Skip to content

fix(deps): vuln minor upgrades — 13 packages (minor: 5 · patch: 8) [web-frontend]#274

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/web-frontend/9-1783349252
Draft

fix(deps): vuln minor upgrades — 13 packages (minor: 5 · patch: 8) [web-frontend]#274
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/web-frontend/9-1783349252

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: High-severity security update — 13 packages upgraded (MINOR changes included)

Manifests changed:

  • web-frontend (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
react-router 7.13.1 7.18.1 minor Direct 4 HIGH, 2 MEDIUM, 1 LOW
flatted 3.3.3 3.4.2 minor Transitive 4 HIGH
vite 7.3.1 7.3.6 patch Direct 3 HIGH, 2 MEDIUM
picomatch 4.0.3 4.0.5 patch Transitive 2 HIGH, 2 MEDIUM
rollup 4.45.1 4.62.2 minor Transitive 2 HIGH
js-yaml 4.1.0 4.3.0 minor Transitive 3 MEDIUM
ajv 6.12.6 6.15.0 minor Transitive 2 MEDIUM
brace-expansion 1.1.12 1.1.15 patch Transitive 2 MEDIUM
yaml 1.10.2 1.10.3 patch Transitive 2 MEDIUM
postcss 8.5.6 8.5.16 patch Transitive 1 MEDIUM
@babel/core 7.28.0 7.28.6 patch Transitive 1 LOW
@eslint/plugin-kit 0.3.3 0.3.5 patch Transitive 1 LOW

Security Details

🚨 Critical & High Severity (21 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
flatted GHSA-rf6f-7fwh-wjgh HIGH Prototype Pollution via parse() in NodeJS flatted 3.3.3 3.4.2 -
flatted CVE-2026-33228 HIGH flatted: Prototype Pollution via parse() 3.3.3 - -
flatted GHSA-25h7-pfq9-p65f HIGH flatted vulnerable to unbounded recursion DoS in parse() revive phase 3.3.3 3.4.0 -
flatted CVE-2026-32141 HIGH flatted: Unbounded recursion DoS in parse() revive phase 3.3.3 - -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 - -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3 -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 4.0.4 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 - -
react-router GHSA-8x6r-g9mw-2r78 HIGH React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint 7.13.1 7.15.0 -
react-router GHSA-49rj-9fvp-4h2h HIGH React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE 7.13.1 7.14.2 -
react-router GHSA-8646-j5j9-6r62 HIGH React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets 7.13.1 7.13.2 -
react-router GHSA-rxv8-25v2-qmq8 HIGH React Router vulnerable to Denial of Service via reflected user input in single-fetch 7.13.1 7.14.0 -
rollup GHSA-mw96-cpmx-2vgc HIGH Rollup 4 has Arbitrary File Write via Path Traversal 4.45.1 2.80.0 -
rollup CVE-2026-27606 HIGH Rollup 4 has Arbitrary File Write via Path Traversal 4.45.1 - -
vite GHSA-v2wj-q39q-566r HIGH Vite: server.fs.deny bypassed with queries 7.3.1 8.0.5 -
vite GHSA-fx2h-pf6j-xcff HIGH vite: server.fs.deny bypass on Windows alternate paths 7.3.1 8.0.16 -
vite GHSA-p9ff-h696-f583 HIGH Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket 7.3.1 8.0.5 -
ℹ️ Other Vulnerabilities (19)
Package CVE Severity Summary Unsafe Version Fixed In Case
ajv GHSA-2g4f-4pwh-qvx6 MODERATE ajv has ReDoS when using $data option 6.12.6 8.18.0 -
ajv CVE-2025-69873 MODERATE - 6.12.6 - -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.12 - -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.12 5.0.5 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 - -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 4.1.1 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 4.1.0 4.2.0 -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 4.0.4 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 - -
postcss GHSA-qx2v-qp2m-jg93 MODERATE PostCSS has XSS via Unescaped </style> in its CSS Stringify Output 8.5.6 8.5.10 -
react-router GHSA-2j2x-hqr9-3h42 MODERATE React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation 7.13.1 7.14.1 -
react-router GHSA-f22v-gfqf-p8f3 MODERATE React Router has stored XSS via unescaped Location header in prerendered redirect HTML 7.13.1 7.13.2 -
vite GHSA-v6wh-96g9-6wx3 MODERATE launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows 7.3.1 8.0.16 -
vite GHSA-4w7w-66w2-5vf9 MODERATE Vite Vulnerable to Path Traversal in Optimized Deps .map Handling 7.3.1 8.0.5 -
yaml GHSA-48c2-rrv3-qjmp MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 2.8.3 -
yaml CVE-2026-33532 MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 - -
@babel/core GHSA-4x5r-pxfx-6jf8 LOW @babel/core: Arbitrary File Read via sourceMappingURL Comment 7.28.0 8.0.0-rc.6 -
@eslint/plugin-kit GHSA-xffm-g5w8-qvg7 LOW @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser 0.3.3 0.3.4 -
react-router GHSA-84g9-w2xq-vcv6 LOW React Router: Potential CSRF via PUT/PATCH/DELETE document requests 7.13.1 7.15.1 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants