
fix(deps): vuln minor upgrades — 15 packages (minor: 4 · patch: 11) #116

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/0-1781563206

Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| tar | 7.5.7 | 7.5.16 | patch | Transitive | 6 HIGH, 1 MEDIUM |
| minimatch | 9.0.5 | 9.0.9 | patch | Transitive | 6 HIGH |
| @xmldom/xmldom | 0.8.11 | 0.8.13 | patch | Transitive | 5 HIGH |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| picomatch | 4.0.3 | 4.0.4 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| semver | 5.7.1 | 5.7.2 | patch | Transitive | 2 HIGH |
| ws | 8.20.0 | 8.21.0 | minor | Transitive | 1 HIGH, 1 MEDIUM |
| @babel/plugin-transform-modules-systemjs | 7.29.0 | 7.29.7 | patch | Transitive | 1 HIGH |
| form-data | 4.0.4 | 4.0.6 | patch | Transitive | 1 HIGH |
| ajv | 6.12.6 | 6.15.0 | minor | Transitive | 2 MEDIUM |
| brace-expansion | 1.1.11 | 1.1.15 | patch | Transitive | 2 MEDIUM, 2 LOW |
| micromatch | 4.0.5 | 4.0.8 | patch | Transitive | 2 MEDIUM |
| js-yaml | 4.1.1 | 4.2.0 | minor | Transitive | 1 MEDIUM |
| @babel/core | 7.29.0 | 7.29.7 | patch | Transitive | 1 LOW |
| @tootallnate/once | 2.0.0 | 2.0.1 | patch | Transitive | 2 LOW |

Security Details

🚨 Critical & High Severity (28 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @babel/plugin-transform-modules-systemjs | GHSA-fv7c-fp4j-7gwp | HIGH | @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input | 7.29.0 | 7.29.4 |
| @xmldom/xmldom | GHSA-f6ww-3ggp-fr8h | HIGH | xmldom has XML injection through unvalidated DocumentType serialization | 0.8.11 | 0.8.13 |
| @xmldom/xmldom | GHSA-wh4c-j3r5-mjhp | HIGH | xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion | 0.8.11 | 0.8.12 |
| @xmldom/xmldom | GHSA-x6wf-f3px-wcqx | HIGH | xmldom has XML node injection through unvalidated processing instruction serialization | 0.8.11 | 0.8.13 |
| @xmldom/xmldom | GHSA-2v35-w6hq-6mfw | HIGH | xmldom: Uncontrolled recursion in XML serialization leads to DoS | 0.8.11 | 0.8.13 |
| @xmldom/xmldom | GHSA-j759-j44w-7fr8 | HIGH | xmldom has XML node injection through unvalidated comment serialization | 0.8.11 | 0.8.13 |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| form-data | GHSA-hmw2-7cc7-3qxx | HIGH | form-data: CRLF injection in form-data via unescaped multipart field names and filenames | 4.0.4 | 2.5.6 |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | 10.2.3 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | 10.2.3 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | 10.2.1 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | - |
| semver | CVE-2022-25883 | HIGH | - | 5.7.1 | - |
| semver | GHSA-c2qf-rxjj-qqgw | HIGH | semver vulnerable to Regular Expression Denial of Service | 5.7.1 | 7.5.2 |
| tar | CVE-2026-26960 | HIGH | node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction | 7.5.7 | - |
| tar | GHSA-83g3-92jg-28cx | HIGH | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction | 7.5.7 | 7.5.8 |
| tar | CVE-2026-29786 | HIGH | node-tar: Hardlink Path Traversal via Drive-Relative Linkpath | 7.5.7 | - |
| tar | GHSA-qffp-2rhf-9h96 | HIGH | tar has Hardlink Path Traversal via Drive-Relative Linkpath | 7.5.7 | 7.5.10 |
| tar | CVE-2026-31802 | HIGH | node-tar Symlink Path Traversal via Drive-Relative Linkpath | 7.5.7 | - |
| tar | GHSA-9ppj-qmqm-q256 | HIGH | node-tar Symlink Path Traversal via Drive-Relative Linkpath | 7.5.7 | 7.5.11 |
| ws | GHSA-96hv-2xvq-fx4p | HIGH | ws: Memory exhaustion DoS from tiny fragments and data chunks | 8.20.0 | 5.2.5 |
ℹ️ Other Vulnerabilities (16)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| ajv | CVE-2025-69873 | MODERATE | - | 6.12.6 | - |
| ajv | GHSA-2g4f-4pwh-qvx6 | MODERATE | ajv has ReDoS when using $data option | 6.12.6 | 8.18.0 |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | - |
| js-yaml | GHSA-h67p-54hq-rp68 | MODERATE | JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases | 4.1.1 | 4.2.0 |
| micromatch | CVE-2024-4067 | MODERATE | - | 4.0.5 | - |
| micromatch | GHSA-952p-6rrq-rcjv | MODERATE | Regular Expression Denial of Service (ReDoS) in micromatch | 4.0.5 | 4.0.8 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | 4.0.4 |
| tar | GHSA-vmf3-w455-68vh | MODERATE | node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) | 7.5.7 | 7.5.16 |
| ws | GHSA-58qx-3vcg-4xpx | MODERATE | ws: Uninitialized memory disclosure | 8.20.0 | 8.20.1 |
| @babel/core | GHSA-4x5r-pxfx-6jf8 | LOW | @babel/core: Arbitrary File Read via sourceMappingURL Comment | 7.29.0 | 8.0.0-rc.6 |
| @tootallnate/once | GHSA-vpq2-c234-7xj6 | LOW | @tootallnate/once vulnerable to Incorrect Control Flow Scoping | 2.0.0 | 3.0.1 |
| @tootallnate/once | CVE-2026-3449 | LOW | - | 2.0.0 | - |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 1.1.11 | 2.0.2 |
| brace-expansion | CVE-2025-5889 | LOW | - | 1.1.11 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

1 participant