Skip to content

fix(deps): vuln minor upgrades — 14 packages (minor: 6 · patch: 8) #794

Merged
joeyzhao2018 merged 2 commits into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783352940
Jul 14, 2026
Merged

fix(deps): vuln minor upgrades — 14 packages (minor: 6 · patch: 8) #794
joeyzhao2018 merged 2 commits into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783352940

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
fast-xml-parser 4.4.1 4.5.7 minor Transitive 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
form-data 3.0.4 3.0.5 patch Transitive 1 HIGH
ws 7.5.10 7.5.11 patch Transitive 1 HIGH
js-yaml 3.14.1 3.14.2 patch Transitive 3 MEDIUM
@babel/helpers 7.25.9 7.29.7 minor Transitive 2 MEDIUM
brace-expansion 1.1.11 1.1.15 patch Transitive 2 MEDIUM, 2 LOW
uuid 8.0.0 8.3.2 minor Transitive 1 MEDIUM
@babel/core 7.25.9 7.29.7 minor Transitive 1 LOW
aws-sdk 2.1691.0 2.1693.0 minor Transitive 1 LOW
@smithy/config-resolver 3.0.10 3.0.13 patch Transitive 1 LOW
diff 4.0.2 4.0.4 patch Transitive 2 LOW

Security Details

🚨 Critical & High Severity (17 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
fast-xml-parser CVE-2026-25896 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 - -
fast-xml-parser GHSA-m7jm-9gc2-mpf2 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 5.3.5 -
fast-xml-parser GHSA-8gc5-j5rx-235r HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 5.5.6 -
fast-xml-parser CVE-2026-26278 HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 - -
fast-xml-parser GHSA-jmr7-xgp7-cmfj HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 4.5.4 -
fast-xml-parser CVE-2026-33036 HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 - -
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 3.0.4 2.5.6 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0 -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1 -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 - -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4 -
ws GHSA-96hv-2xvq-fx4p HIGH ws: Memory exhaustion DoS from tiny fragments and data chunks 7.5.10 5.2.5 -
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In Case
@babel/helpers GHSA-968p-4wvh-cqc8 MODERATE Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups 7.25.9 7.26.10 -
@babel/helpers CVE-2025-27789 MODERATE Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups 7.25.9 - -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 - -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 5.0.5 -
fast-xml-parser GHSA-jp2q-39xq-3w4g MODERATE Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser 4.4.1 4.5.5 -
fast-xml-parser CVE-2026-33349 MODERATE fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation 4.4.1 - -
fast-xml-parser GHSA-gh4j-gqv2-49f6 MODERATE fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters 4.4.1 5.7.0 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 3.14.1 4.2.0 -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 - -
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0 -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23 -
lodash CVE-2025-13465 MODERATE - 4.17.21 - -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 - -
uuid GHSA-w5hq-g745-h8pq MODERATE uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided 8.0.0 11.1.1 -
@babel/core GHSA-4x5r-pxfx-6jf8 LOW @babel/core: Arbitrary File Read via sourceMappingURL Comment 7.25.9 8.0.0-rc.6 -
@smithy/config-resolver GHSA-6475-r3vj-m8vf LOW AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value 3.0.10 4.4.0 -
aws-sdk GHSA-j965-2qgj-vjmq LOW JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 2.1691.0 - -
brace-expansion GHSA-v6h2-p8h4-qcjw LOW brace-expansion Regular Expression Denial of Service vulnerability 1.1.11 2.0.2 -
brace-expansion CVE-2025-5889 LOW - 1.1.11 - -
diff CVE-2026-24001 LOW jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch 4.0.2 - -
diff GHSA-73rr-hh4g-fpgx LOW jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch 4.0.2 8.0.3 -
fast-xml-parser CVE-2026-27942 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 - -
fast-xml-parser GHSA-fj3w-jwp8-x2g3 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 5.3.8 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-5

This comment has been minimized.

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor Author

Auto-rebase failed

Lockfile regeneration failed during rebase onto main. Your branch was not updated. You may need to rebase and regenerate lockfiles manually.

Error details

child workflow execution error (type: engraver.Engraver_AllManagersWorkflow, workflowID: 019f6219-ae40-7d6f-b337-e3edc0528ae0_71, runID: 019f6219-c8bb-70b2-9678-7d3067b87f75, initiatedEventID: 71, startedEventID: 72): custom action(s) failed and produced no changes: [registry.ddbuild.io/images/engraver-custom-action:update-yarn-lockfile]


Auto-Rebase · Add no-auto-rebase to opt out

@joeyzhao2018 joeyzhao2018 marked this pull request as ready for review July 14, 2026 21:10
@joeyzhao2018 joeyzhao2018 requested review from a team as code owners July 14, 2026 21:10

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2057666048

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package.json
"resolutions": {
"fast-xml-parser": "^4.5.7",
"uuid": "^8.3.2",
"js-yaml": "^3.14.2"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep js-yaml 4.x consumers out of the 3.x override

Yarn Classic resolutions are global overrides, and its docs note they warn when a resolution is incompatible with the original range; this unqualified js-yaml override now collapses @datadog/wasm-js-rewriter@5.0.1's js-yaml "^4.1.0" dependency to js-yaml@3.15.0 in yarn.lock (js-yaml@^3.13.1, js-yaml@^3.14.2, js-yaml@^4.1.0). Before this change that edge resolved to 4.2.0, so any use of the rewriter/source-map code now runs against an unsupported major; please use a scoped resolution or keep a separate 4.x lock entry instead of forcing all consumers to 3.x.

Useful? React with 👍 / 👎.

@joeyzhao2018 joeyzhao2018 merged commit e98c43c into main Jul 14, 2026
42 checks passed
@joeyzhao2018 joeyzhao2018 deleted the engraver-auto-version-upgrade/minorpatch/npm/0-1783352940 branch July 14, 2026 21:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant