fix(deps): vuln minor upgrades — 15 packages (minor: 8 · patch: 7) #36

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/0-1781556849
Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (pnpm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
| --- | --- | --- | --- | --- | --- |
| protobufjs | 7.5.4 | 7.6.4 | minor | Transitive | 1 CRITICAL, 5 HIGH, 5 MEDIUM |
| shell-quote | 1.8.3 | 1.8.4 | patch | Transitive | 1 CRITICAL |
| axios | 1.12.0 | 1.17.0 | minor | Transitive | 13 HIGH, 11 MEDIUM, 1 LOW |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| tar | 7.5.9 | 7.5.16 | patch | Transitive | 4 HIGH, 1 MEDIUM |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| picomatch | 4.0.3 | 4.0.4 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| effect | 3.19.12 | 3.21.3 | minor | Transitive | 2 HIGH |
| rollup | 4.53.5 | 4.62.0 | minor | Transitive | 2 HIGH |
| fast-uri | 3.1.0 | 3.1.2 | patch | Transitive | 2 HIGH |
| koa | 3.1.1 | 3.1.2 | patch | Transitive | 2 HIGH |
| svgo | 2.8.0 | 2.8.2 | patch | Transitive | 2 HIGH |
| @sveltejs/kit | 2.53.0 | 2.65.0 | minor | Direct | 1 HIGH, 2 MEDIUM, 1 LOW |
| svelte | 5.53.3 | 5.56.3 | minor | Direct | 8 MEDIUM |
| qs | 6.14.0 | 6.15.2 | minor | Transitive | 3 MEDIUM, 2 LOW |

Security Details

🚨 Critical & High Severity (47 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| protobufjs | GHSA-xq3m-2v4x-88gg | CRITICAL | Arbitrary code execution in protobufjs | 7.5.4 | 8.0.1 |
| shell-quote | GHSA-w7jw-789q-3m8p | CRITICAL | shell-quote quote() does not escape newlines in object .op values | 1.8.3 | 1.8.4 |
| @sveltejs/kit | GHSA-2crg-3p73-43xp | HIGH | @sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass | 2.53.0 | 2.57.1 |
| axios | GHSA-35jp-ww65-95wh | HIGH | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy | 1.12.0 | 1.16.0 |
| axios | GHSA-3g43-6gmg-66jw | HIGH | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | 1.12.0 | 1.15.2 |
| axios | GHSA-6chq-wfr3-2hj9 | HIGH | Axios: Header Injection via Prototype Pollution | 1.12.0 | 1.15.1 |
| axios | GHSA-pmwg-cvhr-8vh7 | HIGH | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | 1.12.0 | 1.15.1 |
| axios | GHSA-pjwm-pj3p-43mv | HIGH | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | 1.12.0 | 1.16.0 |
| axios | GHSA-777c-7fjr-54vf | HIGH | Allocation of Resources Without Limits or Throttling in Axios | 1.12.0 | 1.16.0 |
| axios | GHSA-j5f8-grm9-p9fc | HIGH | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | 1.12.0 | 1.16.0 |
| axios | GHSA-q8qp-cvcw-x6jj | HIGH | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | 1.12.0 | 1.15.2 |
| axios | GHSA-hfxv-24rg-xrqf | HIGH | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | 1.12.0 | 1.16.0 |
| axios | GHSA-p92q-9vqr-4j8v | HIGH | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | 1.12.0 | 1.16.0 |
| axios | GHSA-43fc-jf86-j433 | HIGH | Axios is Vulnerable to Denial of Service via proto Key in mergeConfig | 1.12.0 | 1.13.5 |
| axios | CVE-2026-25639 | HIGH | Axios affected by Denial of Service via proto Key in mergeConfig | 1.12.0 | - |
| axios | GHSA-pf86-5x62-jrwf | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | 1.12.0 | 1.15.1 |
| effect | CVE-2026-32887 | HIGH | Effect Bug: AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC | 3.19.12 | - |
| effect | GHSA-38f7-945m-qr2g | HIGH | Effect AsyncLocalStorage context lost/contaminated inside Effect fibers under concurrent load with RPC | 3.19.12 | 3.20.0 |
| fast-uri | GHSA-q3j6-qgpj-74h6 | HIGH | fast-uri vulnerable to path traversal via percent-encoded dot segments | 3.1.0 | 3.1.1 |
| fast-uri | GHSA-v39h-62p7-jpjc | HIGH | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | 3.1.0 | 3.1.2 |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| koa | GHSA-7gcc-r8m5-44qm | HIGH | Koa has Host Header Injection via ctx.hostname | 3.1.1 | 3.1.2 |
| koa | CVE-2026-27959 | HIGH | Koa has Host Header Injection via ctx.hostname | 3.1.1 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.3 | - |
| protobufjs | GHSA-685m-2w69-288q | HIGH | protobuf.js: Denial of service through unbounded protobuf recursion | 7.5.4 | 7.5.6 |
| protobufjs | GHSA-jvwf-75h9-cwgg | HIGH | protobuf.js: Process-wide denial of service through unsafe option paths | 7.5.4 | 7.5.6 |
| protobufjs | GHSA-66ff-xgx4-vchm | HIGH | protobuf.js: Code injection through bytes field defaults in generated toObject code | 7.5.4 | 7.5.6 |
| protobufjs | GHSA-75px-5xx7-5xc7 | HIGH | protobuf.js: Code generation gadget after prototype pollution | 7.5.4 | 7.5.6 |
| protobufjs | GHSA-wcpc-wj8m-hjx6 | HIGH | protobufjs: Denial of service through unbounded Any expansion during JSON conversion | 7.5.4 | 7.6.1 |
| rollup | GHSA-mw96-cpmx-2vgc | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 4.53.5 | 2.80.0 |
| rollup | CVE-2026-27606 | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 4.53.5 | - |
| svgo | CVE-2026-29074 | HIGH | SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs) | 2.8.0 | - |
| svgo | GHSA-xpqw-6gx7-v673 | HIGH | SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) | 2.8.0 | 2.8.1 |
| tar | GHSA-qffp-2rhf-9h96 | HIGH | tar has Hardlink Path Traversal via Drive-Relative Linkpath | 7.5.9 | 7.5.10 |
| tar | GHSA-9ppj-qmqm-q256 | HIGH | node-tar Symlink Path Traversal via Drive-Relative Linkpath | 7.5.9 | 7.5.11 |
| tar | CVE-2026-29786 | HIGH | node-tar: Hardlink Path Traversal via Drive-Relative Linkpath | 7.5.9 | - |
| tar | CVE-2026-31802 | HIGH | node-tar Symlink Path Traversal via Drive-Relative Linkpath | 7.5.9 | - |

