fix(deps): vuln minor upgrades — 15 packages (minor: 9 · patch: 6) [api-docs/event-catalog]#656

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/event-catalog/0-1781533577

Conversation

@gh-worker-campaigns-3e9aa4 (Contributor)

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • api-docs/event-catalog (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| fast-xml-parser | 4.5.3 | 4.5.6 | patch | Transitive | 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW |
| form-data | 4.0.0 | 4.0.6 | patch | Transitive | 2 CRITICAL |
| protobufjs | 7.4.0 | 7.6.4 | minor | Transitive | 1 CRITICAL, 4 HIGH, 4 MEDIUM |
| shell-quote | 1.8.2 | 1.8.4 | patch | Transitive | 1 CRITICAL |
| axios | 1.7.9 | 1.17.0 | minor | Transitive | 17 HIGH, 11 MEDIUM, 1 LOW |
| tar | 7.4.3 | 7.5.16 | minor | Transitive | 12 HIGH |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| h3 | 1.15.1 | 1.15.11 | patch | Transitive | 4 HIGH, 3 MEDIUM |
| devalue | 5.1.1 | 5.8.1 | minor | Transitive | 4 HIGH, 2 MEDIUM, 3 LOW |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| vite | 6.2.0 | 6.4.3 | minor | Transitive | 2 HIGH, 13 MEDIUM, 4 LOW |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| dompurify | 3.2.4 | 3.4.10 | minor | Transitive | 11 MEDIUM |
| mermaid | 11.4.1 | 11.15.0 | minor | Transitive | 8 MEDIUM |

Security Details

🚨 Critical & High Severity (66 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| fast-xml-parser | GHSA-m7jm-9gc2-mpf2 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.5.3 | 5.3.5 |
| fast-xml-parser | CVE-2026-25896 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.5.3 | - |
| form-data | CVE-2025-7783 | CRITICAL | - | 4.0.0 | - |
| form-data | GHSA-fjxv-7rqg-78g4 | CRITICAL | form-data uses unsafe random function in form-data for choosing boundary | 4.0.0 | 2.5.4 |
| protobufjs | GHSA-xq3m-2v4x-88gg | CRITICAL | Arbitrary code execution in protobufjs | 7.4.0 | 8.0.1 |
| shell-quote | GHSA-w7jw-789q-3m8p | CRITICAL | shell-quote quote() does not escape newlines in object .op values | 1.8.2 | 1.8.4 |
| axios | GHSA-pf86-5x62-jrwf | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | 1.7.9 | 1.15.1 |
| axios | CVE-2026-25639 | HIGH | Axios affected by Denial of Service via proto Key in mergeConfig | 1.7.9 | - |
| axios | GHSA-3g43-6gmg-66jw | HIGH | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | 1.7.9 | 1.15.2 |
| axios | GHSA-777c-7fjr-54vf | HIGH | Allocation of Resources Without Limits or Throttling in Axios | 1.7.9 | 1.16.0 |
| axios | GHSA-j5f8-grm9-p9fc | HIGH | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | 1.7.9 | 1.16.0 |
| axios | GHSA-pjwm-pj3p-43mv | HIGH | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | 1.7.9 | 1.16.0 |
| axios | GHSA-pmwg-cvhr-8vh7 | HIGH | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | 1.7.9 | 1.15.1 |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.7.9 | 1.12.0 |
| axios | CVE-2025-58754 | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.7.9 | - |
| axios | GHSA-p92q-9vqr-4j8v | HIGH | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | 1.7.9 | 1.16.0 |
| axios | GHSA-q8qp-cvcw-x6jj | HIGH | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | 1.7.9 | 1.15.2 |
| axios | GHSA-hfxv-24rg-xrqf | HIGH | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | 1.7.9 | 1.16.0 |
| axios | GHSA-43fc-jf86-j433 | HIGH | Axios is Vulnerable to Denial of Service via proto Key in mergeConfig | 1.7.9 | 1.13.5 |
| axios | GHSA-jr5f-v2jv-69x6 | HIGH | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | 1.7.9 | 1.8.2 |
| axios | CVE-2025-27152 | HIGH | Possible SSRF and Credential Leakage via Absolute URL in axios Requests | 1.7.9 | - |
| axios | GHSA-35jp-ww65-95wh | HIGH | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy | 1.7.9 | 1.16.0 |
| axios | GHSA-6chq-wfr3-2hj9 | HIGH | Axios: Header Injection via Prototype Pollution | 1.7.9 | 1.15.1 |
| devalue | GHSA-g2pg-6438-jwpf | HIGH | devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse | 5.1.1 | 5.6.2 |
| devalue | CVE-2025-57820 | HIGH | Svelte devalue vulnerable to prototype pollution | 5.1.1 | - |
| devalue | GHSA-vj54-72f3-p5jv | HIGH | devalue prototype pollution vulnerability | 5.1.1 | 5.3.2 |
| devalue | CVE-2026-22775 | HIGH | devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse | 5.1.1 | - |
| fast-xml-parser | CVE-2026-26278 | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.5.3 | - |
| fast-xml-parser | GHSA-jmr7-xgp7-cmfj | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.5.3 | 4.5.4 |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.5.3 | 5.5.6 |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.5.3 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| h3 | GHSA-22cc-p3c6-wpvm | HIGH | h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields | 1.15.1 | 2.0.1-rc.15 |
| h3 | CVE-2026-23527 | HIGH | Request Smuggling (TE.TE) in h3 v1 | 1.15.1 | - |
| h3 | GHSA-mp2g-9vg9-f4cg | HIGH | h3 v1 has Request Smuggling (TE.TE) issue | 1.15.1 | 1.15.5 |
| h3 | CVE-2026-33128 | HIGH | h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields | 1.15.1 | - |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via `_.template` imports key names | 4.17.21 | 4.18.0 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
| protobufjs | GHSA-685m-2w69-288q | HIGH | protobuf.js: Denial of service through unbounded protobuf recursion | 7.4.0 | 7.5.6 |
| protobufjs | GHSA-75px-5xx7-5xc7 | HIGH | protobuf.js: Code generation gadget after prototype pollution | 7.4.0 | 7.5.6 |
| protobufjs | GHSA-jvwf-75h9-cwgg | HIGH | protobuf.js: Process-wide denial of service through unsafe option paths | 7.4.0 | 7.5.6 |
| protobufjs | GHSA-66ff-xgx4-vchm | HIGH | protobuf.js: Code injection through bytes field defaults in generated toObject code | 7.4.0 | 7.5.6 |
| tar | GHSA-9ppj-qmqm-q256 | HIGH | node-tar Symlink Path Traversal via Drive-Relative Linkpath | 7.4.3 | 7.5.11 |
| tar | CVE-2026-29786 | HIGH | node-tar: Hardlink Path Traversal via Drive-Relative Linkpath | 7.4.3 | - |
| tar | GHSA-qffp-2rhf-9h96 | HIGH | tar has Hardlink Path Traversal via Drive-Relative Linkpath | 7.4.3 | 7.5.10 |
| tar | CVE-2026-24842 | HIGH | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal | 7.4.3 | - |
| tar | GHSA-8qq5-rm4j-mr97 | HIGH | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization | 7.4.3 | 7.5.3 |
| tar | CVE-2026-23745 | HIGH | node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization | 7.4.3 | - |
| tar | CVE-2026-31802 | HIGH | node-tar Symlink Path Traversal via Drive-Relative Linkpath | 7.4.3 | - |
| tar | GHSA-83g3-92jg-28cx | HIGH | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction | 7.4.3 | 7.5.8 |
| tar | GHSA-r6q2-hw4h-h46w | HIGH | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS | 7.4.3 | 7.5.4 |
| tar | CVE-2026-23950 | HIGH | node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS | 7.4.3 | - |
| tar | GHSA-34x7-hfp2-rc4v | HIGH | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal | 7.4.3 | 7.5.7 |
| tar | CVE-2026-26960 | HIGH | node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction | 7.4.3 | - |
| vite | GHSA-p9ff-h696-f583 | HIGH | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket | 6.2.0 | 8.0.5 |
| vite | CVE-2025-31125 | HIGH | This package is related to CVE CVE-2025-31125 which was detected by cisa.gov as actively being exploited in the wild | 6.2.0 | - |
ℹ️ Other Vulnerabilities (70)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| axios | GHSA-445q-vr5w-6q77 | MODERATE | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | 1.7.9 | 1.15.1 |
| axios | GHSA-3w6x-2g7m-8v23 | MODERATE | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver | 1.7.9 | 1.15.2 |
| axios | GHSA-5c9x-8gcm-mpgx | MODERATE | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | 1.7.9 | 1.15.1 |
| axios | GHSA-vf2m-468p-8v99 | MODERATE | Axios: HTTP adapter streamed responses bypass maxContentLength | 1.7.9 | 1.15.1 |
| axios | GHSA-898c-q2cr-xwhg | MODERATE | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | 1.7.9 | 1.16.0 |
| axios | GHSA-3p68-rc4w-qgx5 | MODERATE | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | 1.7.9 | 1.15.0 |
| axios | GHSA-62hf-57xw-28j9 | MODERATE | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | 1.7.9 | 1.15.1 |
| axios | GHSA-m7pr-hjqh-92cm | MODERATE | Axios: no_proxy bypass via IP alias allows SSRF | 1.7.9 | 1.15.1 |
| axios | GHSA-w9j2-pvgh-6h63 | MODERATE | Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy | 1.7.9 | 1.15.1 |
| axios | GHSA-fvcv-3m26-pcqx | MODERATE | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.7.9 | 1.15.0 |
| axios | GHSA-xx6v-rp6x-q39c | MODERATE | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion | 1.7.9 | 1.15.1 |
| devalue | GHSA-cfw5-2vxh-hr84 | MODERATE | devalue has prototype pollution in devalue.parse and devalue.unflatten | 5.1.1 | 5.6.4 |
| devalue | CVE-2026-30226 | MODERATE | devalue has prototype pollution in devalue.parse and devalue.unflatten | 5.1.1 | - |
| dompurify | GHSA-39q2-94rc-95cp | MODERATE | DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation | 3.2.4 | 3.4.0 |
| dompurify | GHSA-crv5-9vww-q3g8 | MODERATE | DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode | 3.2.4 | 3.4.0 |
| dompurify | GHSA-cjmm-f4jc-qw8r | MODERATE | DOMPurify ADD_ATTR predicate skips URI validation | 3.2.4 | 3.3.2 |
| dompurify | GHSA-h7mw-gpvr-xq4m | MODERATE | DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) | 3.2.4 | 3.4.0 |
| dompurify | GHSA-h8r8-wccr-v5f2 | MODERATE | DOMPurify is vulnerable to mutation-XSS via Re-Contextualization | 3.2.4 | 3.3.2 |
| dompurify | GHSA-v8jm-5vwx-cfxm | MODERATE | DOMPurify contains a Cross-site Scripting vulnerability | 3.2.4 | 3.2.7 |
| dompurify | CVE-2025-15599 | MODERATE | - | 3.2.4 | - |
| dompurify | GHSA-v9jr-rg53-9pgp | MODERATE | DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback | 3.2.4 | 3.4.0 |
| dompurify | CVE-2026-0540 | MODERATE | - | 3.2.4 | - |
| dompurify | GHSA-cj63-jhhr-wcxv | MODERATE | DOMPurify USE_PROFILES prototype pollution allows event handlers | 3.2.4 | 3.3.2 |
| dompurify | GHSA-v2wj-7wpq-c8vv | MODERATE | DOMPurify contains a Cross-site Scripting vulnerability | 3.2.4 | 3.3.2 |
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 4.5.3 | - |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 4.5.3 | 4.5.5 |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 4.5.3 | 5.7.0 |
| h3 | GHSA-72gr-qfp7-vwhw | MODERATE | h3: Double Decoding in serveStatic Bypasses resolveDotSegments Path Traversal Protection via %252e%252e | 1.15.1 | 1.15.9 |
| h3 | GHSA-wr4h-v87w-p3r7 | MODERATE | h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read | 1.15.1 | 2.0.1-rc.15 |
| h3 | GHSA-4hxc-9384-m385 | MODERATE | h3: SSE Event Injection via Unsanitized Carriage Return (\r) in EventStream Data and Comment Fields (Bypass of CVE Fix) | 1.15.1 | 2.0.1-rc.17 |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions | 4.17.21 | 4.17.23 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` | 4.17.21 | 4.18.0 |
| mermaid | GHSA-7rqq-prvp-x9jh | MODERATE | Mermaid improperly sanitizes sequence diagram labels leading to XSS | 11.4.1 | 11.10.0 |
| mermaid | GHSA-87f9-hvmw-gh4p | MODERATE | Mermaid: Improper sanitization of configuration leads to CSS injection | 11.4.1 | 11.15.0 |
| mermaid | GHSA-8gwm-58g9-j8pw | MODERATE | Mermaid does not properly sanitize architecture diagram iconText leading to XSS | 11.4.1 | 11.10.0 |
| mermaid | CVE-2025-54881 | MODERATE | Mermaid improperly sanitizes sequence diagram labels leading to XSS | 11.4.1 | - |
| mermaid | GHSA-ghcm-xqfw-q4vr | MODERATE | Mermaid: Improper sanitization of classDef in state diagrams leads to HTML injection | 11.4.1 | 11.15.0 |
| mermaid | GHSA-xcj9-5m2h-648r | MODERATE | Mermaid: Improper sanitization of classDefs in diagrams leads to CSS injection | 11.4.1 | 11.15.0 |
| mermaid | GHSA-6m6c-36f7-fhxh | MODERATE | Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS | 11.4.1 | 11.15.0 |
| mermaid | CVE-2025-54880 | MODERATE | Mermaid does not properly sanitize architecture diagram iconText leading to XSS | 11.4.1 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| protobufjs | GHSA-fx83-v9x8-x52w | MODERATE | protobuf.js: Prototype injection in generated message constructors | 7.4.0 | 7.5.6 |
| protobufjs | GHSA-jggg-4jg4-v7c6 | MODERATE | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | 7.4.0 | 7.5.8 |
| protobufjs | GHSA-2pr8-phx7-x9h3 | MODERATE | protobuf.js: Denial of service from crafted field names in generated code | 7.4.0 | 7.5.6 |
| protobufjs | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 7.4.0 | 7.5.6 |
| vite | GHSA-xcj6-pq6g-qj4x | MODERATE | Vite allows server.fs.deny to be bypassed with .svg or relative paths | 6.2.0 | 6.2.5 |
| vite | GHSA-859w-5945-r5v3 | MODERATE | Vite's server.fs.deny bypassed with /. for files under project root | 6.2.0 | 6.3.4 |
| vite | CVE-2025-30208 | MODERATE | Vite bypasses server.fs.deny when using ?raw?? | 6.2.0 | - |
| vite | GHSA-93m4-6634-74q7 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 6.2.0 | 7.1.11 |
| vite | GHSA-356w-63v5-8wf4 | MODERATE | Vite has a server.fs.deny bypass with an invalid request-target | 6.2.0 | 6.2.6 |
| vite | CVE-2025-32395 | MODERATE | Vite has a server.fs.deny bypass with an invalid request-target | 6.2.0 | - |
| vite | GHSA-x574-m823-4x7w | MODERATE | Vite bypasses server.fs.deny when using ?raw?? | 6.2.0 | 6.2.3 |
| vite | CVE-2025-46565 | MODERATE | Vite's server.fs.deny bypassed with /. for files under project root | 6.2.0 | - |
| vite | GHSA-4r4m-qw57-chr8 | MODERATE | Vite has a server.fs.deny bypassed for inline and raw with ?import query | 6.2.0 | 6.2.4 |
| vite | CVE-2025-62522 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 6.2.0 | - |
| vite | CVE-2025-31486 | MODERATE | Vite allows server.fs.deny to be bypassed with .svg or relative paths | 6.2.0 | - |
| vite | CVE-2025-31125 | MODERATE | Vite has a server.fs.deny bypassed for inline and raw with ?import query | 6.2.0 | - |
| vite | GHSA-4w7w-66w2-5vf9 | MODERATE | Vite Vulnerable to Path Traversal in Optimized Deps .map Handling | 6.2.0 | 8.0.5 |
| axios | GHSA-xhjh-pmcv-23jw | LOW | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | 1.7.9 | 1.15.1 |
| devalue | GHSA-8qm3-746x-r74r | LOW | devalue unevaled code can create objects with polluted prototypes when evaled | 5.1.1 | 5.6.3 |
| devalue | GHSA-33hq-fvwr-56pm | LOW | devalue affected by CPU and memory amplification from sparse arrays | 5.1.1 | 5.6.3 |
| devalue | GHSA-mwv9-gp5h-frr4 | LOW | Sveltejs devalue's devalue.parse and devalue.unflatten emit objects with __proto__ own properties | 5.1.1 | 5.6.4 |
| fast-xml-parser | CVE-2026-27942 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.5.3 | - |
| fast-xml-parser | GHSA-fj3w-jwp8-x2g3 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.5.3 | 5.3.8 |
| vite | GHSA-jqfw-vq24-v9c3 | LOW | Vite's server.fs settings were not applied to HTML files | 6.2.0 | 7.1.5 |
| vite | CVE-2025-58752 | LOW | Vite's server.fs settings were not applied to HTML files | 6.2.0 | - |
| vite | CVE-2025-58751 | LOW | Vite middleware may serve files starting with the same name with the public directory | 6.2.0 | - |
| vite | GHSA-g4jq-h2w9-997c | LOW | Vite middleware may serve files starting with the same name with the public directory | 6.2.0 | 7.1.5 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
