Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 8 · patch: 7) [src/pricing-service]#655

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/pricing-service/6-1781533577
Draft

fix(deps): vuln minor upgrades — 15 packages (minor: 8 · patch: 7) [src/pricing-service]#655
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/pricing-service/6-1781533577

Conversation

@gh-worker-campaigns-3e9aa4

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • src/pricing-service (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
handlebars 4.7.8 4.7.9 patch Transitive 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW
simple-git 3.16.0 3.36.0 minor Transitive 2 CRITICAL, 2 HIGH
axios 1.13.6 1.17.0 minor Direct 11 HIGH, 11 MEDIUM, 1 LOW
undici 6.21.1 6.26.0 minor Transitive 6 HIGH, 6 MEDIUM, 2 LOW
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
basic-ftp 5.2.0 5.3.1 minor Transitive 4 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
effect 3.12.11 3.21.3 minor Transitive 2 HIGH
fast-uri 3.0.6 3.1.2 minor Transitive 2 HIGH
glob 10.4.5 10.5.0 minor Transitive 2 HIGH
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
fast-xml-builder 1.1.4 1.1.9 patch Transitive 1 HIGH
brace-expansion 5.0.3 5.0.6 patch Transitive 3 MEDIUM
js-yaml 3.14.1 3.14.2 patch Transitive 2 MEDIUM
yaml 1.10.2 1.10.3 patch Transitive 2 MEDIUM

Security Details

🚨 Critical & High Severity (51 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
handlebars GHSA-2w6w-674q-4c4q CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 4.7.9
handlebars CVE-2026-33937 CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 -
simple-git GHSA-r275-fr43-pm7q CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 3.32.3
simple-git CVE-2026-28292 CRITICAL simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE 3.16.0 -
axios GHSA-hfxv-24rg-xrqf HIGH Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection 1.13.6 1.16.0
axios GHSA-pf86-5x62-jrwf HIGH Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking 1.13.6 1.15.1
axios GHSA-pmwg-cvhr-8vh7 HIGH Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 1.13.6 1.15.1
axios GHSA-pjwm-pj3p-43mv HIGH axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) 1.13.6 1.16.0
axios GHSA-777c-7fjr-54vf HIGH Allocation of Resources Without Limits or Throttling in Axios 1.13.6 1.16.0
axios GHSA-j5f8-grm9-p9fc HIGH Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection 1.13.6 1.16.0
axios GHSA-p92q-9vqr-4j8v HIGH Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter 1.13.6 1.16.0
axios GHSA-3g43-6gmg-66jw HIGH axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge 1.13.6 1.15.2
axios GHSA-35jp-ww65-95wh HIGH axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy 1.13.6 1.16.0
axios GHSA-q8qp-cvcw-x6jj HIGH Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking 1.13.6 1.15.2
axios GHSA-6chq-wfr3-2hj9 HIGH Axios: Header Injection via Prototype Pollution 1.13.6 1.15.1
basic-ftp GHSA-chqc-8p9q-pq6q HIGH basic-ftp has FTP Command Injection via CRLF 5.2.0 5.2.1
basic-ftp GHSA-rpmf-866q-6p89 HIGH basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering 5.2.0 5.3.1
basic-ftp GHSA-6v7q-wjvx-w8wg HIGH basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands 5.2.0 5.2.2
basic-ftp GHSA-rp42-5vxx-qpwr HIGH basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() 5.2.0 5.3.0
effect CVE-2026-32887 HIGH Effect Bug: AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC 3.12.11 -
effect GHSA-38f7-945m-qr2g HIGH Effect AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC 3.12.11 3.20.0
fast-uri GHSA-v39h-62p7-jpjc HIGH fast-uri vulnerable to host confusion via percent-encoded authority delimiters 3.0.6 3.1.2
fast-uri GHSA-q3j6-qgpj-74h6 HIGH fast-uri vulnerable to path traversal via percent-encoded dot segments 3.0.6 3.1.1
fast-xml-builder GHSA-5wm8-gmm8-39j9 HIGH fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes 1.1.4 1.1.7
glob CVE-2025-64756 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 -
glob GHSA-5j98-mcp5-4vw2 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 11.1.0
handlebars GHSA-9cx6-37pm-9jff HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 4.7.9
handlebars GHSA-xhpv-hc6g-r9c6 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 4.7.9
handlebars GHSA-3mfm-83xf-c92r HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 4.7.9
handlebars CVE-2026-33940 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 -
handlebars CVE-2026-33938 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 -
handlebars GHSA-xjpj-3mr7-gcpf HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 4.7.9
handlebars CVE-2026-33941 HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 -
handlebars CVE-2026-33939 HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 -
simple-git GHSA-hffm-xvc3-vprc HIGH simple-git is vulnerable to Remote Code Execution 3.16.0 3.36.0
simple-git GHSA-jcxm-m3jx-f287 HIGH simple-git Affected by Command Execution via Option-Parsing Bypass 3.16.0 3.32.0
undici CVE-2026-2229 HIGH - 6.21.1 -
undici GHSA-f269-vfmq-vjvj HIGH Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client 6.21.1 6.24.0
undici CVE-2026-1528 HIGH - 6.21.1 -
undici GHSA-v9p9-hfj2-hcw8 HIGH Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation 6.21.1 6.24.0
undici GHSA-vrm6-8vpv-qv8q HIGH Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression 6.21.1 6.24.0
undici CVE-2026-1526 HIGH - 6.21.1 -
ℹ️ Other Vulnerabilities (36)
Package CVE Severity Summary Unsafe Version Fixed In
axios GHSA-w9j2-pvgh-6h63 MODERATE Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy 1.13.6 1.15.1
axios GHSA-3p68-rc4w-qgx5 MODERATE Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF 1.13.6 1.15.0
axios GHSA-898c-q2cr-xwhg MODERATE axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions 1.13.6 1.16.0
axios GHSA-xx6v-rp6x-q39c MODERATE Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion 1.13.6 1.15.1
axios GHSA-fvcv-3m26-pcqx MODERATE Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain 1.13.6 1.15.0
axios GHSA-445q-vr5w-6q77 MODERATE Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream 1.13.6 1.15.1
axios GHSA-3w6x-2g7m-8v23 MODERATE Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver 1.13.6 1.15.2
axios GHSA-vf2m-468p-8v99 MODERATE Axios: HTTP adapter streamed responses bypass maxContentLength 1.13.6 1.15.1
axios GHSA-m7pr-hjqh-92cm MODERATE Axios: no_proxy bypass via IP alias allows SSRF 1.13.6 1.15.1
axios GHSA-5c9x-8gcm-mpgx MODERATE Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 1.13.6 1.15.1
axios GHSA-62hf-57xw-28j9 MODERATE Axios: unbounded recursion in toFormData causes DoS via deeply nested request data 1.13.6 1.15.1
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 -
brace-expansion GHSA-jxxr-4gwj-5jf2 MODERATE brace-expansion: Large numeric range defeats documented max DoS protection 5.0.3 5.0.6
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 5.0.3 5.0.5
handlebars GHSA-7rx3-28cr-v5wh MODERATE Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry 4.7.8 4.7.9
handlebars GHSA-2qvq-rjwj-gvw9 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 4.7.9
handlebars CVE-2026-33916 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1
lodash CVE-2025-13465 MODERATE - 4.17.21 -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4
undici CVE-2026-1525 MODERATE - 6.21.1 -
undici GHSA-4992-7rv2-5pvq MODERATE Undici has CRLF Injection in undici via upgrade option 6.21.1 6.24.0
undici CVE-2026-1527 MODERATE - 6.21.1 -
undici CVE-2026-22036 MODERATE Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion 6.21.1 -
undici GHSA-g9mf-h72j-4rw9 MODERATE Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion 6.21.1 7.18.2
undici GHSA-2mjp-6q6p-2qxm MODERATE Undici has an HTTP Request/Response Smuggling issue 6.21.1 6.24.0
yaml GHSA-48c2-rrv3-qjmp MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 2.8.3
yaml CVE-2026-33532 MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 1.10.2 -
axios GHSA-xhjh-pmcv-23jw LOW Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams 1.13.6 1.15.1
handlebars GHSA-442j-39wm-28r2 LOW Handlebars.js has a Property Access Validation Bypass in container.lookup 4.7.8 4.7.9
undici GHSA-cxrh-j4jr-qwg3 LOW undici Denial of Service attack via bad certificate data 6.21.1 5.29.0
undici CVE-2025-47279 LOW undici Denial of Service attack via bad certificate data 6.21.1 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-datadog-prod-us1-2

datadog-datadog-prod-us1-2 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

Deploy Pricing Service | deploy-sam   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 3fdd607 | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeastham1993 jeastham1993 Awaiting requested review from jeastham1993 jeastham1993 will be requested when the pull request is marked ready for review jeastham1993 is a code owner

Assignees

No one assigned

Labels

adms-critical-severity adms-dependency-update adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-vulns adms-npm campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants