Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 9 · patch: 6) [api-docs/event-catalog]#666

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/event-catalog/0-1783348444
Open

fix(deps): vuln minor upgrades — 15 packages (minor: 9 · patch: 6) [api-docs/event-catalog]#666
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/event-catalog/0-1783348444

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • api-docs/event-catalog (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
fast-xml-parser 4.5.3 4.5.7 patch Transitive 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW
form-data 4.0.0 4.0.6 patch Transitive 2 CRITICAL, 1 HIGH
protobufjs 7.4.0 7.6.5 minor Transitive 1 CRITICAL, 5 HIGH, 5 MEDIUM
shell-quote 1.8.2 1.8.4 patch Transitive 1 CRITICAL
axios 1.7.9 1.18.1 minor Transitive 17 HIGH, 11 MEDIUM, 1 LOW
tar 7.4.3 7.5.19 minor Transitive 12 HIGH, 1 MEDIUM
minimatch 9.0.5 9.0.9 patch Transitive 6 HIGH
h3 1.15.1 1.15.11 patch Transitive 4 HIGH, 3 MEDIUM
devalue 5.1.1 5.8.1 minor Transitive 4 HIGH, 2 MEDIUM, 3 LOW
flatted 3.3.3 3.4.2 minor Transitive 4 HIGH
vite 6.2.0 6.4.3 minor Transitive 3 HIGH, 14 MEDIUM, 4 LOW
picomatch 4.0.2 4.0.5 patch Transitive 2 HIGH, 2 MEDIUM
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
dompurify 3.2.4 3.4.11 minor Transitive 16 MEDIUM, 3 LOW
mermaid 11.4.1 11.16.0 minor Transitive 8 MEDIUM

Security Details

🚨 Critical & High Severity (69 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
fast-xml-parser GHSA-m7jm-9gc2-mpf2 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.5.3 5.3.5 -
fast-xml-parser CVE-2026-25896 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.5.3 - -
form-data CVE-2025-7783 CRITICAL - 4.0.0 - -
form-data GHSA-fjxv-7rqg-78g4 CRITICAL form-data uses unsafe random function in form-data for choosing boundary 4.0.0 2.5.4 -
protobufjs GHSA-xq3m-2v4x-88gg CRITICAL Arbitrary code execution in protobufjs 7.4.0 8.0.1 -
shell-quote GHSA-w7jw-789q-3m8p CRITICAL shell-quote quote() does not escape newlines in object .op values 1.8.2 1.8.4 -
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.7.9 1.15.2 -
axios CVE-2026-25639 HIGH Axios affected by Denial of Service via proto Key in mergeConfig 1.7.9 - -
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.7.9 1.15.1 -
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.7.9 1.16.0 -
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.7.9 1.16.0 -
axios CVE-2025-58754 HIGH Axios is vulnerable to DoS attack through lack of data size check 1.7.9 - -
axios CVE-2025-27152 HIGH Possible SSRF and Credential Leakage via Absolute URL in axios Requests 1.7.9 - -
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.7.9 1.16.0 -
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.7.9 1.15.2 -
axios GHSA-43fc-jf86-j433 HIGH Axios is Vulnerable to Denial of Service via proto Key in mergeConfig 1.7.9 1.13.5 -
axios GHSA-jr5f-v2jv-69x6 HIGH axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL 1.7.9 1.8.2 -
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.7.9 1.15.1 -
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.7.9 1.16.0 -
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.7.9 1.15.1 -
axios GHSA-4hjh-wcwx-xvwj HIGH Axios is vulnerable to DoS attack through lack of data size check 1.7.9 1.12.0 -
axios GHSA-777c-7fjr-54vf HIGH Allocation of Resources Without Limits or Throttling in Axios 1.7.9 1.16.0 -
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.7.9 1.16.0 -
devalue CVE-2026-22775 HIGH devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse 5.1.1 - -
devalue GHSA-g2pg-6438-jwpf HIGH devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse 5.1.1 5.6.2 -
devalue CVE-2025-57820 HIGH Svelte devalue vulnerable to prototype pollution 5.1.1 - -
devalue GHSA-vj54-72f3-p5jv HIGH devalue prototype pollution vulnerability 5.1.1 5.3.2 -
fast-xml-parser GHSA-jmr7-xgp7-cmfj HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.5.3 4.5.4 -
fast-xml-parser GHSA-8gc5-j5rx-235r HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.5.3 5.5.6 -
fast-xml-parser CVE-2026-26278 HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.5.3 - -
fast-xml-parser CVE-2026-33036 HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.5.3 - -
flatted GHSA-rf6f-7fwh-wjgh HIGH Prototype Pollution via parse() in NodeJS flatted 3.3.3 3.4.2 -
flatted CVE-2026-33228 HIGH flatted: Prototype Pollution via parse() 3.3.3 - -
flatted GHSA-25h7-pfq9-p65f HIGH flatted vulnerable to unbounded recursion DoS in parse() revive phase 3.3.3 3.4.0 -
flatted CVE-2026-32141 HIGH flatted: Unbounded recursion DoS in parse() revive phase 3.3.3 - -
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.0 2.5.6 -
h3 GHSA-22cc-p3c6-wpvm HIGH h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields 1.15.1 2.0.1-rc.15 -
h3 CVE-2026-23527 HIGH Request Smuggling (TE.TE) in h3 v1 1.15.1 - -
h3 CVE-2026-33128 HIGH h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields 1.15.1 - -
h3 GHSA-mp2g-9vg9-f4cg HIGH h3 v1 has Request Smuggling (TE.TE) issue 1.15.1 1.15.5 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0 -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 10.2.3 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 - -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 10.2.1 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.2 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.2 4.0.4 -
protobufjs GHSA-jvwf-75h9-cwgg HIGH protobuf.js: Process-wide denial of service through unsafe option paths 7.4.0 7.5.6 -
protobufjs GHSA-wcpc-wj8m-hjx6 HIGH protobufjs: Denial of service through unbounded Any expansion during JSON conversion 7.4.0 7.6.1 -
protobufjs GHSA-685m-2w69-288q HIGH protobuf.js: Denial of service through unbounded protobuf recursion 7.4.0 7.5.6 -
protobufjs GHSA-75px-5xx7-5xc7 HIGH protobuf.js: Code generation gadget after prototype pollution 7.4.0 7.5.6 -
protobufjs GHSA-66ff-xgx4-vchm HIGH protobuf.js: Code injection through bytes field defaults in generated toObject code 7.4.0 7.5.6 -
tar CVE-2026-29786 HIGH node-tar: Hardlink Path Traversal via Drive-Relative Linkpath 7.4.3 - -
tar GHSA-34x7-hfp2-rc4v HIGH node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal 7.4.3 7.5.7 -
tar CVE-2026-23745 HIGH node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization 7.4.3 - -
tar GHSA-83g3-92jg-28cx HIGH Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction 7.4.3 7.5.8 -
tar CVE-2026-31802 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.4.3 - -
tar GHSA-9ppj-qmqm-q256 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.4.3 7.5.11 -
tar CVE-2026-24842 HIGH node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal 7.4.3 - -
tar GHSA-8qq5-rm4j-mr97 HIGH node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization 7.4.3 7.5.3 -
tar CVE-2026-23950 HIGH node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS 7.4.3 - -
tar GHSA-r6q2-hw4h-h46w HIGH Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS 7.4.3 7.5.4 -
tar CVE-2026-26960 HIGH node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction 7.4.3 - -
tar GHSA-qffp-2rhf-9h96 HIGH tar has Hardlink Path Traversal via Drive-Relative Linkpath 7.4.3 7.5.10 -
vite CVE-2025-31125 high This package is related to CVE CVE-2025-31125 which was detected by cisa.gov as actively being exploited in the wild 6.2.0 - -
vite GHSA-p9ff-h696-f583 HIGH Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket 6.2.0 8.0.5 -
vite GHSA-fx2h-pf6j-xcff HIGH vite: server.fs.deny bypass on Windows alternate paths 6.2.0 8.0.16 -
ℹ️ Other Vulnerabilities (81)

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Package CVE Severity Summary Unsafe Version Fixed In Case
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.7.9 1.15.1 -
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.7.9 1.15.1 -
axios GHSA-3p68-rc4w-qgx5 MODERATE Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF 1.7.9 1.15.0 -
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.7.9 1.15.1 -
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.7.9 1.15.1 -
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.7.9 1.15.2 -
axios GHSA-fvcv-3m26-pcqx MODERATE Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 1.7.9 1.15.0 -
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.7.9 1.15.1 -
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.7.9 1.16.0 -
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.7.9 1.15.1 -
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.7.9 1.15.1 -
devalue GHSA-cfw5-2vxh-hr84 MODERATE devalue has prototype pollution in devalue.parse and devalue.unflatten 5.1.1 5.6.4 -
devalue CVE-2026-30226 MODERATE devalue has prototype pollution in devalue.parse and devalue.unflatten 5.1.1 - -
dompurify GHSA-hpcv-96wg-7vj8 MODERATE DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound instanceof checks 3.2.4 3.4.6 -
dompurify CVE-2025-15599 MODERATE - 3.2.4 - -
dompurify GHSA-v9jr-rg53-9pgp MODERATE DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback 3.2.4 3.4.0 -
dompurify GHSA-h8r8-wccr-v5f2 MODERATE DOMPurify is vulnerable to mutation-XSS via Re-Contextualization 3.2.4 3.3.2 -
dompurify GHSA-v2wj-7wpq-c8vv MODERATE DOMPurify contains a Cross-site Scripting vulnerability 3.2.4 3.3.2 -
dompurify GHSA-crv5-9vww-q3g8 MODERATE DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode 3.2.4 3.4.0 -
dompurify GHSA-76mc-f452-cxcm MODERATE DOMPurify: Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULT_ALLOWED_TAGS / DEFAULT_ALLOWED_ATTR 3.2.4 3.4.7 -
dompurify GHSA-r47g-fvhr-h676 MODERATE DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM 3.2.4 3.4.6 -
dompurify GHSA-cj63-jhhr-wcxv MODERATE DOMPurify USE_PROFILES prototype pollution allows event handlers 3.2.4 3.3.2 -
dompurify CVE-2026-0540 MODERATE - 3.2.4 - -
dompurify GHSA-cjmm-f4jc-qw8r MODERATE DOMPurify ADD_ATTR predicate skips URI validation 3.2.4 3.3.2 -
dompurify GHSA-cmwh-pvxp-8882 MODERATE DOMPurify: Permanent ALLOWED_ATTR pollution via setConfig() bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch) 3.2.4 3.4.11 -
dompurify GHSA-rp9w-3fw7-7cwq MODERATE DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside .content 3.2.4 3.4.7 - dompurify GHSA-v8jm-5vwx-cfxm MODERATE DOMPurify contains a Cross-site Scripting vulnerability 3.2.4 3.2.7 - dompurify GHSA-h7mw-gpvr-xq4m MODERATE DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) 3.2.4 3.4.0 - dompurify GHSA-39q2-94rc-95cp MODERATE DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation 3.2.4 3.4.0 - fast-xml-parser CVE-2026-33349 MODERATE fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation 4.5.3 - - fast-xml-parser GHSA-jp2q-39xq-3w4g MODERATE Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser 4.5.3 4.5.5 - fast-xml-parser GHSA-gh4j-gqv2-49f6 MODERATE fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters 4.5.3 5.7.0 - h3 GHSA-4hxc-9384-m385 MODERATE h3: SSE Event Injection via Unsanitized Carriage Return (\r) in EventStream Data and Comment Fields (Bypass of CVE Fix) 1.15.1 2.0.1-rc.17 - h3 GHSA-wr4h-v87w-p3r7 MODERATE h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read 1.15.1 2.0.1-rc.15 - h3 GHSA-72gr-qfp7-vwhw MODERATE h3: Double Decoding in serveStatic Bypasses resolveDotSegments Path Traversal Protection via %252e%252e 1.15.1 1.15.9 - lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0 - lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23 - lodash CVE-2025-13465 MODERATE - 4.17.21 - - mermaid GHSA-ghcm-xqfw-q4vr MODERATE Mermaid: Improper sanitization of classDef in state diagrams leads to HTML injection 11.4.1 11.15.0 - mermaid GHSA-87f9-hvmw-gh4p MODERATE Mermaid: Improper sanitization of configuration leads to CSS injection 11.4.1 11.15.0 - mermaid GHSA-xcj9-5m2h-648r MODERATE Mermaid: Improper sanitization of classDefs in diagrams leads to CSS injection 11.4.1 11.15.0 - mermaid CVE-2025-54881 MODERATE Mermaid improperly sanitizes of sequence diagram labels leading to XSS 11.4.1 - - mermaid GHSA-8gwm-58g9-j8pw MODERATE Mermaid does not properly sanitize architecture diagram iconText leading to XSS 11.4.1 11.10.0 - mermaid CVE-2025-54880 MODERATE Mermaid does not properly sanitize architecture diagram iconText leading to XSS 11.4.1 - - mermaid GHSA-7rqq-prvp-x9jh MODERATE Mermaid improperly sanitizes sequence diagram labels leading to XSS 11.4.1 11.10.0 - mermaid GHSA-6m6c-36f7-fhxh MODERATE Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS 11.4.1 11.15.0 - picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.2 - - picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.2 4.0.4 - protobufjs GHSA-jggg-4jg4-v7c6 MODERATE protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion 7.4.0 7.5.8 - protobufjs GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 7.4.0 7.5.6 - protobufjs GHSA-fx83-v9x8-x52w MODERATE protobuf.js: Prototype injection in generated message constructors 7.4.0 7.5.6 - protobufjs GHSA-f38q-mgvj-vph7 MODERATE protobufjs : Schema-derived names can shadow runtime-significant properties 7.4.0 7.6.3 - protobufjs GHSA-2pr8-phx7-x9h3 MODERATE protobuf.js: Denial of service from crafted field names in generated code 7.4.0 7.5.6 - tar GHSA-vmf3-w455-68vh MODERATE node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) 7.4.3 7.5.16 - vite CVE-2025-62522 MODERATE vite allows server.fs.deny bypass via backslash on Windows 6.2.0 - - vite GHSA-4w7w-66w2-5vf9 MODERATE Vite Vulnerable to Path Traversal in Optimized Deps .map Handling 6.2.0 8.0.5 - vite CVE-2025-32395 MODERATE Vite has an server.fs.deny bypass with an invalid request-target 6.2.0 - - vite GHSA-x574-m823-4x7w MODERATE Vite bypasses server.fs.deny when using ?raw?? 6.2.0 6.2.3 - vite CVE-2025-30208 MODERATE Vite bypasses server.fs.deny when using ?raw?? 6.2.0 - - vite CVE-2025-31125 MODERATE Vite has a server.fs.deny bypassed for inline and raw with ?import query 6.2.0 - - vite GHSA-859w-5945-r5v3 MODERATE Vite's server.fs.deny bypassed with /. for files under project root 6.2.0 6.3.4 - vite GHSA-356w-63v5-8wf4 MODERATE Vite has an server.fs.deny bypass with an invalid request-target 6.2.0 6.2.6 - vite GHSA-4r4m-qw57-chr8 MODERATE Vite has a server.fs.deny bypassed for inline and raw with ?import query 6.2.0 6.2.4 - vite GHSA-93m4-6634-74q7 MODERATE vite allows server.fs.deny bypass via backslash on Windows 6.2.0 7.1.11 - vite CVE-2025-46565 MODERATE Vite's server.fs.deny bypassed with /. for files under project root 6.2.0 - - vite GHSA-v6wh-96g9-6wx3 MODERATE launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows 6.2.0 8.0.16 - vite GHSA-xcj6-pq6g-qj4x MODERATE Vite allows server.fs.deny to be bypassed with .svg or relative paths 6.2.0 6.2.5 - vite CVE-2025-31486 MODERATE Vite allows server.fs.deny to be bypassed with .svg or relative paths 6.2.0 - - axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.7.9 1.15.1 - devalue GHSA-mwv9-gp5h-frr4 LOW Sveltejs devalue's devalue.parse and devalue.unflatten emit objects with __proto__ own properties 5.1.1 5.6.4 - devalue GHSA-33hq-fvwr-56pm LOW devalue affected by CPU and memory amplification from sparse arrays 5.1.1 5.6.3 - devalue GHSA-8qm3-746x-r74r LOW devalue unevaled code can create objects with polluted prototypes when evaled 5.1.1 5.6.3 - dompurify GHSA-x4vx-rjvf-j5p4 LOW DOMPurify: IN_PLACE mode trusts attacker-controlled nodeName on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects 3.2.4 - - dompurify GHSA-gvmj-g25r-r7wr LOW DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside content when using DOM output modes 3.2.4 3.4.8 - dompurify GHSA-vxr8-fq34-vvx9 LOW DOMPurify: Trusted Types policy survives clearConfig() and can poison later RETURN_TRUSTED_TYPE output 3.2.4 3.4.9 - fast-xml-parser CVE-2026-27942 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.5.3 - - fast-xml-parser GHSA-fj3w-jwp8-x2g3 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.5.3 5.3.8 - vite CVE-2025-58752 LOW Vite's server.fs settings were not applied to HTML files 6.2.0 - - vite GHSA-jqfw-vq24-v9c3 LOW Vite's server.fs settings were not applied to HTML files 6.2.0 7.1.5 - vite CVE-2025-58751 LOW Vite middleware may serve files starting with the same name with the public directory 6.2.0 - - vite GHSA-g4jq-h2w9-997c LOW Vite middleware may serve files starting with the same name with the public directory 6.2.0 7.1.5 -

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants