Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 5 · patch: 10) #330

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783349451
Draft

fix(deps): vuln minor upgrades — 15 packages (minor: 5 · patch: 10) #330
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783349451

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
shell-quote 1.8.3 1.8.4 patch Transitive 1 CRITICAL
axios 1.15.0 1.18.1 minor Transitive 11 HIGH, 9 MEDIUM, 1 LOW
minimatch 9.0.5 9.0.9 patch Transitive 6 HIGH
undici 7.24.5 7.28.0 minor Transitive 3 HIGH, 2 MEDIUM, 2 LOW
picomatch 4.0.3 4.0.5 patch Transitive 2 HIGH, 2 MEDIUM
fast-uri 3.0.6 3.1.3 minor Transitive 2 HIGH
@isaacs/brace-expansion 5.0.0 5.0.1 patch Transitive 2 HIGH
ws 8.18.3 8.21.0 minor Transitive 1 HIGH, 1 MEDIUM
form-data 4.0.5 4.0.6 patch Transitive 1 HIGH
sigstore 4.1.0 4.1.1 patch Transitive 1 HIGH
tmp 0.2.5 0.2.7 patch Transitive 1 HIGH
brace-expansion 5.0.4 5.0.7 patch Transitive 3 MEDIUM
ajv 8.17.1 8.20.0 minor Transitive 2 MEDIUM
yaml 2.8.0 2.8.4 patch Transitive 2 MEDIUM
@sigstore/verify 3.1.0 3.1.1 patch Transitive 1 MEDIUM

Security Details

🚨 Critical & High Severity (31 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
shell-quote GHSA-w7jw-789q-3m8p CRITICAL shell-quote quote() does not escape newlines in object .op values 1.8.3 1.8.4 -
@isaacs/brace-expansion GHSA-7h2j-956f-4vf2 HIGH @isaacs/brace-expansion has Uncontrolled Resource Consumption 5.0.0 5.0.1 -
@isaacs/brace-expansion CVE-2026-25547 HIGH Uncontrolled Resource Consumption in @isaacs/brace-expansion 5.0.0 - -
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.15.0 1.16.0 -
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.15.0 1.15.2 -
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.15.0 1.15.1 -
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.15.0 1.16.0 -
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.15.0 1.16.0 -
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.15.0 1.16.0 -
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.15.0 1.15.1 -
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.15.0 1.16.0 -
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.15.0 1.15.1 -
axios GHSA-777c-7fjr-54vf HIGH Allocation of Resources Without Limits or Throttling in Axios 1.15.0 1.16.0 -
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.15.0 1.15.2 -
fast-uri GHSA-q3j6-qgpj-74h6 HIGH fast-uri vulnerable to path traversal via percent-encoded dot segments 3.0.6 3.1.1 -
fast-uri GHSA-v39h-62p7-jpjc HIGH fast-uri vulnerable to host confusion via percent-encoded authority delimiters 3.0.6 3.1.2 -
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.5 2.5.6 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 - -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 10.2.3 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 10.2.1 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 10.2.3 -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 - -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 4.0.3 4.0.4 -
sigstore GHSA-52v5-jr5w-gjxr HIGH sigstore's certificateOIDs verification constraints are silently dropped and never enforced 4.1.0 4.1.1 -
tmp GHSA-ph9p-34f9-6g65 HIGH tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape 0.2.5 0.2.6 -
undici GHSA-vxpw-j846-p89q HIGH undici WebSocket client vulnerable to denial of service via fragment count bypass 7.24.5 6.27.0 -
undici GHSA-vmh5-mc38-953g HIGH undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent 7.24.5 7.28.0 -
undici GHSA-hm92-r4w5-c3mj HIGH undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse 7.24.5 7.28.0 -
ws GHSA-96hv-2xvq-fx4p HIGH ws: Memory exhaustion DoS from tiny fragments and data chunks 8.18.3 5.2.5 -
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In Case
@sigstore/verify GHSA-xgjw-pm74-86q4 MODERATE sigstore-js has Insufficient Verification of Data Authenticity 3.1.0 3.1.1 -
ajv GHSA-2g4f-4pwh-qvx6 MODERATE ajv has ReDoS when using $data option 8.17.1 8.18.0 -
ajv CVE-2025-69873 MODERATE - 8.17.1 - -
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.15.0 1.15.2 -
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.15.0 1.16.0 -
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.15.0 1.15.1 -
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.15.0 1.15.1 -
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.15.0 1.15.1 -
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.15.0 1.15.1 -
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.15.0 1.15.1 -
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.15.0 1.15.1 -
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.15.0 1.15.1 -
brace-expansion GHSA-jxxr-4gwj-5jf2 MODERATE brace-expansion: Large numeric range defeats documented max DoS protection 5.0.4 5.0.6 -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.4 5.0.5 -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.4 - -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 - -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 4.0.3 4.0.4 -
undici GHSA-pr7r-676h-xcf6 MODERATE undici vulnerable to cross-user information disclosure via shared cache whitespace bypass 7.24.5 7.28.0 -
undici GHSA-p88m-4jfj-68fv MODERATE undici vulnerable to HTTP header injection via Set-Cookie percent-decoding 7.24.5 6.27.0 -
ws GHSA-58qx-3vcg-4xpx MODERATE ws: Uninitialized memory disclosure 8.18.3 8.20.1 -
yaml GHSA-48c2-rrv3-qjmp MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 2.8.0 2.8.3 -
yaml CVE-2026-33532 MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 2.8.0 - -
axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.15.0 1.15.1 -
undici GHSA-35p6-xmwp-9g52 LOW undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse 7.24.5 6.27.0 -
undici GHSA-g8m3-5g58-fq7m LOW undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching 7.24.5 6.27.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants