Skip to content

Security: dependency vulnerability found — 2026-07-01 #431

Description

@github-actions

The scheduled security audit failed. Please review the details below:

NPM Audit Vulnerabilities

  • @opentelemetry/auto-instrumentations-node (high): via @opentelemetry/instrumentation-amqplib, @opentelemetry/instrumentation-aws-sdk, @opentelemetry/instrumentation-connect, @opentelemetry/instrumentation-express, @opentelemetry/instrumentation-fastify, @opentelemetry/instrumentation-fs, @opentelemetry/instrumentation-hapi, @opentelemetry/instrumentation-http, @opentelemetry/instrumentation-koa, @opentelemetry/instrumentation-mongoose, @opentelemetry/instrumentation-mysql2, @opentelemetry/instrumentation-pg, @opentelemetry/instrumentation-pino, @opentelemetry/instrumentation-restify, @opentelemetry/instrumentation-undici, @opentelemetry/resource-detector-alibaba-cloud, @opentelemetry/resource-detector-aws, @opentelemetry/resource-detector-azure, @opentelemetry/resource-detector-container, @opentelemetry/resource-detector-gcp, @opentelemetry/resources, @opentelemetry/sdk-node, Prometheus exporter process crash via malformed HTTP request
  • @opentelemetry/exporter-prometheus (high): via @opentelemetry/core, @opentelemetry/resources, @opentelemetry/sdk-metrics, Prometheus exporter process crash via malformed HTTP request
  • @opentelemetry/sdk-node (high): via @opentelemetry/core, @opentelemetry/exporter-logs-otlp-grpc, @opentelemetry/exporter-logs-otlp-http, @opentelemetry/exporter-logs-otlp-proto, @opentelemetry/exporter-metrics-otlp-grpc, @opentelemetry/exporter-metrics-otlp-http, @opentelemetry/exporter-metrics-otlp-proto, @opentelemetry/exporter-prometheus, @opentelemetry/exporter-trace-otlp-grpc, @opentelemetry/exporter-trace-otlp-http, @opentelemetry/exporter-trace-otlp-proto, @opentelemetry/exporter-zipkin, @opentelemetry/resources, @opentelemetry/sdk-logs, @opentelemetry/sdk-metrics, @opentelemetry/sdk-trace-base, @opentelemetry/sdk-trace-node, Prometheus exporter process crash via malformed HTTP request
  • @stellar/stellar-sdk (high): via axios
  • axios (high): via Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy, Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0, Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver, Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams, Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream, Axios: no_proxy bypass via IP alias allows SSRF, Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0, Axios: HTTP adapter streamed responses bypass maxContentLength, Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking, Axios: Header Injection via Prototype Pollution, Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion, Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking, axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718), Axios: unbounded recursion in toFormData causes DoS via deeply nested request data, Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection, Allocation of Resources Without Limits or Throttling in Axios, Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter, Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection, axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge, axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy, axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
  • form-data (high): via form-data: CRLF injection in form-data via unescaped multipart field names and filenames
  • picomatch (high): via Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching, Picomatch has a ReDoS vulnerability via extglob quantifiers

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions