Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 9 · patch: 6) [src/shared-infra]#669

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/shared-infra/1-1783348444
Draft

fix(deps): vuln minor upgrades — 15 packages (minor: 9 · patch: 6) [src/shared-infra]#669
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/shared-infra/1-1783348444

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • src/shared-infra (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
handlebars 4.7.8 4.7.9 patch Transitive 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW
fast-xml-parser 4.4.1 4.5.7 minor Transitive 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW
basic-ftp 5.0.5 5.3.1 minor Transitive 2 CRITICAL, 3 HIGH
simple-git 3.16.0 3.36.0 minor Transitive 2 CRITICAL, 2 HIGH
form-data 2.5.2 2.5.6 patch Transitive 2 CRITICAL, 1 HIGH
protobufjs 7.4.0 7.6.5 minor Transitive 1 CRITICAL, 5 HIGH, 5 MEDIUM
shell-quote 1.8.2 1.8.4 patch Transitive 1 CRITICAL
axios 1.13.2 1.18.1 minor Direct 13 HIGH, 11 MEDIUM, 1 LOW
undici 6.21.1 6.27.0 minor Transitive 7 HIGH, 7 MEDIUM, 4 LOW
minimatch 9.0.5 9.0.9 patch Transitive 6 HIGH
flatted 3.3.2 3.4.2 minor Transitive 4 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
underscore 1.13.7 1.13.8 patch Transitive 2 HIGH
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
aws-cdk-lib 2.178.1 2.261.0 minor Direct 1 HIGH, 1 MEDIUM, 2 LOW

Security Details

🚨 Critical & High Severity (71 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
basic-ftp GHSA-5rq4-664w-9x2c CRITICAL Basic FTP has Path Traversal Vulnerability in its downloadToDir() method 5.0.5 5.2.0 -
basic-ftp CVE-2026-27699 CRITICAL Basic FTP has Path Traversal Vulnerability in its downloadToDir() method 5.0.5 - -
fast-xml-parser CVE-2026-25896 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 - -
fast-xml-parser GHSA-m7jm-9gc2-mpf2 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 5.3.5 -
form-data CVE-2025-7783 CRITICAL - 2.5.2 - -
form-data GHSA-fjxv-7rqg-78g4 CRITICAL form-data uses unsafe random function in form-data for choosing boundary 2.5.2 2.5.4 -
handlebars CVE-2026-33937 CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 - -
handlebars GHSA-2w6w-674q-4c4q CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 4.7.9 -
protobufjs GHSA-xq3m-2v4x-88gg CRITICAL Arbitrary code execution in protobufjs 7.4.0 8.0.1 -
shell-quote GHSA-w7jw-789q-3m8p CRITICAL shell-quote quote() does not escape newlines in object .op values 1.8.2 1.8.4 -
simple-git GHSA-r275-fr43-pm7q CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 3.32.3 -
simple-git CVE-2026-28292 CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 - -
aws-cdk-lib GHSA-999r-qq7v-r334 HIGH aws-cdk-lib: OS Command Injection in NodejsFunction Bundling 2.178.1 2.246.0 -
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.13.2 1.16.0 -
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.13.2 1.15.2 -
axios GHSA-777c-7fjr-54vf HIGH Allocation of Resources Without Limits or Throttling in Axios 1.13.2 1.16.0 -
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.13.2 1.16.0 -
axios GHSA-43fc-jf86-j433 HIGH Axios is Vulnerable to Denial of Service via proto Key in mergeConfig 1.13.2 1.13.5 -
axios CVE-2026-25639 HIGH Axios affected by Denial of Service via proto Key in mergeConfig 1.13.2 - -
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.13.2 1.16.0 -
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.13.2 1.15.1 -
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.13.2 1.16.0 -
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.13.2 1.15.1 -
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.13.2 1.15.1 -
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.13.2 1.15.2 -
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.13.2 1.16.0 -
basic-ftp GHSA-rpmf-866q-6p89 HIGH basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering 5.0.5 5.3.1 -
basic-ftp GHSA-6v7q-wjvx-w8wg HIGH basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands 5.0.5 5.2.2 -
basic-ftp GHSA-rp42-5vxx-qpwr HIGH basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() 5.0.5 5.3.0 -
fast-xml-parser GHSA-8gc5-j5rx-235r HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 5.5.6 -
fast-xml-parser CVE-2026-26278 HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 - -
fast-xml-parser GHSA-jmr7-xgp7-cmfj HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 4.5.4 -
fast-xml-parser CVE-2026-33036 HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 - -
flatted GHSA-rf6f-7fwh-wjgh HIGH Prototype Pollution via parse() in NodeJS flatted 3.3.2 3.4.2 -
flatted CVE-2026-33228 HIGH flatted: Prototype Pollution via parse() 3.3.2 - -
flatted CVE-2026-32141 HIGH flatted: Unbounded recursion DoS in parse() revive phase 3.3.2 - -
flatted GHSA-25h7-pfq9-p65f HIGH flatted vulnerable to unbounded recursion DoS in parse() revive phase 3.3.2 3.4.0 -
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 2.5.2 2.5.6 -
handlebars CVE-2026-33940 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 - -
handlebars CVE-2026-33941 HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 - -
handlebars GHSA-xhpv-hc6g-r9c6 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 4.7.9 -
handlebars GHSA-xjpj-3mr7-gcpf HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 4.7.9 -
handlebars CVE-2026-33939 HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 - -
handlebars GHSA-9cx6-37pm-9jff HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 4.7.9 -
handlebars GHSA-3mfm-83xf-c92r HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 4.7.9 -
handlebars CVE-2026-33938 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 - -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0 -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 - -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 - -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 10.2.1 -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 10.2.3 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4 -
protobufjs GHSA-66ff-xgx4-vchm HIGH protobuf.js: Code injection through bytes field defaults in generated toObject code 7.4.0 7.5.6 -
protobufjs GHSA-75px-5xx7-5xc7 HIGH protobuf.js: Code generation gadget after prototype pollution 7.4.0 7.5.6 -
protobufjs GHSA-jvwf-75h9-cwgg HIGH protobuf.js: Process-wide denial of service through unsafe option paths 7.4.0 7.5.6 -
protobufjs GHSA-685m-2w69-288q HIGH protobuf.js: Denial of service through unbounded protobuf recursion 7.4.0 7.5.6 -
protobufjs GHSA-wcpc-wj8m-hjx6 HIGH protobufjs: Denial of service through unbounded Any expansion during JSON conversion 7.4.0 7.6.1 -
simple-git GHSA-hffm-xvc3-vprc HIGH simple-git is vulnerable to Remote Code Execution 3.16.0 3.36.0 -
simple-git GHSA-jcxm-m3jx-f287 HIGH simple-git Affected by Command Execution via Option-Parsing Bypass 3.16.0 3.32.0 -
underscore CVE-2026-27601 HIGH Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack 1.13.7 - -
underscore GHSA-qpx9-hpmf-5gmw HIGH Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack 1.13.7 1.13.8 -
undici CVE-2026-1528 HIGH - 6.21.1 - -
undici GHSA-f269-vfmq-vjvj HIGH Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client 6.21.1 6.24.0 -
undici GHSA-vxpw-j846-p89q HIGH undici WebSocket client vulnerable to denial of service via fragment count bypass 6.21.1 6.27.0 -
undici CVE-2026-2229 HIGH - 6.21.1 - -
undici GHSA-v9p9-hfj2-hcw8 HIGH Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation 6.21.1 6.24.0 -
undici CVE-2026-1526 HIGH - 6.21.1 - -
undici GHSA-vrm6-8vpv-qv8q HIGH Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression 6.21.1 6.24.0 -
ℹ️ Other Vulnerabilities (45)
Package CVE Severity Summary Unsafe Version Fixed In Case
aws-cdk-lib GHSA-qq4x-c6h6-rfxh MODERATE aws-cdk-lib has Insertion of Sensitive Information into Log File vulnerability when using Cognito UserPoolClient Construct 2.178.1 2.187.0 -
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.13.2 1.15.1 -
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.13.2 1.15.1 -
axios GHSA-fvcv-3m26-pcqx MODERATE Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 1.13.2 1.15.0 -
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.13.2 1.15.1 -
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.13.2 1.15.2 -
axios GHSA-3p68-rc4w-qgx5 MODERATE Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF 1.13.2 1.15.0 -
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.13.2 1.15.1 -
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.13.2 1.15.1 -
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.13.2 1.15.1 -
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.13.2 1.15.1 -
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.13.2 1.16.0 -
fast-xml-parser GHSA-jp2q-39xq-3w4g MODERATE Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser 4.4.1 4.5.5 -
fast-xml-parser CVE-2026-33349 MODERATE fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation 4.4.1 - -
fast-xml-parser GHSA-gh4j-gqv2-49f6 MODERATE fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters 4.4.1 5.7.0 -
handlebars GHSA-7rx3-28cr-v5wh MODERATE Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry 4.7.8 4.7.9 -
handlebars GHSA-2qvq-rjwj-gvw9 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 4.7.9 -
handlebars CVE-2026-33916 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 - -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23 -
lodash CVE-2025-13465 MODERATE - 4.17.21 - -
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 - -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4 -
protobufjs GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 7.4.0 7.5.6 -
protobufjs GHSA-fx83-v9x8-x52w MODERATE protobuf.js: Prototype injection in generated message constructors 7.4.0 7.5.6 -
protobufjs GHSA-jggg-4jg4-v7c6 MODERATE protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion 7.4.0 7.5.8 -
protobufjs GHSA-f38q-mgvj-vph7 MODERATE protobufjs : Schema-derived names can shadow runtime-significant properties 7.4.0 7.6.3 -
protobufjs GHSA-2pr8-phx7-x9h3 MODERATE protobuf.js: Denial of service from crafted field names in generated code 7.4.0 7.5.6 -
undici GHSA-4992-7rv2-5pvq MODERATE Undici has CRLF Injection in undici via upgrade option 6.21.1 6.24.0 -
undici CVE-2026-22036 MODERATE Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion 6.21.1 - -
undici CVE-2026-1525 MODERATE - 6.21.1 - -
undici GHSA-2mjp-6q6p-2qxm MODERATE Undici has an HTTP Request/Response Smuggling issue 6.21.1 6.24.0 -
undici GHSA-p88m-4jfj-68fv MODERATE undici vulnerable to HTTP header injection via Set-Cookie percent-decoding 6.21.1 6.27.0 -
undici CVE-2026-1527 MODERATE - 6.21.1 - -
undici GHSA-g9mf-h72j-4rw9 MODERATE Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion 6.21.1 7.18.2 -
aws-cdk-lib GHSA-5pq3-h73f-66hr LOW AWS CDK CodePipeline: trusted entities are too broad 2.178.1 2.189.0 -
aws-cdk-lib GHSA-qc59-cxj2-c2w4 LOW aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role 2.178.1 2.189.1 -
axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.13.2 1.15.1 -
fast-xml-parser GHSA-fj3w-jwp8-x2g3 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 5.3.8 -
fast-xml-parser CVE-2026-27942 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 - -
handlebars GHSA-442j-39wm-28r2 LOW Handlebars.js has a Property Access Validation Bypass in container.lookup 4.7.8 4.7.9 -
undici GHSA-g8m3-5g58-fq7m LOW undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching 6.21.1 6.27.0 -
undici GHSA-cxrh-j4jr-qwg3 LOW undici Denial of Service attack via bad certificate data 6.21.1 5.29.0 -
undici CVE-2025-47279 LOW undici Denial of Service attack via bad certificate data 6.21.1 - -
undici GHSA-35p6-xmwp-9g52 LOW undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse 6.21.1 6.27.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants