diff --git a/bqplot-js.patch b/bqplot-js.patch
new file mode 100644
index 0000000..cdc26ea
--- /dev/null
+++ b/bqplot-js.patch
@@ -0,0 +1,23 @@
+diff -ur a/js/package.json b/js/package.json
+--- a/js/package.json 2025-05-21 19:20:26.000000000 +0200
++++ b/js/package.json 2025-08-21 18:56:06.584707667 +0200
+@@ -35,7 +35,7 @@
+ "devDependencies": {
+ "@jupyter-widgets/base-manager": "^1.0.0",
+ "@jupyter-widgets/controls": "^5",
+- "@jupyterlab/builder": "^3.0.0",
++ "@jupyterlab/builder": "^4.0.0",
+ "@types/chai": "^4.1.7",
+ "@types/d3": "^5.7.2",
+ "@types/expect.js": "^0.3.29",
+@@ -103,5 +103,9 @@
+ "css/",
+ "lib/",
+ "shaders/"
+- ]
++ ],
++ "resolutions": {
++ "cipher-base": "1.0.6",
++ "sha.js": "2.4.12"
++ }
+ }
diff --git a/create_node_modules.sh b/create_node_modules.sh
index e0d4569..87e4be4 100644
--- a/create_node_modules.sh
+++ b/create_node_modules.sh
@@ -2,10 +2,10 @@
 #
 # Script to create node_modules.tar.xz
 # needs bower, webpack and webpack-cli installed
+# apply bqplot-js.patch before running this script
 pushd js
-sed -i '/builder/ s/\^3/\^4/' package.json
 jlpm install
 jlpm run build
 popd
-tar cJf node_modules.tar.xz js/node_modules
+tar cJf node_modules.tar.xz js/node_modules js/yarn.lock
diff --git a/node_modules.tar.xz b/node_modules.tar.xz
index 55ec682..8621823 100644
--- a/node_modules.tar.xz
+++ b/node_modules.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e5f77e199dd5799ed55bb83c7355fefd48e9cc2ea4990a9758f523a083b1d11c
-size 30182476
+oid sha256:ca8e23c5ee5d8fac9526fde8498486d9f30612eb05f3e54523bbb5e48709fff7
+size 30420132
diff --git a/python-bqplot.changes b/python-bqplot.changes
index eb80a18..0d9e21d 100644
--- a/python-bqplot.changes
+++ b/python-bqplot.changes
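Review bot: bqplot-js.patch carries no header, so read on its own nothing says that the `resolutions` block pinning `cipher-base` 1.0.6 and `sha.js` 2.4.12 is the fix for CVE-2025-9287 and CVE-2025-9288 (boo#1248431), nor that the `@jupyterlab/builder` ^3 to ^4 bump replaces the `sed` this commit removes from create_node_modules.sh. Add a free-text preamble above the first `diff -ur` line, e.g. `boo#1248431 CVE-2025-9287 CVE-2025-9288: pin cipher-base and sha.js through yarn resolutions; the builder ^4 bump replaces the former sed in create_node_modules.sh`. The pins are exact versions rather than ranges, so a later fix release of either package is not picked up until this patch is edited, which is worth stating in the same header. After regenerating, the cipher-base and sha.js entries in the bundled js/yarn.lock are where to confirm the resolutions actually took effect.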
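Review bot: The new comment `# apply bqplot-js.patch before running this script` documents the prerequisite but nothing enforces it: run on an unpatched checkout, `jlpm install` would quietly build a node_modules.tar.xz and js/yarn.lock that still resolve the unpinned cipher-base and sha.js, and the mismatch would likely go unnoticed until the package is rebuilt. A guard before `pushd js` turns that into a hard failure, `grep -q '"cipher-base": "1.0.6"' js/package.json || { echo "apply bqplot-js.patch first" >&2; exit 1; }`. The script's first line is outside the hunk, so whether `set -e` is in force for the jlpm steps cannot be seen here.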
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 21 17:00:29 UTC 2025 - Ben Greiner
+
+- Add bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288
+ * We need to keep most of the js lock (yarn.lock) because 0.12
+ is still not fully updatable with jupyterlab 4. This will
+ hopefully change with 0.13, which is at rc stage
+
 -------------------------------------------------------------------
 Sun Jul 20 16:19:08 UTC 2025 - Ben Greiner
diff --git a/python-bqplot.spec b/python-bqplot.spec
index ff07402..dc08d3e 100644
--- a/python-bqplot.spec
+++ b/python-bqplot.spec
@@ -31,6 +31,8 @@ Source0: https://github.com/bqplot/bqplot/archive/refs/tags/%{pyver}.tar.
 Source1: node_modules.tar.xz
 # Script to vendor node_modules sources
 Source2: create_node_modules.sh
+# PATCH-FIX-OPENSUSE bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288
+Patch0: bqplot-js.patch
 BuildRequires: %{python_module jupyter-packaging}
 BuildRequires: %{python_module jupyterlab}
 BuildRequires: %{python_module pip}
@@ -95,8 +97,6 @@ This package provides the jupyterlab extension.
 %prep
 %autosetup -p1 -n bqplot-%{pyver} -a1
-# sync with create_node_modules.sh
-sed -i '/builder/ s/\^3/\^4/' js/package.json
 rm bqplot/install.py
 %build
@@ -104,7 +104,6 @@ pushd js
 export PATH="${PATH}:node_modules/.bin"
 jlpm run build
 popd
-echo "IM HERE"
 %pyproject_wheel
 %install
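Review bot: Patch0 is applied by `%autosetup -p1` while Source1 (node_modules.tar.xz, which now also carries js/yarn.lock) is unpacked by `-a1` from a tarball generated out-of-band, and nothing in the spec records that the two must be regenerated together; a stale Source1 would reintroduce the unpinned cipher-base and sha.js that the patch is meant to fix. Add a comment next to `Source1:`, e.g. `# Regenerate with create_node_modules.sh whenever bqplot-js.patch changes; the bundled js/yarn.lock must match the patched js/package.json`. The %prep hunk at -95 drops the `sed` on js/package.json in favour of the patch, which is consistent with the same removal in create_node_modules.sh. Whether `-a1` unpacks Source1 before or after Patch0 is applied is not visible here; since the patch touches only js/package.json and the tarball contributes js/node_modules and js/yarn.lock, the order should not matter.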