ℹ️ Other Vulnerabilities (36)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
| --- | --- | --- | --- | --- | --- |
| @sveltejs/kit | GHSA-hgv7-v322-mmgr | MODERATE | @sveltejs/kit: query.batch cross-talk | 2.53.0 | 2.60.1 |
| @sveltejs/kit | GHSA-3f6h-2hrp-w5wx | MODERATE | @sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service | 2.53.0 | 2.57.1 |
| axios | GHSA-3w6x-2g7m-8v23 | MODERATE | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver | 1.12.0 | 1.15.2 |
| axios | GHSA-62hf-57xw-28j9 | MODERATE | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | 1.12.0 | 1.15.1 |
| axios | GHSA-445q-vr5w-6q77 | MODERATE | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | 1.12.0 | 1.15.1 |
| axios | GHSA-xx6v-rp6x-q39c | MODERATE | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion | 1.12.0 | 1.15.1 |
| axios | GHSA-w9j2-pvgh-6h63 | MODERATE | Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy | 1.12.0 | 1.15.1 |
| axios | GHSA-fvcv-3m26-pcqx | MODERATE | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.12.0 | 1.15.0 |
| axios | GHSA-898c-q2cr-xwhg | MODERATE | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | 1.12.0 | 1.16.0 |
| axios | GHSA-5c9x-8gcm-mpgx | MODERATE | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | 1.12.0 | 1.15.1 |
| axios | GHSA-m7pr-hjqh-92cm | MODERATE | Axios: no_proxy bypass via IP alias allows SSRF | 1.12.0 | 1.15.1 |
| axios | GHSA-3p68-rc4w-qgx5 | MODERATE | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | 1.12.0 | 1.15.0 |
| axios | GHSA-vf2m-468p-8v99 | MODERATE | Axios: HTTP adapter streamed responses bypass maxContentLength | 1.12.0 | 1.15.1 |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.3 | - |
| protobufjs | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 7.5.4 | 7.5.6 |
| protobufjs | GHSA-fx83-v9x8-x52w | MODERATE | protobuf.js: Prototype injection in generated message constructors | 7.5.4 | 7.5.6 |
| protobufjs | GHSA-2pr8-phx7-x9h3 | MODERATE | protobuf.js: Denial of service from crafted field names in generated code | 7.5.4 | 7.5.6 |
| protobufjs | GHSA-f38q-mgvj-vph7 | MODERATE | protobufjs: Schema-derived names can shadow runtime-significant properties | 7.5.4 | 7.6.3 |
| protobufjs | GHSA-jggg-4jg4-v7c6 | MODERATE | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | 7.5.4 | 7.5.8 |
| qs | CVE-2025-15284 | MODERATE | - | 6.14.0 | - |
| qs | GHSA-q8mj-m7cp-5q26 | MODERATE | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | 6.14.0 | 6.15.2 |
| qs | GHSA-6rw7-vpxm-498p | MODERATE | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion | 6.14.0 | 6.14.1 |
| svelte | GHSA-rcqx-6q8c-2c42 | MODERATE | Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State | 5.53.3 | 5.55.7 |
| svelte | GHSA-qgvg-pr8v-6rr3 | MODERATE | Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers | 5.53.3 | 5.53.5 |
| svelte | CVE-2026-27902 | MODERATE | Svelte Vulnerable to XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers | 5.53.3 | - |
| svelte | GHSA-9rmh-mm8f-r9h6 | MODERATE | Svelte: ReDoS in <svelte:element> Tag Validation | 5.53.3 | 5.55.7 |
| svelte | GHSA-phwv-c562-gvmh | MODERATE | Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent | 5.53.3 | 5.53.5 |
| svelte | CVE-2026-27901 | MODERATE | Svelte vulnerable to XSS during SSR with contenteditable bind:innerText and bind:textContent | 5.53.3 | - |
| svelte | GHSA-pr6f-5x2q-rwfp | MODERATE | Svelte SSR vulnerable to cross-site scripting via spread attributes | 5.53.3 | 5.55.7 |
| svelte | GHSA-f3cj-j4f6-wq85 | MODERATE | Svelte: SSR XSS via Insecure Promise Serialization in hydratable | 5.53.3 | 5.55.7 |
| tar | GHSA-vmf3-w455-68vh | MODERATE | node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) | 7.5.9 | 7.5.16 |
| @sveltejs/kit | GHSA-fpg4-jhqr-589c | LOW | SvelteKit has deserialization expansion in unvalidated form remote function leading to Denial of Service (experimental only) | 2.53.0 | 2.53.3 |
| axios | GHSA-xhjh-pmcv-23jw | LOW | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | 1.12.0 | 1.15.1 |
| qs | CVE-2026-2391 | LOW | - | 6.14.0 | - |
| qs | GHSA-w7fw-mjwx-w883 | LOW | qs's arrayLimit bypass in comma parsing allows denial of service | 6.14.0 | 6.14.2 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

datadog-prod-us1-6 Bot commented Jun 15, 2026

Pipelines

⚠️ Warnings

🚦 8 Pipeline jobs failed

  • Danger | danger (GitHub Actions)
  • Playwright | e2e-tests (GitHub Actions)
  • Playwright | integration-tests (GitHub Actions)
  • ... 5 more failed jobs (8 in total)

🔗 Commit SHA: d88a0d3
