fix(deps): vuln minor upgrades — 15 packages (minor: 7 · patch: 8) #1309

Closed

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into develop from engraver-auto-version-upgrade/minorpatch/npm/0-1781544091

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| protobufjs | 7.5.3 | 7.5.9 | patch | Transitive | 1 CRITICAL, 4 HIGH, 4 MEDIUM |
| shell-quote | 1.8.3 | 1.8.4 | patch | Transitive | 1 CRITICAL |
| axios | 1.15.0 | 1.17.0 | minor | Transitive | 11 HIGH, 9 MEDIUM, 1 LOW |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| picomatch | 4.0.2 | 4.0.4 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| fast-uri | 3.0.6 | 3.1.2 | minor | Transitive | 2 HIGH |
| glob | 11.0.3 | 11.1.0 | minor | Transitive | 2 HIGH |
| minimatch | 3.1.3 | 3.1.5 | patch | Transitive | 2 HIGH |
| @babel/plugin-transform-modules-systemjs | 7.27.1 | 7.29.7 | minor | Transitive | 1 HIGH |
| simple-git | 3.33.0 | 3.36.0 | minor | Transitive | 1 HIGH |
| path-to-regexp | 0.1.12 | 0.1.13 | patch | Transitive | 1 HIGH |
| tmp | 0.2.4 | 0.2.7 | patch | Transitive | 1 HIGH |
| ajv | 6.12.6 | 6.15.0 | minor | Transitive | 2 MEDIUM |
| brace-expansion | 1.1.12 | 1.1.15 | patch | Transitive | 2 MEDIUM |
| js-yaml | 4.1.0 | 4.1.1 | patch | Transitive | 2 MEDIUM |

Security Details

🚨 Critical & High Severity (33 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| protobufjs | GHSA-xq3m-2v4x-88gg | CRITICAL | Arbitrary code execution in protobufjs | 7.5.3 | 8.0.1 |
| shell-quote | GHSA-w7jw-789q-3m8p | CRITICAL | shell-quote quote() does not escape newlines in object .op values | 1.8.3 | 1.8.4 |
| @babel/plugin-transform-modules-systemjs | GHSA-fv7c-fp4j-7gwp | HIGH | @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input | 7.27.1 | 7.29.4 |
| axios | GHSA-3g43-6gmg-66jw | HIGH | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | 1.15.0 | 1.15.2 |
| axios | GHSA-p92q-9vqr-4j8v | HIGH | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | 1.15.0 | 1.16.0 |
| axios | GHSA-777c-7fjr-54vf | HIGH | Allocation of Resources Without Limits or Throttling in Axios | 1.15.0 | 1.16.0 |
| axios | GHSA-6chq-wfr3-2hj9 | HIGH | Axios: Header Injection via Prototype Pollution | 1.15.0 | 1.15.1 |
| axios | GHSA-35jp-ww65-95wh | HIGH | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy | 1.15.0 | 1.16.0 |
| axios | GHSA-q8qp-cvcw-x6jj | HIGH | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | 1.15.0 | 1.15.2 |
| axios | GHSA-pjwm-pj3p-43mv | HIGH | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | 1.15.0 | 1.16.0 |
| axios | GHSA-j5f8-grm9-p9fc | HIGH | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | 1.15.0 | 1.16.0 |
| axios | GHSA-pf86-5x62-jrwf | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | 1.15.0 | 1.15.1 |
| axios | GHSA-hfxv-24rg-xrqf | HIGH | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | 1.15.0 | 1.16.0 |
| axios | GHSA-pmwg-cvhr-8vh7 | HIGH | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | 1.15.0 | 1.15.1 |
| fast-uri | GHSA-v39h-62p7-jpjc | HIGH | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | 3.0.6 | 3.1.2 |
| fast-uri | GHSA-q3j6-qgpj-74h6 | HIGH | fast-uri vulnerable to path traversal via percent-encoded dot segments | 3.0.6 | 3.1.1 |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| glob | CVE-2025-64756 | HIGH | glob CLI: Command injection via -c/--cmd executes matches with shell:true | 11.0.3 | - |
| glob | GHSA-5j98-mcp5-4vw2 | HIGH | glob CLI: Command injection via -c/--cmd executes matches with shell:true | 11.0.3 | 11.1.0 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.3 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.3 | 10.2.3 |
| path-to-regexp | GHSA-37ch-88jc-xwx2 | HIGH | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters | 0.1.12 | 0.1.13 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.2 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 4.0.2 | 4.0.4 |
| protobufjs | GHSA-75px-5xx7-5xc7 | HIGH | protobuf.js: Code generation gadget after prototype pollution | 7.5.3 | 7.5.6 |
| protobufjs | GHSA-jvwf-75h9-cwgg | HIGH | protobuf.js: Process-wide denial of service through unsafe option paths | 7.5.3 | 7.5.6 |
| protobufjs | GHSA-685m-2w69-288q | HIGH | protobuf.js: Denial of service through unbounded protobuf recursion | 7.5.3 | 7.5.6 |
| protobufjs | GHSA-66ff-xgx4-vchm | HIGH | protobuf.js: Code injection through bytes field defaults in generated toObject code | 7.5.3 | 7.5.6 |
| simple-git | GHSA-hffm-xvc3-vprc | HIGH | simple-git is vulnerable to Remote Code Execution | 3.33.0 | 3.36.0 |
| tmp | GHSA-ph9p-34f9-6g65 | HIGH | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape | 0.2.4 | 0.2.6 |

