From 198d9f8363bbc7e345d3066d21fd712a68d091a2 Mon Sep 17 00:00:00 2001
From: Roshil Ka Patel
Date: Sun, 22 Mar 2026 13:58:43 -0300
Subject: [PATCH] fix: CVE-2026-27699 update basic-ftp to 5.2.0
Override basic-ftp transitive dependency (via @pm2/agent -> proxy-agent -> pac-proxy-agent -> get-uri -> basic-ftp) from 5.0.5 to 5.2.0 to resolve CVE-2026-27699 which affects versions < 5.2.0. Closes #6088
---
 package-lock.json | 7 ++++---
 package.json | 3 ++-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 031b11999..6744a4f52 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -348,9 +348,10 @@
 "dev": true
 },
 "node_modules/basic-ftp": {
- "version": "5.0.5",
- "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.0.5.tgz",
- "integrity": "sha512-4Bcg1P8xhUuqcii/S0Z9wiHIrQVPMermM1any+MX5GeGD7faD3/msQUDGLol9wOcz4/jbg/WJnGqoJF6LiBdtg==",
+ "version": "5.2.0",
+ "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.2.0.tgz",
+ "integrity": "sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==",
+ "license": "MIT",
 "engines": {
 "node": ">=10.0.0"
 }
diff --git a/package.json b/package.json
index 5d698165e..78093edab 100644
--- a/package.json
+++ b/package.json
@@ -199,7 +199,8 @@
 "js-yaml": "4.1.1"
 },
 "overrides": {
- "debug": "4.4.3"
+ "debug": "4.4.3",
+ "basic-ftp": "5.2.0"
 },
 "optionalDependencies": {
 "pm2-sysmonit": "^1.2.8"
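Review bot: The new `"basic-ftp": "5.2.0"` entry under `overrides` in package.json only takes effect when this package is the root project, because npm ignores `overrides` declared by installed dependencies and does not publish package-lock.json. Anyone who installs this package from the registry would therefore presumably still resolve basic-ftp from the range declared further down the chain named in the description, and an existing consumer lockfile could stay on a version below 5.2.0 that is affected by CVE-2026-27699. Consider also bumping the direct dependency that pulls it in (or shipping an `npm-shrinkwrap.json`), and confirm the result with `npm ls basic-ftp` in a clean consumer install. Separately, the exact pin blocks later 5.x fixes; `"basic-ftp": "^5.2.0"` would keep the patched floor while still allowing them.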