Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 10 · patch: 5) [src/pricing-service]#663

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/pricing-service/6-1783348445
Draft

fix(deps): vuln minor upgrades — 15 packages (minor: 10 · patch: 5) [src/pricing-service]#663
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/pricing-service/6-1783348445

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • src/pricing-service (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
handlebars 4.7.8 4.7.9 patch Transitive 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW
simple-git 3.16.0 3.36.0 minor Transitive 2 CRITICAL, 2 HIGH
axios 1.13.6 1.18.1 minor Direct 11 HIGH, 11 MEDIUM, 1 LOW
undici 6.21.1 6.27.0 minor Transitive 7 HIGH, 7 MEDIUM, 4 LOW
minimatch 5.1.6 5.1.9 patch Transitive 6 HIGH
basic-ftp 5.2.0 5.3.1 minor Transitive 4 HIGH
picomatch 4.0.3 4.0.5 patch Transitive 2 HIGH, 2 MEDIUM
effect 3.12.11 3.21.4 minor Transitive 2 HIGH
fast-uri 3.0.6 3.1.3 minor Transitive 2 HIGH
glob 10.4.5 10.5.0 minor Transitive 2 HIGH
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
ws 8.18.0 8.21.0 minor Transitive 1 HIGH, 1 MEDIUM
aws-cdk-lib 2.240.0 2.261.0 minor Direct 1 HIGH
brace-expansion 5.0.3 5.0.7 patch Transitive 3 MEDIUM
js-yaml 3.14.1 3.14.2 patch Transitive 3 MEDIUM

Security Details

🚨 Critical & High Severity (53 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
handlebars GHSA-2w6w-674q-4c4q CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 4.7.9 -
handlebars CVE-2026-33937 CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 - -
simple-git CVE-2026-28292 CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 - -
simple-git GHSA-r275-fr43-pm7q CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 3.32.3 -
aws-cdk-lib GHSA-999r-qq7v-r334 HIGH aws-cdk-lib: OS Command Injection in NodejsFunction Bundling 2.240.0 2.246.0 -
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.13.6 1.16.0 -
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.13.6 1.15.1 -
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.13.6 1.15.1 -
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.13.6 1.16.0 -
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.13.6 1.15.2 -
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.13.6 1.16.0 -
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.13.6 1.15.2 -
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.13.6 1.16.0 -
axios GHSA-777c-7fjr-54vf HIGH Allocation of Resources Without Limits or Throttling in Axios 1.13.6 1.16.0 -
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.13.6 1.15.1 -
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.13.6 1.16.0 -
basic-ftp GHSA-rpmf-866q-6p89 HIGH basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering 5.2.0 5.3.1 -
basic-ftp GHSA-rp42-5vxx-qpwr HIGH basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() 5.2.0 5.3.0 -
basic-ftp GHSA-chqc-8p9q-pq6q HIGH basic-ftp has FTP Command Injection via CRLF 5.2.0 5.2.1 -
basic-ftp GHSA-6v7q-wjvx-w8wg HIGH basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands 5.2.0 5.2.2 -
effect GHSA-38f7-945m-qr2g HIGH Effect AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC 3.12.11 3.20.0 -
effect CVE-2026-32887 HIGH Effect Bug: AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC 3.12.11 - -
fast-uri GHSA-v39h-62p7-jpjc HIGH fast-uri vulnerable to host confusion via percent-encoded authority delimiters 3.0.6 3.1.2 -
fast-uri GHSA-q3j6-qgpj-74h6 HIGH fast-uri vulnerable to path traversal via percent-encoded dot segments 3.0.6 3.1.1 -
glob CVE-2025-64756 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 - -
glob GHSA-5j98-mcp5-4vw2 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 11.1.0 -
handlebars CVE-2026-33941 HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 - -
handlebars GHSA-9cx6-37pm-9jff HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 4.7.9 -
handlebars CVE-2026-33939 HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 - -
handlebars GHSA-xhpv-hc6g-r9c6 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 4.7.9 -
handlebars GHSA-xjpj-3mr7-gcpf HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 4.7.9 -
handlebars CVE-2026-33940 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 - -
handlebars GHSA-3mfm-83xf-c92r HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 4.7.9 -
handlebars CVE-2026-33938 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 - -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 5.1.6 - -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 5.1.6 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 5.1.6 10.2.1 -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 5.1.6 10.2.3 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 5.1.6 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 5.1.6 10.2.3 -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 4.0.4 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 - -
simple-git GHSA-hffm-xvc3-vprc HIGH simple-git is vulnerable to Remote Code Execution 3.16.0 3.36.0 -
simple-git GHSA-jcxm-m3jx-f287 HIGH simple-git Affected by Command Execution via Option-Parsing Bypass 3.16.0 3.32.0 -
undici CVE-2026-1526 HIGH - 6.21.1 - -
undici GHSA-f269-vfmq-vjvj HIGH Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client 6.21.1 6.24.0 -
undici GHSA-vxpw-j846-p89q HIGH undici WebSocket client vulnerable to denial of service via fragment count bypass 6.21.1 6.27.0 -
undici GHSA-vrm6-8vpv-qv8q HIGH Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression 6.21.1 6.24.0 -
undici CVE-2026-2229 HIGH - 6.21.1 - -
undici GHSA-v9p9-hfj2-hcw8 HIGH Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation 6.21.1 6.24.0 -
undici CVE-2026-1528 HIGH - 6.21.1 - -
ws GHSA-96hv-2xvq-fx4p HIGH ws: Memory exhaustion DoS from tiny fragments and data chunks 8.18.0 5.2.5 -
ℹ️ Other Vulnerabilities (39)
Package CVE Severity Summary Unsafe Version Fixed In Case
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.13.6 1.16.0 -
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.13.6 1.15.1 -
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.13.6 1.15.1 -
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.13.6 1.15.1 -
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.13.6 1.15.1 -
axios GHSA-3p68-rc4w-qgx5 MODERATE Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF 1.13.6 1.15.0 -
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.13.6 1.15.1 -
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.13.6 1.15.1 -
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.13.6 1.15.2 -
axios GHSA-fvcv-3m26-pcqx MODERATE Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 1.13.6 1.15.0 -
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.13.6 1.15.1 -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 5.0.5 -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 - -
brace-expansion GHSA-jxxr-4gwj-5jf2 MODERATE brace-expansion: Large numeric range defeats documented max DoS protection 5.0.3 5.0.6 -
handlebars CVE-2026-33916 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 - -
handlebars GHSA-7rx3-28cr-v5wh MODERATE Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry 4.7.8 4.7.9 -
handlebars GHSA-2qvq-rjwj-gvw9 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 4.7.9 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 3.14.1 4.2.0 -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 - -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23 -
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0 -
lodash CVE-2025-13465 MODERATE - 4.17.21 - -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 4.0.4 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 - -
undici GHSA-g9mf-h72j-4rw9 MODERATE Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion 6.21.1 7.18.2 -
undici GHSA-2mjp-6q6p-2qxm MODERATE Undici has an HTTP Request/Response Smuggling issue 6.21.1 6.24.0 -
undici CVE-2026-1525 MODERATE - 6.21.1 - -
undici GHSA-p88m-4jfj-68fv MODERATE undici vulnerable to HTTP header injection via Set-Cookie percent-decoding 6.21.1 6.27.0 -
undici CVE-2026-22036 MODERATE Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion 6.21.1 - -
undici CVE-2026-1527 MODERATE - 6.21.1 - -
undici GHSA-4992-7rv2-5pvq MODERATE Undici has CRLF Injection in undici via upgrade option 6.21.1 6.24.0 -
ws GHSA-58qx-3vcg-4xpx MODERATE ws: Uninitialized memory disclosure 8.18.0 8.20.1 -
axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.13.6 1.15.1 -
handlebars GHSA-442j-39wm-28r2 LOW Handlebars.js has a Property Access Validation Bypass in container.lookup 4.7.8 4.7.9 -
undici GHSA-35p6-xmwp-9g52 LOW undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse 6.21.1 6.27.0 -
undici GHSA-g8m3-5g58-fq7m LOW undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching 6.21.1 6.27.0 -
undici CVE-2025-47279 LOW undici Denial of Service attack via bad certificate data 6.21.1 - -
undici GHSA-cxrh-j4jr-qwg3 LOW undici Denial of Service attack via bad certificate data 6.21.1 5.29.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants