Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#2985

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-0700d5feda
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#2985
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-0700d5feda

chore(deps): bump the npm_and_yarn group across 1 directory with 7 up…

cbd9e77
Select commit
Loading
Failed to load commit list.
GitHub Advanced Security / Trivy failed Jul 15, 2026 in 4s

70 new alerts including 34 high severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 34 high
  • 28 medium
  • 8 low

Alerts not introduced by this pull request might have been detected because the code changes were too large.

See annotations below for details.

View all branch alerts.

Annotations

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Prototype pollution allows information disclosure and request manipulation High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-42264
Severity: HIGH
Fixed Version: 1.15.2
Link: CVE-2026-42264

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Information disclosure due to prototype pollution vulnerability High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44495
Severity: HIGH
Fixed Version: 1.15.2, 0.31.1
Link: CVE-2026-44495

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Information disclosure of proxy credentials via HTTP redirects High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44486
Severity: HIGH
Fixed Version: 1.16.0, 0.32.0
Link: CVE-2026-44486

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Information disclosure of proxy credentials via redirect flows High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44487
Severity: HIGH
Fixed Version: 1.16.0, 0.32.0
Link: CVE-2026-44487

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Denial of Service due to unenforced request and response size limits High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44488
Severity: HIGH
Fixed Version: 1.16.0
Link: CVE-2026-44488

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-44496
Severity: HIGH
Fixed Version: 1.16.0, 0.32.0
Link: CVE-2026-44496

Check failure on line 19252 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies High

Package: fast-uri
Installed Version: 3.0.2
Vulnerability CVE-2026-6321
Severity: HIGH
Fixed Version: 3.1.1
Link: CVE-2026-6321

Check failure on line 19252 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

fast-uri: fast-uri: URI authority bypass due to improper delimiter handling High

Package: fast-uri
Installed Version: 3.0.2
Vulnerability CVE-2026-6322
Severity: HIGH
Fixed Version: 3.1.2
Link: CVE-2026-6322

Check failure on line 20946 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability High

Package: http-cache-semantics
Installed Version: 3.8.1
Vulnerability CVE-2022-25881
Severity: HIGH
Fixed Version: 4.1.1
Link: CVE-2022-25881

Check failure on line 23043 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

lodash: lodash: Arbitrary code execution via untrusted input in template imports High

Package: lodash
Installed Version: 4.17.23
Vulnerability CVE-2026-4800
Severity: HIGH
Fixed Version: 4.18.0
Link: CVE-2026-4800

Check failure on line 23049 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

lodash: lodash: Arbitrary code execution via untrusted input in template imports High

Package: lodash-es
Installed Version: 4.17.23
Vulnerability CVE-2026-4800
Severity: HIGH
Fixed Version: 4.18.0
Link: CVE-2026-4800

Check failure on line 23467 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode High

Package: ssri
Installed Version: 5.3.0
Vulnerability CVE-2021-27290
Severity: HIGH
Fixed Version: 6.0.2, 7.1.1, 8.0.1
Link: CVE-2021-27290

Check failure on line 24184 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality High

Package: uuid
Installed Version: 11.1.0
Vulnerability CVE-2026-41907
Severity: MEDIUM
Fixed Version: 11.1.1, 12.0.1, 13.0.1
Link: CVE-2026-41907

Check failure on line 24645 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments High

Package: ws
Installed Version: 7.5.10
Vulnerability CVE-2026-48779
Severity: HIGH
Fixed Version: 5.2.5, 6.2.4, 7.5.11, 8.21.0
Link: CVE-2026-48779

Check failure on line 26563 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

minimatch: minimatch: Denial of Service via specially crafted glob patterns High

Package: minimatch
Installed Version: 9.0.5
Vulnerability CVE-2026-26996
Severity: HIGH
Fixed Version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
Link: CVE-2026-26996

Check failure on line 26563 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns High

Package: minimatch
Installed Version: 9.0.5
Vulnerability CVE-2026-27903
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
Link: CVE-2026-27903

Check failure on line 26563 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions High

Package: minimatch
Installed Version: 9.0.5
Vulnerability CVE-2026-27904
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
Link: CVE-2026-27904

Check failure on line 31748 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

node-fetch: exposure of sensitive information to an unauthorized actor High

Package: node-fetch
Installed Version: 1.7.3
Vulnerability CVE-2022-0235
Severity: HIGH
Fixed Version: 3.1.1, 2.6.7
Link: CVE-2022-0235

Check failure on line 32827 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() High

Package: serialize-javascript
Installed Version: 6.0.2
Vulnerability GHSA-5c6j-r48x-rmvq
Severity: HIGH
Fixed Version: 7.0.3
Link: GHSA-5c6j-r48x-rmvq

Check failure on line 34853 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

tmp is a temporary file and directory creator for node.js. Prior to 0. ... High

Package: tmp
Installed Version: 0.0.33
Vulnerability CVE-2026-44705
Severity: HIGH
Fixed Version: 0.2.6
Link: CVE-2026-44705

Check failure on line 35783 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality High

Package: uuid
Installed Version: 8.3.2
Vulnerability CVE-2026-41907
Severity: MEDIUM
Fixed Version: 11.1.1, 12.0.1, 13.0.1
Link: CVE-2026-41907

Check failure on line 36275 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments High

Package: ws
Installed Version: 8.18.3
Vulnerability CVE-2026-48779
Severity: HIGH
Fixed Version: 5.2.5, 6.2.4, 7.5.11, 8.21.0
Link: CVE-2026-48779

Check failure on line 36585 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments High

Package: ws
Installed Version: 8.17.1
Vulnerability CVE-2026-48779
Severity: HIGH
Fixed Version: 5.2.5, 6.2.4, 7.5.11, 8.21.0
Link: CVE-2026-48779

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: NO_PROXY bypass via crafted URL High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-42043
Severity: HIGH
Fixed Version: 1.15.1, 0.31.1
Link: CVE-2026-42043

Check failure on line 13493 in package-lock.json

See this annotation in the file changed.

Code scanning / Trivy

axios: Axios: Arbitrary HTTP header injection via prototype pollution High

Package: axios
Installed Version: 1.15.0
Vulnerability CVE-2026-42035
Severity: HIGH
Fixed Version: 1.15.1, 0.31.1
Link: CVE-2026-42035