fix(deps): vuln minor upgrades — 14 packages (minor: 7 · patch: 7) [src/frontend]#652

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/frontend/7-1781533577

Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: Critical-severity security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • src/frontend (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- | --- |
| pbkdf2 | 3.1.2 | 3.1.6 | patch | Transitive | 4 CRITICAL |
| fast-xml-parser | 4.4.1 | 4.5.6 | minor | Transitive | 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW |
| cipher-base | 1.0.4 | 1.0.7 | patch | Transitive | 2 CRITICAL |
| sha.js | 2.4.11 | 2.4.12 | patch | Transitive | 2 CRITICAL |
| elliptic | 6.5.7 | 6.6.1 | minor | Transitive | 1 CRITICAL, 3 LOW |
| shell-quote | 1.8.1 | 1.8.4 | patch | Transitive | 1 CRITICAL |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| @babel/plugin-transform-modules-systemjs | 7.25.9 | 7.29.7 | minor | Transitive | 1 HIGH |
| qs | 6.13.0 | 6.15.2 | minor | Transitive | 3 MEDIUM, 2 LOW |
| @babel/helpers | 7.25.7 | 7.29.7 | minor | Transitive | 2 MEDIUM |
| bn.js | 4.12.0 | 4.12.3 | patch | Transitive | 2 MEDIUM |
| brace-expansion | 1.1.11 | 1.1.15 | patch | Transitive | 2 MEDIUM, 2 LOW |
| @smithy/config-resolver | 4.1.0 | 4.5.7 | minor | Transitive | 1 LOW |

Security Details

🚨 Critical & High Severity (24 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| cipher-base | GHSA-cpq7-6gpm-g9rc | CRITICAL | cipher-base is missing type checks, leading to hash rewind and passing on crafted data | 1.0.4 | 1.0.5 |
| cipher-base | CVE-2025-9287 | CRITICAL | - | 1.0.4 | - |
| elliptic | GHSA-vjh7-7g9h-fjfh | CRITICAL | Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) | 6.5.7 | 6.6.1 |
| fast-xml-parser | CVE-2026-25896 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.4.1 | - |
| fast-xml-parser | GHSA-m7jm-9gc2-mpf2 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.4.1 | 5.3.5 |
| pbkdf2 | CVE-2025-6547 | CRITICAL | - | 3.1.2 | - |
| pbkdf2 | GHSA-v62p-rq8g-8h59 | CRITICAL | pbkdf2 silently disregards Uint8Array input, returning static keys | 3.1.2 | 3.1.3 |
| pbkdf2 | CVE-2025-6545 | CRITICAL | - | 3.1.2 | - |
| pbkdf2 | GHSA-h7cp-r72f-jxh6 | CRITICAL | pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos | 3.1.2 | 3.1.3 |
| sha.js | CVE-2025-9288 | CRITICAL | - | 2.4.11 | - |
| sha.js | GHSA-95m3-7q98-8xr5 | CRITICAL | sha.js is missing type checks leading to hash rewind and passing on crafted data | 2.4.11 | 2.4.12 |
| shell-quote | GHSA-w7jw-789q-3m8p | CRITICAL | shell-quote quote() does not escape newlines in object .op values | 1.8.1 | 1.8.4 |
| @babel/plugin-transform-modules-systemjs | GHSA-fv7c-fp4j-7gwp | HIGH | @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input | 7.25.9 | 7.29.4 |
| fast-xml-parser | CVE-2026-26278 | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.4.1 | - |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.4.1 | 5.5.6 |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.4.1 | - |
| fast-xml-parser | GHSA-jmr7-xgp7-cmfj | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.4.1 | 4.5.4 |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
ℹ️ Other Vulnerabilities (25)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| @babel/helpers | GHSA-968p-4wvh-cqc8 | MODERATE | Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups | 7.25.7 | 7.26.10 |
| @babel/helpers | CVE-2025-27789 | MODERATE | Inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups | 7.25.7 | - |
| bn.js | GHSA-378v-28hj-76wf | MODERATE | bn.js affected by an infinite loop | 4.12.0 | 4.12.3 |
| bn.js | CVE-2026-2739 | MODERATE | - | 4.12.0 | - |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | - |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 4.4.1 | 5.7.0 |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 4.4.1 | 4.5.5 |
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 4.4.1 | - |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| qs | GHSA-6rw7-vpxm-498p | MODERATE | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion | 6.13.0 | 6.14.1 |
| qs | GHSA-q8mj-m7cp-5q26 | MODERATE | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | 6.13.0 | 6.15.2 |
| qs | CVE-2025-15284 | MODERATE | - | 6.13.0 | - |
| @smithy/config-resolver | GHSA-6475-r3vj-m8vf | LOW | AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value | 4.1.0 | 4.4.0 |
| brace-expansion | CVE-2025-5889 | LOW | - | 1.1.11 | - |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 1.1.11 | 2.0.2 |
| elliptic | CVE-2024-48948 | LOW | - | 6.5.7 | - |
| elliptic | GHSA-848j-6mx2-7j84 | LOW | Elliptic Uses a Cryptographic Primitive with a Risky Implementation | 6.5.7 | - |
| elliptic | GHSA-fc9h-whq2-v747 | LOW | Valid ECDSA signatures erroneously rejected in Elliptic | 6.5.7 | 6.6.0 |
| fast-xml-parser | CVE-2026-27942 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.4.1 | - |
| fast-xml-parser | GHSA-fj3w-jwp8-x2g3 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.4.1 | 5.3.8 |
| qs | CVE-2026-2391 | LOW | - | 6.13.0 | - |
| qs | GHSA-w7fw-mjwx-w883 | LOW | qs's arrayLimit bypass in comma parsing allows denial of service | 6.13.0 | 6.14.2 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
