Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 5 · patch: 10) #21

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
trunkfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783415391
Open

fix(deps): vuln minor upgrades — 15 packages (minor: 5 · patch: 10) #21
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
trunkfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783415391

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
form-data 4.0.0 4.0.6 patch Transitive 2 CRITICAL, 1 HIGH
@babel/traverse 7.18.2 7.29.7 minor Transitive 2 CRITICAL
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
flatted 3.2.5 3.4.2 minor Transitive 4 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
path-to-regexp 6.2.2 6.3.0 minor Transitive 2 HIGH
braces 3.0.2 3.0.3 patch Transitive 2 HIGH
cross-spawn 7.0.3 7.0.6 patch Transitive 2 HIGH
json5 2.2.1 2.2.3 patch Transitive 2 HIGH
semver 6.3.0 6.3.1 patch Transitive 2 HIGH
js-yaml 3.14.1 3.14.2 patch Transitive 3 MEDIUM
@babel/helpers 7.18.2 7.29.7 minor Transitive 2 MEDIUM
ajv 6.12.6 6.15.0 minor Transitive 2 MEDIUM
brace-expansion 1.1.11 1.1.15 patch Transitive 2 MEDIUM, 2 LOW
micromatch 4.0.5 4.0.8 patch Transitive 2 MEDIUM

Security Details

🚨 Critical & High Severity (27 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
@babel/traverse GHSA-67hx-6x53-jw92 CRITICAL Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code 7.18.2 7.23.2 -
@babel/traverse CVE-2023-45133 CRITICAL Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code 7.18.2 - -
form-data CVE-2025-7783 CRITICAL - 4.0.0 - -
form-data GHSA-fjxv-7rqg-78g4 CRITICAL form-data uses unsafe random function in form-data for choosing boundary 4.0.0 2.5.4 -
braces CVE-2024-4068 HIGH - 3.0.2 - -
braces GHSA-grv7-fg5c-xmjg HIGH Uncontrolled resource consumption in braces 3.0.2 3.0.3 -
cross-spawn GHSA-3xgq-45jj-v275 HIGH Regular Expression Denial of Service (ReDoS) in cross-spawn 7.0.3 7.0.5 -
cross-spawn CVE-2024-21538 HIGH - 7.0.3 - -
flatted GHSA-rf6f-7fwh-wjgh HIGH Prototype Pollution via parse() in NodeJS flatted 3.2.5 3.4.2 -
flatted CVE-2026-32141 HIGH flatted: Unbounded recursion DoS in parse() revive phase 3.2.5 - -
flatted GHSA-25h7-pfq9-p65f HIGH flatted vulnerable to unbounded recursion DoS in parse() revive phase 3.2.5 3.4.0 -
flatted CVE-2026-33228 HIGH flatted: Prototype Pollution via parse() 3.2.5 - -
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.0 2.5.6 -
json5 GHSA-9c47-m6qq-7p4h HIGH Prototype Pollution in JSON5 via Parse Method 2.2.1 2.2.2 -
json5 CVE-2022-46175 HIGH - 2.2.1 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 - -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1 -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 - -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3 -
path-to-regexp CVE-2024-45296 HIGH path-to-regexp outputs backtracking regular expressions 6.2.2 - -
path-to-regexp GHSA-9wv6-86v2-598j HIGH path-to-regexp outputs backtracking regular expressions 6.2.2 1.9.0 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4 -
semver GHSA-c2qf-rxjj-qqgw HIGH semver vulnerable to Regular Expression Denial of Service 6.3.0 7.5.2 -
semver CVE-2022-25883 HIGH - 6.3.0 - -
ℹ️ Other Vulnerabilities (15)
Package CVE Severity Summary Unsafe Version Fixed In Case
@babel/helpers GHSA-968p-4wvh-cqc8 MODERATE Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups 7.18.2 7.26.10 -
@babel/helpers CVE-2025-27789 MODERATE Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups 7.18.2 - -
ajv CVE-2025-69873 MODERATE - 6.12.6 - -
ajv GHSA-2g4f-4pwh-qvx6 MODERATE ajv has ReDoS when using $data option 6.12.6 8.18.0 -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 5.0.5 -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 - -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 - -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 3.14.1 4.2.0 -
micromatch CVE-2024-4067 MODERATE - 4.0.5 - -
micromatch GHSA-952p-6rrq-rcjv MODERATE Regular Expression Denial of Service (ReDoS) in micromatch 4.0.5 4.0.8 -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 - -
brace-expansion CVE-2025-5889 LOW - 1.1.11 - -
brace-expansion GHSA-v6h2-p8h4-qcjw LOW brace-expansion Regular Expression Denial of Service vulnerability 1.1.11 2.0.2 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants