npm audit found vulnerabilities

[github-actions]

# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@actions/glob/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
node_modules/archiver-utils/node_modules/brace-expansion
node_modules/cacache/node_modules/brace-expansion
node_modules/editorconfig/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/filelist/node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion
node_modules/js-beautify/node_modules/brace-expansion
node_modules/mem-fs-editor/node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion
node_modules/multimatch/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  11.4.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  node_modules/mocha

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

undici  <6.23.0
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/attest@2.1.0, which is a breaking change
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/attest  >=2.2.0
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/attest

8 vulnerabilities (3 low, 4 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

# npm audit report

ajv  <6.14.0 || >=7.0.0-alpha.0 <8.18.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/@eslint/eslintrc/node_modules/ajv
node_modules/ajv
node_modules/eslint/node_modules/ajv
node_modules/prettier-eslint/node_modules/ajv

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@actions/glob/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
node_modules/archiver-utils/node_modules/brace-expansion
node_modules/cacache/node_modules/brace-expansion
node_modules/editorconfig/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/filelist/node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion
node_modules/js-beautify/node_modules/brace-expansion
node_modules/mem-fs-editor/node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion
node_modules/multimatch/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  8.0.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

fast-xml-parser  5.0.0 - 5.3.7
Severity: critical
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - https://github.com/advisories/GHSA-m7jm-9gc2-mpf2
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) - https://github.com/advisories/GHSA-jmr7-xgp7-cmfj
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
fix available via `npm audit fix`
node_modules/fast-xml-parser

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

minimatch  <=3.1.3 || 5.0.0 - 5.1.7 || 9.0.0 - 9.0.6 || 10.0.0 - 10.2.2
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install prettier-eslint@16.3.0, which is a breaking change
node_modules/@actions/glob/node_modules/minimatch
node_modules/@eslint/config-array/node_modules/minimatch
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/@humanwhocodes/config-array/node_modules/minimatch
node_modules/@jest/reporters/node_modules/minimatch
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/archiver-utils/node_modules/minimatch
node_modules/cacache/node_modules/minimatch
node_modules/editorconfig/node_modules/minimatch
node_modules/eslint-plugin-react/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/filelist/node_modules/minimatch
node_modules/glob/node_modules/minimatch
node_modules/jest-config/node_modules/minimatch
node_modules/jest-runtime/node_modules/minimatch
node_modules/js-beautify/node_modules/minimatch
node_modules/mem-fs-editor/node_modules/minimatch
node_modules/minimatch
node_modules/mocha/node_modules/minimatch
node_modules/multimatch/node_modules/minimatch
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/prettier-eslint/node_modules/eslint/node_modules/minimatch
node_modules/prettier-eslint/node_modules/minimatch
node_modules/readdir-glob/node_modules/minimatch
node_modules/test-exclude/node_modules/minimatch
  @typescript-eslint/typescript-estree  6.16.0 - 7.5.0
  Depends on vulnerable versions of minimatch
  node_modules/prettier-eslint/node_modules/@typescript-eslint/typescript-estree
    @typescript-eslint/parser  6.16.0 - 7.5.0
    Depends on vulnerable versions of @typescript-eslint/typescript-estree
    node_modules/prettier-eslint/node_modules/@typescript-eslint/parser
      prettier-eslint  16.3.1 - 16.4.2
      Depends on vulnerable versions of @typescript-eslint/parser
      node_modules/prettier-eslint
  editorconfig  1.0.3 - 1.0.4 || 2.0.0
  Depends on vulnerable versions of minimatch
  node_modules/editorconfig

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/serialize-javascript

tar  <7.5.8
Severity: high
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
fix available via `npm audit fix`
node_modules/tar

undici  <6.23.0
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/attest@3.2.0, which is a breaking change
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/attest  2.2.0 - 2.2.1
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/attest

17 vulnerabilities (2 low, 5 moderate, 9 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

# npm audit report

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@actions/glob/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
node_modules/archiver-utils/node_modules/brace-expansion
node_modules/cacache/node_modules/brace-expansion
node_modules/editorconfig/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/filelist/node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion
node_modules/js-beautify/node_modules/brace-expansion
node_modules/mem-fs-editor/node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion
node_modules/multimatch/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  8.0.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

minimatch  <=3.1.3 || 5.0.0 - 5.1.7 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install prettier-eslint@16.3.0, which is a breaking change
node_modules/@actions/glob/node_modules/minimatch
node_modules/@eslint/config-array/node_modules/minimatch
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/@humanwhocodes/config-array/node_modules/minimatch
node_modules/@jest/reporters/node_modules/minimatch
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/archiver-utils/node_modules/minimatch
node_modules/cacache/node_modules/minimatch
node_modules/editorconfig/node_modules/minimatch
node_modules/eslint-plugin-react/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/filelist/node_modules/minimatch
node_modules/glob/node_modules/minimatch
node_modules/jest-config/node_modules/minimatch
node_modules/jest-runtime/node_modules/minimatch
node_modules/js-beautify/node_modules/minimatch
node_modules/mem-fs-editor/node_modules/minimatch
node_modules/mocha/node_modules/minimatch
node_modules/multimatch/node_modules/minimatch
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/prettier-eslint/node_modules/eslint/node_modules/minimatch
node_modules/prettier-eslint/node_modules/minimatch
node_modules/readdir-glob/node_modules/minimatch
node_modules/test-exclude/node_modules/minimatch
  @typescript-eslint/typescript-estree  6.16.0 - 7.5.0
  Depends on vulnerable versions of minimatch
  node_modules/prettier-eslint/node_modules/@typescript-eslint/typescript-estree
    @typescript-eslint/parser  6.16.0 - 7.5.0
    Depends on vulnerable versions of @typescript-eslint/typescript-estree
    node_modules/prettier-eslint/node_modules/@typescript-eslint/parser
      prettier-eslint  16.3.1 - 16.4.2
      Depends on vulnerable versions of @typescript-eslint/parser
      node_modules/prettier-eslint
  editorconfig  1.0.3 - 1.0.4 || 2.0.0
  Depends on vulnerable versions of minimatch
  node_modules/editorconfig

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/serialize-javascript

tar  <7.5.8
Severity: high
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
fix available via `npm audit fix`
node_modules/tar

undici  <6.23.0
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/attest@3.2.0, which is a breaking change
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/attest  2.2.0 - 2.2.1
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/attest

15 vulnerabilities (2 low, 4 moderate, 9 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

# npm audit report

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  8.0.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

minimatch  <=3.1.3 || 5.0.0 - 5.1.7 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install prettier-eslint@16.3.0, which is a breaking change
node_modules/@actions/glob/node_modules/minimatch
node_modules/@eslint/config-array/node_modules/minimatch
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/@humanwhocodes/config-array/node_modules/minimatch
node_modules/@jest/reporters/node_modules/minimatch
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/archiver-utils/node_modules/minimatch
node_modules/cacache/node_modules/minimatch
node_modules/editorconfig/node_modules/minimatch
node_modules/eslint-plugin-react/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/filelist/node_modules/minimatch
node_modules/glob/node_modules/minimatch
node_modules/jest-config/node_modules/minimatch
node_modules/jest-runtime/node_modules/minimatch
node_modules/js-beautify/node_modules/minimatch
node_modules/mem-fs-editor/node_modules/minimatch
node_modules/mocha/node_modules/minimatch
node_modules/multimatch/node_modules/minimatch
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/prettier-eslint/node_modules/eslint/node_modules/minimatch
node_modules/prettier-eslint/node_modules/minimatch
node_modules/readdir-glob/node_modules/minimatch
node_modules/test-exclude/node_modules/minimatch
  @typescript-eslint/typescript-estree  6.16.0 - 7.5.0
  Depends on vulnerable versions of minimatch
  node_modules/prettier-eslint/node_modules/@typescript-eslint/typescript-estree
    @typescript-eslint/parser  6.16.0 - 7.5.0
    Depends on vulnerable versions of @typescript-eslint/typescript-estree
    node_modules/prettier-eslint/node_modules/@typescript-eslint/parser
      prettier-eslint  16.3.1 - 16.4.2
      Depends on vulnerable versions of @typescript-eslint/parser
      node_modules/prettier-eslint
  editorconfig  1.0.3 - 1.0.4 || 2.0.0
  Depends on vulnerable versions of minimatch
  node_modules/editorconfig

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/serialize-javascript

tar  <=7.5.9
Severity: high
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
fix available via `npm audit fix`
node_modules/tar

undici  <6.23.0
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/attest@3.2.0, which is a breaking change
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/attest  2.2.0 - 2.2.1
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/attest

14 vulnerabilities (1 low, 4 moderate, 9 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

# npm audit report

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  8.0.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

minimatch  <=3.1.3 || 5.0.0 - 5.1.7 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install prettier-eslint@16.3.0, which is a breaking change
node_modules/@actions/glob/node_modules/minimatch
node_modules/@eslint/config-array/node_modules/minimatch
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/@humanwhocodes/config-array/node_modules/minimatch
node_modules/@jest/reporters/node_modules/minimatch
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/archiver-utils/node_modules/minimatch
node_modules/cacache/node_modules/minimatch
node_modules/editorconfig/node_modules/minimatch
node_modules/eslint-plugin-react/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/filelist/node_modules/minimatch
node_modules/glob/node_modules/minimatch
node_modules/jest-config/node_modules/minimatch
node_modules/jest-runtime/node_modules/minimatch
node_modules/js-beautify/node_modules/minimatch
node_modules/mem-fs-editor/node_modules/minimatch
node_modules/mocha/node_modules/minimatch
node_modules/multimatch/node_modules/minimatch
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/prettier-eslint/node_modules/eslint/node_modules/minimatch
node_modules/prettier-eslint/node_modules/minimatch
node_modules/readdir-glob/node_modules/minimatch
node_modules/test-exclude/node_modules/minimatch
  @typescript-eslint/typescript-estree  6.16.0 - 7.5.0
  Depends on vulnerable versions of minimatch
  node_modules/prettier-eslint/node_modules/@typescript-eslint/typescript-estree
    @typescript-eslint/parser  6.16.0 - 7.5.0
    Depends on vulnerable versions of @typescript-eslint/typescript-estree
    node_modules/prettier-eslint/node_modules/@typescript-eslint/parser
      prettier-eslint  16.3.1 - 16.4.2
      Depends on vulnerable versions of @typescript-eslint/parser
      node_modules/prettier-eslint
  editorconfig  1.0.3 - 1.0.4 || 2.0.0
  Depends on vulnerable versions of minimatch
  node_modules/editorconfig

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/serialize-javascript

tar  <=7.5.9
Severity: high
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
fix available via `npm audit fix`
node_modules/tar

undici  <6.23.0
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/attest@3.2.0, which is a breaking change
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/attest  2.2.0 - 2.2.1
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/attest

14 vulnerabilities (1 low, 4 moderate, 9 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

# npm audit report

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  8.0.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: high
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
fix available via `npm audit fix`
node_modules/fast-xml-parser

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

minimatch  <=3.1.3 || 5.0.0 - 5.1.7 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install prettier-eslint@16.3.0, which is a breaking change
node_modules/@actions/glob/node_modules/minimatch
node_modules/@eslint/config-array/node_modules/minimatch
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/@humanwhocodes/config-array/node_modules/minimatch
node_modules/@jest/reporters/node_modules/minimatch
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/archiver-utils/node_modules/minimatch
node_modules/cacache/node_modules/minimatch
node_modules/editorconfig/node_modules/minimatch
node_modules/eslint-plugin-react/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/filelist/node_modules/minimatch
node_modules/glob/node_modules/minimatch
node_modules/jest-config/node_modules/minimatch
node_modules/jest-runtime/node_modules/minimatch
node_modules/js-beautify/node_modules/minimatch
node_modules/mem-fs-editor/node_modules/minimatch
node_modules/mocha/node_modules/minimatch
node_modules/multimatch/node_modules/minimatch
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/prettier-eslint/node_modules/eslint/node_modules/minimatch
node_modules/prettier-eslint/node_modules/minimatch
node_modules/readdir-glob/node_modules/minimatch
node_modules/test-exclude/node_modules/minimatch
  @typescript-eslint/typescript-estree  6.16.0 - 7.5.0
  Depends on vulnerable versions of minimatch
  node_modules/prettier-eslint/node_modules/@typescript-eslint/typescript-estree
    @typescript-eslint/parser  6.16.0 - 7.5.0
    Depends on vulnerable versions of @typescript-eslint/typescript-estree
    node_modules/prettier-eslint/node_modules/@typescript-eslint/parser
      prettier-eslint  16.3.1 - 16.4.2
      Depends on vulnerable versions of @typescript-eslint/parser
      node_modules/prettier-eslint
  editorconfig  1.0.3 - 1.0.4 || 2.0.0
  Depends on vulnerable versions of minimatch
  node_modules/editorconfig

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/serialize-javascript

simple-git  3.15.0 - 3.32.2
Severity: critical
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE - https://github.com/advisories/GHSA-r275-fr43-pm7q
fix available via `npm audit fix`
node_modules/simple-git

tar  <=7.5.10
Severity: high
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
fix available via `npm audit fix`
node_modules/tar

undici  <=6.23.0
Severity: high
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
fix available via `npm audit fix --force`
Will install @actions/attest@3.2.0, which is a breaking change
node_modules/@actions/artifact/node_modules/undici
node_modules/@actions/cache/node_modules/undici
node_modules/@actions/github/node_modules/undici
node_modules/@actions/glob/node_modules/undici
node_modules/@actions/http-client/node_modules/undici
node_modules/@actions/tool-cache/node_modules/undici
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/attest  2.2.0 - 2.2.1
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/attest

17 vulnerabilities (1 low, 3 moderate, 12 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

# npm audit report

diff  6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/diff
  mocha  8.0.0 - 12.0.0-beta-3
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: high
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fix available via `npm audit fix`
node_modules/fast-xml-parser

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/archiver-utils/node_modules/glob
node_modules/cacache/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob
node_modules/js-beautify/node_modules/glob
node_modules/mocha/node_modules/glob

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml

minimatch  <=3.1.3 || 5.0.0 - 5.1.7 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install prettier-eslint@16.3.0, which is a breaking change
node_modules/@actions/glob/node_modules/minimatch
node_modules/@eslint/config-array/node_modules/minimatch
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/@humanwhocodes/config-array/node_modules/minimatch
node_modules/@jest/reporters/node_modules/minimatch
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/archiver-utils/node_modules/minimatch
node_modules/cacache/node_modules/minimatch
node_modules/editorconfig/node_modules/minimatch
node_modules/eslint-plugin-react/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/filelist/node_modules/minimatch
node_modules/glob/node_modules/minimatch
node_modules/jest-config/node_modules/minimatch
node_modules/jest-runtime/node_modules/minimatch
node_modules/js-beautify/node_modules/minimatch
node_modules/mem-fs-editor/node_modules/minimatch
node_modules/mocha/node_modules/minimatch
node_modules/multimatch/node_modules/minimatch
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/prettier-eslint/node_modules/eslint/node_modules/minimatch
node_modules/prettier-eslint/node_modules/minimatch
node_modules/readdir-glob/node_modules/minimatch
node_modules/test-exclude/node_modules/minimatch
  @typescript-eslint/typescript-estree  6.16.0 - 7.5.0
  Depends on vulnerable versions of minimatch
  node_modules/prettier-eslint/node_modules/@typescript-eslint/typescript-estree
    @typescript-eslint/parser  6.16.0 - 7.5.0
    Depends on vulnerable versions of @typescript-eslint/typescript-estree
    node_modules/prettier-eslint/node_modules/@typescript-eslint/parser
      prettier-eslint  16.3.1 - 16.4.2
      Depends on vulnerable versions of @typescript-eslint/parser
      node_modules/prettier-eslint
  editorconfig  1.0.3 - 1.0.4 || 2.0.0
  Depends on vulnerable versions of minimatch
  node_modules/editorconfig

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
fix available via `npm audit fix`
node_modules/anymatch/node_modules/picomatch
node_modules/micromatch/node_modules/picomatch
node_modules/picomatch

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install mocha@11.3.0, which is a breaking change
node_modules/serialize-javascript

simple-git  3.15.0 - 3.32.2
Severity: critical
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE - https://github.com/advisories/GHSA-r275-fr43-pm7q
fix available via `npm audit fix`
node_modules/simple-git

tar  <=7.5.10
Severity: high
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
fix available via `npm audit fix`
node_modules/tar

undici  <=6.23.0
Severity: high
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
fix available via `npm audit fix --force`
Will install @actions/attest@3.2.0, which is a breaking change
node_modules/@actions/artifact/node_modules/undici
node_modules/@actions/cache/node_modules/undici
node_modules/@actions/github/node_modules/undici
node_modules/@actions/glob/node_modules/undici
node_modules/@actions/http-client/node_modules/undici
node_modules/@actions/tool-cache/node_modules/undici
node_modules/undici
  @actions/github  6.0.1 - 8.0.0
  Depends on vulnerable versions of undici
  node_modules/@actions/attest/node_modules/@actions/github
    @actions/attest  2.2.0 - 2.2.1
    Depends on vulnerable versions of @actions/github
    node_modules/@actions/attest

18 vulnerabilities (1 low, 3 moderate, 13 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force