ℹ️ Other Vulnerabilities (22)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| ajv | GHSA-2g4f-4pwh-qvx6 | MODERATE | ajv has ReDoS when using $data option | 6.12.6 | 8.18.0 |
| ajv | CVE-2025-69873 | MODERATE | - | 6.12.6 | - |
| axios | GHSA-898c-q2cr-xwhg | MODERATE | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | 1.15.0 | 1.16.0 |
| axios | GHSA-xx6v-rp6x-q39c | MODERATE | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion | 1.15.0 | 1.15.1 |
| axios | GHSA-w9j2-pvgh-6h63 | MODERATE | Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy | 1.15.0 | 1.15.1 |
| axios | GHSA-5c9x-8gcm-mpgx | MODERATE | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | 1.15.0 | 1.15.1 |
| axios | GHSA-vf2m-468p-8v99 | MODERATE | Axios: HTTP adapter streamed responses bypass maxContentLength | 1.15.0 | 1.15.1 |
| axios | GHSA-3w6x-2g7m-8v23 | MODERATE | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver | 1.15.0 | 1.15.2 |
| axios | GHSA-445q-vr5w-6q77 | MODERATE | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | 1.15.0 | 1.15.1 |
| axios | GHSA-62hf-57xw-28j9 | MODERATE | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | 1.15.0 | 1.15.1 |
| axios | GHSA-m7pr-hjqh-92cm | MODERATE | Axios: no_proxy bypass via IP alias allows SSRF | 1.15.0 | 1.15.1 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.12 | - |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.12 | 5.0.5 |
| js-yaml | GHSA-mh29-5h37-fv8m | MODERATE | js-yaml has prototype pollution in merge (<<) | 4.1.0 | 4.1.1 |
| js-yaml | CVE-2025-64718 | MODERATE | js-yaml has prototype pollution in merge (<<) | 4.1.0 | - |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.2 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 4.0.2 | 4.0.4 |
| protobufjs | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 7.5.3 | 7.5.6 |
| protobufjs | GHSA-jggg-4jg4-v7c6 | MODERATE | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | 7.5.3 | 7.5.8 |
| protobufjs | GHSA-2pr8-phx7-x9h3 | MODERATE | protobuf.js: Denial of service from crafted field names in generated code | 7.5.3 | 7.5.6 |
| protobufjs | GHSA-fx83-v9x8-x52w | MODERATE | protobuf.js: Prototype injection in generated message constructors | 7.5.3 | 7.5.6 |
| axios | GHSA-xhjh-pmcv-23jw | LOW | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | 1.15.0 | 1.15.1 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jun 15, 2026


Pipelines  Tests

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/dd-sdk-reactnative | test:build

ℹ️ Info

No other issues found

🧪 All tests passed
❄️ No new flaky tests detected

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: c3f575f

@sbarrio sbarrio closed this Jun 16, 2026