Version in base suite: 3.2.7~ds-1 Base version: node-flatted_3.2.7~ds-1 Target version: node-flatted_3.2.7~ds-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-flatted/node-flatted_3.2.7~ds-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-flatted/node-flatted_3.2.7~ds-1+deb13u1.dsc changelog | 8 ++++++++ patches/CVE-2026-33228.patch | 17 +++++++++++++++++ patches/series | 1 + 3 files changed, 26 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp3okr9h6p/node-flatted_3.2.7~ds-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp3okr9h6p/node-flatted_3.2.7~ds-1+deb13u1.dsc: no acceptable signature found
diff -Nru node-flatted-3.2.7~ds/debian/changelog node-flatted-3.2.7~ds/debian/changelog
--- node-flatted-3.2.7~ds/debian/changelog 2022-11-01 14:36:53.000000000 +0000
+++ node-flatted-3.2.7~ds/debian/changelog 2026-03-22 06:13:05.000000000 +0000
@@ -1,3 +1,11 @@
+node-flatted (3.2.7~ds-1+deb13u1) trixie; urgency=medium
+
+ * Team upload
+ * Add patch for CVE-2026-33228 (prototype pollution in parse)
+ (Closes: #1131462)
+
+ -- Yadd Sun, 22 Mar 2026 07:13:05 +0100
+
 node-flatted (3.2.7~ds-1) unstable; urgency=medium
 
 * Team upload
diff -Nru node-flatted-3.2.7~ds/debian/patches/CVE-2026-33228.patch node-flatted-3.2.7~ds/debian/patches/CVE-2026-33228.patch
--- node-flatted-3.2.7~ds/debian/patches/CVE-2026-33228.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-flatted-3.2.7~ds/debian/patches/CVE-2026-33228.patch 2026-03-22 06:13:05.000000000 +0000
@@ -0,0 +1,17 @@
+Description: Fix prototype pollution in parse() (CVE-2026-33228)
+ Coerce index value to number before using as array key to prevent
+ __proto__ from leaking Array.prototype.
+Origin: upstream, https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802
+Bug-Debian: https://bugs.debian.org/1131462
+
+--- a/esm/index.js
++++ b/esm/index.js
+@@ -25,7 +25,7 @@
+ const k = ke[y];
+ const value = output[k];
+ if (value instanceof Primitive) {
+- const tmp = input[value];
++ const tmp = input[+value];
+ if (typeof tmp === object && !parsed.has(tmp)) {
+ parsed.add(tmp);
+ output[k] = ignore;
diff -Nru node-flatted-3.2.7~ds/debian/patches/series node-flatted-3.2.7~ds/debian/patches/series
--- node-flatted-3.2.7~ds/debian/patches/series 2021-11-16 22:27:45.000000000 +0000
+++ node-flatted-3.2.7~ds/debian/patches/series 2026-03-22 06:13:05.000000000 +0000
@@ -1,3 +1,4 @@
 2001_privacy.patch
 2002_drop-babel-typeof.patch
 2003_rollup-babel.patch
+CVE-2026-33228.patch
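Review bot: The embedded patch in `debian/patches/CVE-2026-33228.patch` changes only `esm/index.js`, so the CommonJS entry point and any bundled builds stay on `input[value]` unless the package build regenerates them from the ESM source, and nothing in this debdiff shows that it does. If they are regenerated (the existing `2003_rollup-babel.patch` hints at a rollup step, but that is an inference), record it in the patch header with a continuation line such as ` The cjs and bundled files are rebuilt from esm/index.js at build time.`; if not, the same `input[+value]` change is needed in every shipped copy. The coercion itself matches the stated issue, since a non-numeric key such as `__proto__` becomes `NaN` and `input[NaN]` is `undefined`, which fails the `typeof tmp === object` test. No regression test accompanies the change; one asserting that parsing input with a `__proto__` reference leaves `Array.prototype` unmodified would guard the fix on later rebases. The enclosing function in `esm/index.js` begins and ends outside the hunk, so other uses of `input[...]` with parsed values could not be checked here.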