Skip to content

fix(deps): vuln minor upgrades — 14 packages (minor: 7 · patch: 7) #42

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1781534401
Open

fix(deps): vuln minor upgrades — 14 packages (minor: 7 · patch: 7) #42
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1781534401

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • . (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
protobufjs 7.2.6 7.6.4 minor Transitive 1 CRITICAL, 4 HIGH, 4 MEDIUM
shell-quote 1.8.1 1.8.4 patch Transitive 1 CRITICAL
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
path-to-regexp 0.1.7 0.1.13 patch Transitive 5 HIGH
validator 13.9.0 13.15.35 minor Transitive 2 HIGH, 2 MEDIUM
body-parser 1.20.2 1.20.5 patch Transitive 2 HIGH
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
qs 6.11.0 6.15.2 minor Transitive 2 MEDIUM, 2 LOW
brace-expansion 1.1.11 1.1.15 patch Transitive 2 MEDIUM, 2 LOW
js-yaml 4.1.0 4.1.1 patch Direct 2 MEDIUM
@protobufjs/utf8 1.1.0 1.1.1 patch Transitive 1 MEDIUM
express 4.19.2 4.22.2 minor Direct 2 LOW
on-headers 1.0.2 1.1.0 minor Transitive 2 LOW
serve-static 1.15.0 1.16.3 minor Transitive 2 LOW

Security Details

🚨 Critical & High Severity (22 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
protobufjs GHSA-xq3m-2v4x-88gg CRITICAL Arbitrary code execution in protobufjs 7.2.6 8.0.1
shell-quote GHSA-w7jw-789q-3m8p CRITICAL shell-quote quote() does not escape newlines in object .op values 1.8.1 1.8.4
body-parser CVE-2024-45590 HIGH body-parser vulnerable to denial of service when url encoding is enabled 1.20.2 -
body-parser GHSA-qwcr-r2fm-qrc7 HIGH body-parser vulnerable to denial of service when url encoding is enabled 1.20.2 1.20.3
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1
path-to-regexp GHSA-9wv6-86v2-598j HIGH path-to-regexp outputs backtracking regular expressions 0.1.7 1.9.0
path-to-regexp CVE-2024-52798 HIGH path-to-regexp Unpatched path-to-regexp ReDoS in 0.1.x 0.1.7 -
path-to-regexp CVE-2024-45296 HIGH path-to-regexp outputs backtracking regular expressions 0.1.7 -
path-to-regexp GHSA-rhx6-c78j-4q9w HIGH path-to-regexp contains a ReDoS 0.1.7 0.1.12
path-to-regexp GHSA-37ch-88jc-xwx2 HIGH path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters 0.1.7 0.1.13
protobufjs GHSA-jvwf-75h9-cwgg HIGH protobuf.js: Process-wide denial of service through unsafe option paths 7.2.6 7.5.6
protobufjs GHSA-75px-5xx7-5xc7 HIGH protobuf.js: Code generation gadget after prototype pollution 7.2.6 7.5.6
protobufjs GHSA-685m-2w69-288q HIGH protobuf.js: Denial of service through unbounded protobuf recursion 7.2.6 7.5.6
protobufjs GHSA-66ff-xgx4-vchm HIGH protobuf.js: Code injection through bytes field defaults in generated toObject code 7.2.6 7.5.6
validator CVE-2025-12758 HIGH - 13.9.0 -
validator GHSA-vghf-hv5q-vc2g HIGH Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements 13.9.0 13.15.22
ℹ️ Other Vulnerabilities (26)
Package CVE Severity Summary Unsafe Version Fixed In
@protobufjs/utf8 GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 1.1.0 1.1.1
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 5.0.5
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 4.1.1
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0
lodash CVE-2025-13465 MODERATE - 4.17.21 -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23
protobufjs GHSA-jggg-4jg4-v7c6 MODERATE protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion 7.2.6 7.5.8
protobufjs GHSA-fx83-v9x8-x52w MODERATE protobuf.js: Prototype injection in generated message constructors 7.2.6 7.5.6
protobufjs GHSA-2pr8-phx7-x9h3 MODERATE protobuf.js: Denial of service from crafted field names in generated code 7.2.6 7.5.6
protobufjs GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 7.2.6 7.5.6
qs GHSA-6rw7-vpxm-498p MODERATE qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion 6.11.0 6.14.1
qs CVE-2025-15284 MODERATE - 6.11.0 -
validator CVE-2025-56200 MODERATE - 13.9.0 -
validator GHSA-9965-vmph-33xx MODERATE validator.js has a URL validation bypass vulnerability in its isURL function 13.9.0 13.15.20
brace-expansion GHSA-v6h2-p8h4-qcjw LOW brace-expansion Regular Expression Denial of Service vulnerability 1.1.11 2.0.2
brace-expansion CVE-2025-5889 LOW - 1.1.11 -
express GHSA-qw6h-vgh9-j6wx LOW express vulnerable to XSS via response.redirect() 4.19.2 4.20.0
express CVE-2024-43796 LOW express vulnerable to XSS via response.redirect() 4.19.2 -
on-headers CVE-2025-7339 LOW - 1.0.2 -
on-headers GHSA-76c9-3jph-rj3q LOW on-headers is vulnerable to http response header manipulation 1.0.2 1.1.0
qs GHSA-w7fw-mjwx-w883 LOW qs's arrayLimit bypass in comma parsing allows denial of service 6.11.0 6.14.2
qs CVE-2026-2391 LOW - 6.11.0 -
serve-static GHSA-cm22-4g7w-348p LOW serve-static vulnerable to template injection that can lead to XSS 1.15.0 1.16.0
serve-static CVE-2024-43800 LOW serve-static affected by template injection that can lead to XSS 1.15.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants