Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 8 · patch: 7) #43

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783349002
Open

fix(deps): vuln minor upgrades — 15 packages (minor: 8 · patch: 7) #43
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783349002

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
protobufjs 7.2.6 7.6.5 minor Transitive 1 CRITICAL, 5 HIGH, 5 MEDIUM
shell-quote 1.8.1 1.8.4 patch Transitive 1 CRITICAL
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
path-to-regexp 0.1.7 0.1.13 patch Transitive 5 HIGH
validator 13.9.0 13.15.35 minor Transitive 2 HIGH, 2 MEDIUM
body-parser 1.20.2 1.20.5 patch Transitive 2 HIGH
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
js-yaml 4.1.0 4.3.0 minor Direct 3 MEDIUM
qs 6.11.0 6.15.3 minor Transitive 2 MEDIUM, 2 LOW
brace-expansion 1.1.11 1.1.15 patch Transitive 2 MEDIUM, 2 LOW
@opentelemetry/core 1.15.0 1.15.2 patch Transitive 1 MEDIUM
@protobufjs/utf8 1.1.0 1.1.1 patch Transitive 1 MEDIUM
express 4.19.2 4.22.2 minor Direct 2 LOW
on-headers 1.0.2 1.1.0 minor Transitive 2 LOW
serve-static 1.15.0 1.16.3 minor Transitive 2 LOW

Security Details

🚨 Critical & High Severity (23 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
protobufjs GHSA-xq3m-2v4x-88gg CRITICAL Arbitrary code execution in protobufjs 7.2.6 8.0.1 -
shell-quote GHSA-w7jw-789q-3m8p CRITICAL shell-quote quote() does not escape newlines in object .op values 1.8.1 1.8.4 -
body-parser CVE-2024-45590 HIGH body-parser vulnerable to denial of service when url encoding is enabled 1.20.2 - -
body-parser GHSA-qwcr-r2fm-qrc7 HIGH body-parser vulnerable to denial of service when url encoding is enabled 1.20.2 1.20.3 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1 -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3 -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 - -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 - -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 - -
path-to-regexp CVE-2024-52798 HIGH path-to-regexp Unpatched path-to-regexp ReDoS in 0.1.x 0.1.7 - -
path-to-regexp GHSA-37ch-88jc-xwx2 HIGH path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters 0.1.7 0.1.13 -
path-to-regexp GHSA-9wv6-86v2-598j HIGH path-to-regexp outputs backtracking regular expressions 0.1.7 1.9.0 -
path-to-regexp CVE-2024-45296 HIGH path-to-regexp outputs backtracking regular expressions 0.1.7 - -
path-to-regexp GHSA-rhx6-c78j-4q9w HIGH path-to-regexp contains a ReDoS 0.1.7 0.1.12 -
protobufjs GHSA-685m-2w69-288q HIGH protobuf.js: Denial of service through unbounded protobuf recursion 7.2.6 7.5.6 -
protobufjs GHSA-66ff-xgx4-vchm HIGH protobuf.js: Code injection through bytes field defaults in generated toObject code 7.2.6 7.5.6 -
protobufjs GHSA-jvwf-75h9-cwgg HIGH protobuf.js: Process-wide denial of service through unsafe option paths 7.2.6 7.5.6 -
protobufjs GHSA-wcpc-wj8m-hjx6 HIGH protobufjs: Denial of service through unbounded Any expansion during JSON conversion 7.2.6 7.6.1 -
protobufjs GHSA-75px-5xx7-5xc7 HIGH protobuf.js: Code generation gadget after prototype pollution 7.2.6 7.5.6 -
validator GHSA-vghf-hv5q-vc2g HIGH Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements 13.9.0 13.15.22 -
validator CVE-2025-12758 HIGH - 13.9.0 - -
ℹ️ Other Vulnerabilities (29)
Package CVE Severity Summary Unsafe Version Fixed In Case
@opentelemetry/core GHSA-8988-4f7v-96qf MODERATE OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation 1.15.0 2.8.0 -
@protobufjs/utf8 GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 1.1.0 1.1.1 -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 5.0.5 -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 - -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 4.1.1 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 4.1.0 4.2.0 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 - -
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0 -
lodash CVE-2025-13465 MODERATE - 4.17.21 - -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23 -
protobufjs GHSA-2pr8-phx7-x9h3 MODERATE protobuf.js: Denial of service from crafted field names in generated code 7.2.6 7.5.6 -
protobufjs GHSA-jggg-4jg4-v7c6 MODERATE protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion 7.2.6 7.5.8 -
protobufjs GHSA-fx83-v9x8-x52w MODERATE protobuf.js: Prototype injection in generated message constructors 7.2.6 7.5.6 -
protobufjs GHSA-f38q-mgvj-vph7 MODERATE protobufjs : Schema-derived names can shadow runtime-significant properties 7.2.6 7.6.3 -
protobufjs GHSA-q6x5-8v7m-xcrf MODERATE protobufjs has overlong UTF-8 decoding 7.2.6 7.5.6 -
qs GHSA-6rw7-vpxm-498p MODERATE qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion 6.11.0 6.14.1 -
qs CVE-2025-15284 MODERATE - 6.11.0 - -
validator GHSA-9965-vmph-33xx MODERATE validator.js has a URL validation bypass vulnerability in its isURL function 13.9.0 13.15.20 -
validator CVE-2025-56200 MODERATE - 13.9.0 - -
brace-expansion GHSA-v6h2-p8h4-qcjw LOW brace-expansion Regular Expression Denial of Service vulnerability 1.1.11 2.0.2 -
brace-expansion CVE-2025-5889 LOW - 1.1.11 - -
express GHSA-qw6h-vgh9-j6wx LOW express vulnerable to XSS via response.redirect() 4.19.2 4.20.0 -
express CVE-2024-43796 LOW express vulnerable to XSS via response.redirect() 4.19.2 - -
on-headers GHSA-76c9-3jph-rj3q LOW on-headers is vulnerable to http response header manipulation 1.0.2 1.1.0 -
on-headers CVE-2025-7339 LOW - 1.0.2 - -
qs GHSA-w7fw-mjwx-w883 LOW qs's arrayLimit bypass in comma parsing allows denial of service 6.11.0 6.14.2 -
qs CVE-2026-2391 LOW - 6.11.0 - -
serve-static GHSA-cm22-4g7w-348p LOW serve-static vulnerable to template injection that can lead to XSS 1.15.0 1.16.0 -
serve-static CVE-2024-43800 LOW serve-static affected by template injection that can lead to XSS 1.15.0 - -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@dd-prapprover-prod-77c48c

dd-prapprover-prod-77c48c Bot commented Jul 7, 2026

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-07-07T12:27:11Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: waiting for CI tests to complete...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants