Skip to content

fix: frontend deps#201

Merged
rafaelsilva29 merged 1 commit into
mainfrom
fix/frontend-deps
May 12, 2026
Merged

fix: frontend deps#201
rafaelsilva29 merged 1 commit into
mainfrom
fix/frontend-deps

Conversation

@rafaelsilva29

Copy link
Copy Markdown
Member

Description

Addresses 26+ open Dependabot security alerts in the frontend by updating vulnerable npm dependencies.

Direct dependency upgrades:

  • axios 1.10.01.16.0 — fixes 17 CVEs including SSRF, DoS, prototype pollution, header injection, and auth bypass
  • qs 6.14.06.15.1 — fixes DoS via arrayLimit bypass (GHSA-w7fw-mjwx-w883, GHSA-6rw7-vpxm-498p)
  • lodash 4.17.214.18.1 — fixes code injection via _.template and prototype pollution in _.unset/_.omit
  • react-router-dom 7.3.07.15.0 — fixes XSS via open redirects and SSR XSS in ScrollRestoration
  • vite 6.2.06.4.2 — fixes arbitrary file read via WebSocket, path traversal, and server.fs bypass

Transitive dependency pins via resolutions:

  • rollup^4.60.3 — arbitrary file write via path traversal
  • minimatch^10.2.5 — multiple ReDoS vulnerabilities
  • picomatch^4.0.4 — ReDoS via extglob quantifiers
  • flatted^3.4.2 — prototype pollution and unbounded recursion DoS
  • fast-uri^3.1.2 — path traversal and host confusion via percent-encoded segments
  • serialize-javascript^7.0.5 — RCE via RegExp/Date serialization
  • defu^6.1.7 — prototype pollution via __proto__ key
  • @babel/plugin-transform-modules-systemjs^7.29.4 — arbitrary code generation from malicious input
  • tar^7.5.15 — multiple path traversal and symlink poisoning vulnerabilities
  • glob^11.0.2 — command injection via -c/--cmd
  • mdast-util-to-hast^13.2.1 — unsanitized class attribute
  • svgo^4.0.1 — DoS via entity expansion (Billion Laughs)

All changes verified with yarn npm audit returning no suggestions.

Type of Change

  • Bugfix

Checklist

  • I have read the contributing guidelines
  • Existing issues have been referenced (where applicable)
  • I have verified this change is not present in other open pull requests
  • Functionality is documented
  • All code style checks pass
  • New code contribution is covered by automated tests
  • All new and existing tests pass

Signed-off-by: Rafael Silva (rafaelsi) <rafaelsi@cisco.com>
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

@rafaelsilva29 rafaelsilva29 merged commit 4b49482 into main May 12, 2026
7 of 9 checks passed
@rafaelsilva29 rafaelsilva29 deleted the fix/frontend-deps branch May 12, 2026 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant