.0.0 (sha512 hash updated)
---
 package.json | 2 +-
 pnpm-lock.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index e6aa9ce2..b0d8a7b8 100644
--- a/package.json
+++ b/package.json
@@ -72,7 +72,7 @@
 "eventemitter3": "^4.0.7",
 "lodash": "^4.18.1",
 "mixpanel-browser": "2.47.0",
- "ts-deepmerge": "^6.0.2",
+ "ts-deepmerge": "^8.0.0",
 "tslib": "^2.5.3",
 "use-deep-compare-effect": "^1.8.1",
 "yaml": "^2.5.1"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6a4e4f0c..4e0f7d7b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -18,8 +18,8 @@ dependencies:
 specifier: 2.47.0
 version: 2.47.0
 ts-deepmerge:
- specifier: ^6.0.2
- version: 6.2.1
+ specifier: ^8.0.0
+ version: 8.0.0
 tslib:
 specifier: ^2.5.3
 version: 2.8.1
@@ -9841,8 +9841,8 @@ packages:
 typescript: 4.9.5
 dev: true
- /ts-deepmerge@6.2.1:
- resolution: {integrity: sha512-8CYSLazCyj0DJDpPIxOFzJG46r93uh6EynYjuey+bxcLltBeqZL7DMfaE5ZPzZNFlav7wx+2TDa/mBl8gkTYzw==}
+ /ts-deepmerge@8.0.0:
+ resolution: {integrity: sha512-133O+10nJmVI8w5xeVZPEv5PIrv7iaUae07wv1aH8XJH95Ur6YIhWAPhPyP1YPlbPS9fCVcNIZTu7m8urRVF0A==}
 engines: {node: '>=14.13.1'}
 dev: false