Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 10 · patch: 5) [src/loyalty-point-service]#667

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/loyalty-point-service/4-1783348445
Draft

fix(deps): vuln minor upgrades — 15 packages (minor: 10 · patch: 5) [src/loyalty-point-service]#667
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/loyalty-point-service/4-1783348445

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • src/loyalty-point-service (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
handlebars 4.7.8 4.7.9 patch Transitive 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW
fast-xml-parser 4.4.1 4.5.7 minor Transitive 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW
simple-git 3.16.0 3.36.0 minor Transitive 2 CRITICAL, 2 HIGH
axios 1.13.6 1.18.1 minor Direct 11 HIGH, 11 MEDIUM, 1 LOW
undici 6.23.0 6.27.0 minor Transitive 7 HIGH, 5 MEDIUM, 2 LOW
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
basic-ftp 5.2.0 5.3.1 minor Transitive 4 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
effect 3.19.19 3.21.4 minor Transitive 2 HIGH
fast-uri 3.0.6 3.1.3 minor Transitive 2 HIGH
lodash 4.17.23 4.18.1 minor Transitive 1 HIGH, 1 MEDIUM
ws 8.19.0 8.21.0 minor Transitive 1 HIGH, 1 MEDIUM
aws-cdk-lib 2.241.0 2.261.0 minor Direct 1 HIGH
brace-expansion 5.0.3 5.0.7 patch Transitive 3 MEDIUM
yaml 1.10.2 1.10.3 patch Transitive 2 MEDIUM

Security Details

🚨 Critical & High Severity (57 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
fast-xml-parser CVE-2026-25896 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 - -
fast-xml-parser GHSA-m7jm-9gc2-mpf2 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 5.3.5 -
handlebars GHSA-2w6w-674q-4c4q CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 4.7.9 -
handlebars CVE-2026-33937 CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 - -
simple-git CVE-2026-28292 CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 - -
simple-git GHSA-r275-fr43-pm7q CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 3.32.3 -
aws-cdk-lib GHSA-999r-qq7v-r334 HIGH aws-cdk-lib: OS Command Injection in NodejsFunction Bundling 2.241.0 2.246.0 -
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.13.6 1.16.0 -
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.13.6 1.15.1 -
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.13.6 1.15.2 -
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.13.6 1.16.0 -
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.13.6 1.15.2 -
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.13.6 1.15.1 -
axios GHSA-777c-7fjr-54vf HIGH Allocation of Resources Without Limits or Throttling in Axios 1.13.6 1.16.0 -
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.13.6 1.16.0 -
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.13.6 1.16.0 -
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.13.6 1.15.1 -
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.13.6 1.16.0 -
basic-ftp GHSA-rpmf-866q-6p89 HIGH basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering 5.2.0 5.3.1 -
basic-ftp GHSA-chqc-8p9q-pq6q HIGH basic-ftp has FTP Command Injection via CRLF 5.2.0 5.2.1 -
basic-ftp GHSA-rp42-5vxx-qpwr HIGH basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() 5.2.0 5.3.0 -
basic-ftp GHSA-6v7q-wjvx-w8wg HIGH basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands 5.2.0 5.2.2 -
effect GHSA-38f7-945m-qr2g HIGH Effect AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC 3.19.19 3.20.0 -
effect CVE-2026-32887 HIGH Effect Bug: AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC 3.19.19 - -
fast-uri GHSA-q3j6-qgpj-74h6 HIGH fast-uri vulnerable to path traversal via percent-encoded dot segments 3.0.6 3.1.1 -
fast-uri GHSA-v39h-62p7-jpjc HIGH fast-uri vulnerable to host confusion via percent-encoded authority delimiters 3.0.6 3.1.2 -
fast-xml-parser CVE-2026-26278 HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 - -
fast-xml-parser GHSA-jmr7-xgp7-cmfj HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 4.5.4 -
fast-xml-parser GHSA-8gc5-j5rx-235r HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 5.5.6 -
fast-xml-parser CVE-2026-33036 HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 - -
handlebars CVE-2026-33941 HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 - -
handlebars CVE-2026-33939 HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 - -
handlebars GHSA-9cx6-37pm-9jff HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 4.7.9 -
handlebars GHSA-xjpj-3mr7-gcpf HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 4.7.9 -
handlebars CVE-2026-33938 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 - -
handlebars GHSA-3mfm-83xf-c92r HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 4.7.9 -
handlebars CVE-2026-33940 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 - -
handlebars GHSA-xhpv-hc6g-r9c6 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 4.7.9 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.23 4.18.0 -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3 -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 - -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4 -
simple-git GHSA-jcxm-m3jx-f287 HIGH simple-git Affected by Command Execution via Option-Parsing Bypass 3.16.0 3.32.0 -
simple-git GHSA-hffm-xvc3-vprc HIGH simple-git is vulnerable to Remote Code Execution 3.16.0 3.36.0 -
undici GHSA-vrm6-8vpv-qv8q HIGH Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression 6.23.0 6.24.0 -
undici CVE-2026-1528 HIGH - 6.23.0 - -
undici GHSA-vxpw-j846-p89q HIGH undici WebSocket client vulnerable to denial of service via fragment count bypass 6.23.0 6.27.0 -
undici GHSA-f269-vfmq-vjvj HIGH Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client 6.23.0 6.24.0 -
undici CVE-2026-1526 HIGH - 6.23.0 - -
undici GHSA-v9p9-hfj2-hcw8 HIGH Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation 6.23.0 6.24.0 -
undici CVE-2026-2229 HIGH - 6.23.0 - -
ws GHSA-96hv-2xvq-fx4p HIGH ws: Memory exhaustion DoS from tiny fragments and data chunks 8.19.0 5.2.5 -
ℹ️ Other Vulnerabilities (37)
Package CVE Severity Summary Unsafe Version Fixed In Case
axios GHSA-fvcv-3m26-pcqx MODERATE Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 1.13.6 1.15.0 -
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.13.6 1.15.1 -
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.13.6 1.15.1 -
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.13.6 1.16.0 -
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.13.6 1.15.1 -
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.13.6 1.15.1 -
axios GHSA-3p68-rc4w-qgx5 MODERATE Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF 1.13.6 1.15.0 -
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.13.6 1.15.1 -
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.13.6 1.15.1 -
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.13.6 1.15.2 -
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.13.6 1.15.1 -
brace-expansion GHSA-jxxr-4gwj-5jf2 MODERATE brace-expansion: Large numeric range defeats documented max DoS protection 5.0.3 5.0.6 -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 5.0.5 -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 - -
fast-xml-parser GHSA-gh4j-gqv2-49f6 MODERATE fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters 4.4.1 5.7.0 -
fast-xml-parser CVE-2026-33349 MODERATE fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation 4.4.1 - -
fast-xml-parser GHSA-jp2q-39xq-3w4g MODERATE Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser 4.4.1 4.5.5 -
handlebars GHSA-7rx3-28cr-v5wh MODERATE Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry 4.7.8 4.7.9 -
handlebars CVE-2026-33916 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 - -
handlebars GHSA-2qvq-rjwj-gvw9 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 4.7.9 -
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.23 4.18.0 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 - -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4 -
undici CVE-2026-1527 MODERATE - 6.23.0 - -
undici GHSA-p88m-4jfj-68fv MODERATE undici vulnerable to HTTP header injection via Set-Cookie percent-decoding 6.23.0 6.27.0 -
undici CVE-2026-1525 MODERATE - 6.23.0 - -
undici GHSA-4992-7rv2-5pvq MODERATE Undici has CRLF Injection in undici via upgrade option 6.23.0 6.24.0 -
undici GHSA-2mjp-6q6p-2qxm MODERATE Undici has an HTTP Request/Response Smuggling issue 6.23.0 6.24.0 -
ws GHSA-58qx-3vcg-4xpx MODERATE ws: Uninitialized memory disclosure 8.19.0 8.20.1 -
yaml GHSA-48c2-rrv3-qjmp MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 2.8.3 -
yaml CVE-2026-33532 MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 - -
axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.13.6 1.15.1 -
fast-xml-parser GHSA-fj3w-jwp8-x2g3 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 5.3.8 -
fast-xml-parser CVE-2026-27942 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 - -
handlebars GHSA-442j-39wm-28r2 LOW Handlebars.js has a Property Access Validation Bypass in container.lookup 4.7.8 4.7.9 -
undici GHSA-35p6-xmwp-9g52 LOW undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse 6.23.0 6.27.0 -
undici GHSA-g8m3-5g58-fq7m LOW undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching 6.23.0 6.27.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants