Skip to content

fix(deps): vuln minor upgrades — 12 packages (minor: 3 · patch: 9) [sticker-catalogue/infra]#273

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/infra/1-1783349253
Draft

fix(deps): vuln minor upgrades — 12 packages (minor: 3 · patch: 9) [sticker-catalogue/infra]#273
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/infra/1-1783349253

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 12 packages upgraded (MINOR changes included)

Manifests changed:

  • sticker-catalogue/infra (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
handlebars 4.7.8 4.7.9 patch Transitive 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
picomatch 4.0.3 4.0.5 patch Transitive 2 HIGH, 2 MEDIUM
glob 10.4.5 10.5.0 minor Transitive 2 HIGH
fast-uri 3.1.0 3.1.3 patch Transitive 2 HIGH
aws-cdk-lib 2.234.1 2.261.0 minor Direct 1 HIGH
js-yaml 3.14.1 3.14.2 patch Transitive 3 MEDIUM
ajv 8.17.1 8.20.0 minor Transitive 2 MEDIUM
brace-expansion 1.1.12 1.1.15 patch Transitive 2 MEDIUM
yaml 1.10.2 1.10.3 patch Transitive 2 MEDIUM
@babel/core 7.27.4 7.27.7 patch Transitive 1 LOW
diff 4.0.2 4.0.4 patch Transitive 2 LOW

Security Details

🚨 Critical & High Severity (23 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
handlebars CVE-2026-33937 CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 - -
handlebars GHSA-2w6w-674q-4c4q CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 4.7.9 -
aws-cdk-lib GHSA-999r-qq7v-r334 HIGH aws-cdk-lib: OS Command Injection in NodejsFunction Bundling 2.234.1 2.246.0 -
fast-uri GHSA-v39h-62p7-jpjc HIGH fast-uri vulnerable to host confusion via percent-encoded authority delimiters 3.1.0 3.1.2 -
fast-uri GHSA-q3j6-qgpj-74h6 HIGH fast-uri vulnerable to path traversal via percent-encoded dot segments 3.1.0 3.1.1 -
glob GHSA-5j98-mcp5-4vw2 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 11.1.0 -
glob CVE-2025-64756 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 - -
handlebars GHSA-xjpj-3mr7-gcpf HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 4.7.9 -
handlebars CVE-2026-33939 HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 - -
handlebars CVE-2026-33941 HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 - -
handlebars CVE-2026-33938 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 - -
handlebars GHSA-3mfm-83xf-c92r HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 4.7.9 -
handlebars CVE-2026-33940 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 - -
handlebars GHSA-xhpv-hc6g-r9c6 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 4.7.9 -
handlebars GHSA-9cx6-37pm-9jff HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 4.7.9 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 - -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1 -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3 -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 4.0.4 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 - -
ℹ️ Other Vulnerabilities (18)
Package CVE Severity Summary Unsafe Version Fixed In Case
ajv CVE-2025-69873 MODERATE - 8.17.1 - -
ajv GHSA-2g4f-4pwh-qvx6 MODERATE ajv has ReDoS when using $data option 8.17.1 8.18.0 -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.12 - -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.12 5.0.5 -
handlebars GHSA-7rx3-28cr-v5wh MODERATE Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry 4.7.8 4.7.9 -
handlebars CVE-2026-33916 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 - -
handlebars GHSA-2qvq-rjwj-gvw9 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 4.7.9 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 - -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 3.14.1 4.2.0 -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 4.0.4 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 - -
yaml GHSA-48c2-rrv3-qjmp MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 2.8.3 -
yaml CVE-2026-33532 MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 - -
@babel/core GHSA-4x5r-pxfx-6jf8 LOW @babel/core: Arbitrary File Read via sourceMappingURL Comment 7.27.4 8.0.0-rc.6 -
diff GHSA-73rr-hh4g-fpgx LOW jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch 4.0.2 8.0.3 -
diff CVE-2026-24001 LOW jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch 4.0.2 - -
handlebars GHSA-442j-39wm-28r2 LOW Handlebars.js has a Property Access Validation Bypass in container.lookup 4.7.8 4.7.9 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants