Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 7 · patch: 8) [src/user-management-service]#651

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/user-management-service/5-1781533577
Draft

fix(deps): vuln minor upgrades — 15 packages (minor: 7 · patch: 8) [src/user-management-service]#651
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/user-management-service/5-1781533577

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • src/user-management-service (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
handlebars 4.7.8 4.7.9 patch Transitive 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW
simple-git 3.16.0 3.36.0 minor Transitive 2 CRITICAL, 2 HIGH
axios 1.13.6 1.17.0 minor Transitive 11 HIGH, 11 MEDIUM, 1 LOW
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
basic-ftp 5.2.0 5.3.1 minor Transitive 4 HIGH
fast-xml-parser 5.4.1 5.8.0 minor Transitive 2 HIGH, 3 MEDIUM
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
glob 10.4.5 10.5.0 minor Transitive 2 HIGH
cross-spawn 7.0.3 7.0.6 patch Transitive 2 HIGH
fast-uri 3.1.0 3.1.2 patch Transitive 2 HIGH
underscore 1.13.7 1.13.8 patch Transitive 2 HIGH
lodash-es 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
lodash 4.17.23 4.18.1 minor Transitive 1 HIGH, 1 MEDIUM
brace-expansion 5.0.3 5.0.6 patch Transitive 3 MEDIUM
js-yaml 3.14.1 3.14.2 patch Transitive 2 MEDIUM

Security Details

🚨 Critical & High Severity (49 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
handlebars CVE-2026-33937 CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 -
handlebars GHSA-2w6w-674q-4c4q CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 4.7.9
simple-git CVE-2026-28292 CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 -
simple-git GHSA-r275-fr43-pm7q CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 3.32.3
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.13.6 1.15.1
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.13.6 1.15.1
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.13.6 1.15.2
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.13.6 1.16.0
axios GHSA-777c-7fjr-54vf HIGH Allocation of Resources Without Limits or Throttling in Axios 1.13.6 1.16.0
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.13.6 1.16.0
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.13.6 1.16.0
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.13.6 1.15.1
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.13.6 1.16.0
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.13.6 1.15.2
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.13.6 1.16.0
basic-ftp GHSA-6v7q-wjvx-w8wg HIGH basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands 5.2.0 5.2.2
basic-ftp GHSA-rpmf-866q-6p89 HIGH basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering 5.2.0 5.3.1
basic-ftp GHSA-rp42-5vxx-qpwr HIGH basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() 5.2.0 5.3.0
basic-ftp GHSA-chqc-8p9q-pq6q HIGH basic-ftp has FTP Command Injection via CRLF 5.2.0 5.2.1
cross-spawn GHSA-3xgq-45jj-v275 HIGH Regular Expression Denial of Service (ReDoS) in cross-spawn 7.0.3 7.0.5
cross-spawn CVE-2024-21538 HIGH - 7.0.3 -
fast-uri GHSA-q3j6-qgpj-74h6 HIGH fast-uri vulnerable to path traversal via percent-encoded dot segments 3.1.0 3.1.1
fast-uri GHSA-v39h-62p7-jpjc HIGH fast-uri vulnerable to host confusion via percent-encoded authority delimiters 3.1.0 3.1.2
fast-xml-parser CVE-2026-33036 HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 5.4.1 -
fast-xml-parser GHSA-8gc5-j5rx-235r HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 5.4.1 5.5.6
glob CVE-2025-64756 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 -
glob GHSA-5j98-mcp5-4vw2 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 11.1.0
handlebars GHSA-xjpj-3mr7-gcpf HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 4.7.9
handlebars CVE-2026-33940 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 -
handlebars GHSA-xhpv-hc6g-r9c6 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 4.7.9
handlebars CVE-2026-33939 HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 -
handlebars GHSA-9cx6-37pm-9jff HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 4.7.9
handlebars CVE-2026-33938 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 -
handlebars GHSA-3mfm-83xf-c92r HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 4.7.9
handlebars CVE-2026-33941 HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.23 4.18.0
lodash-es GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 -
simple-git GHSA-hffm-xvc3-vprc HIGH simple-git is vulnerable to Remote Code Execution 3.16.0 3.36.0
simple-git GHSA-jcxm-m3jx-f287 HIGH simple-git Affected by Command Execution via Option-Parsing Bypass 3.16.0 3.32.0
underscore GHSA-qpx9-hpmf-5gmw HIGH Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack 1.13.7 1.13.8
underscore CVE-2026-27601 HIGH Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack 1.13.7 -
ℹ️ Other Vulnerabilities (30)
Package CVE Severity Summary Unsafe Version Fixed In
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.13.6 1.15.1
axios GHSA-3p68-rc4w-qgx5 MODERATE Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF 1.13.6 1.15.0
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.13.6 1.15.1
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.13.6 1.15.1
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.13.6 1.16.0
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.13.6 1.15.1
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.13.6 1.15.1
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.13.6 1.15.2
axios GHSA-fvcv-3m26-pcqx MODERATE Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 1.13.6 1.15.0
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.13.6 1.15.1
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.13.6 1.15.1
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 5.0.5
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 -
brace-expansion GHSA-jxxr-4gwj-5jf2 MODERATE brace-expansion: Large numeric range defeats documented max DoS protection 5.0.3 5.0.6
fast-xml-parser CVE-2026-33349 MODERATE fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation 5.4.1 -
fast-xml-parser GHSA-gh4j-gqv2-49f6 MODERATE fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters 5.4.1 5.7.0
fast-xml-parser GHSA-jp2q-39xq-3w4g MODERATE Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser 5.4.1 4.5.5
handlebars GHSA-2qvq-rjwj-gvw9 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 4.7.9
handlebars CVE-2026-33916 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 -
handlebars GHSA-7rx3-28cr-v5wh MODERATE Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry 4.7.8 4.7.9
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.23 4.18.0
lodash-es GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0
lodash-es CVE-2025-13465 MODERATE - 4.17.21 -
lodash-es GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 -
axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.13.6 1.15.1
handlebars GHSA-442j-39wm-28r2 LOW Handlebars.js has a Property Access Validation Bypass in container.lookup 4.7.8 4.7.9

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeastham1993 jeastham1993 Awaiting requested review from jeastham1993 jeastham1993 will be requested when the pull request is marked ready for review jeastham1993 is a code owner

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-vulns adms-npm campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants