fix(deps): vuln minor upgrades — 13 packages (minor: 8 · patch: 5) #290

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/0-1781543969

Conversation

@gh-worker-campaigns-3e9aa4

Contributor

Summary: Critical-severity security update — 13 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| handlebars | 4.7.8 | 4.7.9 | patch | Transitive | 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW |
| basic-ftp | 5.0.5 | 5.3.1 | minor | Transitive | 2 CRITICAL, 3 HIGH |
| simple-git | 3.25.0 | 3.36.0 | minor | Transitive | 2 CRITICAL, 2 HIGH |
| undici | 6.23.0 | 6.26.0 | minor | Transitive | 6 HIGH, 4 MEDIUM |
| minimatch | 9.0.5 | 9.0.9 | patch | Transitive | 6 HIGH |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| fast-xml-parser | 5.5.1 | 5.8.0 | minor | Transitive | 2 HIGH, 3 MEDIUM |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| fast-uri | 3.0.6 | 3.1.2 | minor | Transitive | 2 HIGH |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| fast-xml-builder | 1.1.0 | 1.1.9 | patch | Transitive | 1 HIGH |
| brace-expansion | 5.0.4 | 5.0.6 | patch | Transitive | 3 MEDIUM |
| ajv | 8.17.1 | 8.20.0 | minor | Transitive | 2 MEDIUM |

Security Details

🚨 Critical & High Severity (43 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| basic-ftp | GHSA-5rq4-664w-9x2c | CRITICAL | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method | 5.0.5 | 5.2.0 |
| basic-ftp | CVE-2026-27699 | CRITICAL | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method | 5.0.5 | - |
| handlebars | GHSA-2w6w-674q-4c4q | CRITICAL | Handlebars.js has JavaScript Injection via AST Type Confusion | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33937 | CRITICAL | Handlebars.js has JavaScript Injection via AST Type Confusion | 4.7.8 | - |
| simple-git | CVE-2026-28292 | CRITICAL | simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE | 3.25.0 | - |
| simple-git | GHSA-r275-fr43-pm7q | CRITICAL | simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE | 3.25.0 | 3.32.3 |
| basic-ftp | GHSA-6v7q-wjvx-w8wg | HIGH | basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands | 5.0.5 | 5.2.2 |
| basic-ftp | GHSA-rp42-5vxx-qpwr | HIGH | basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() | 5.0.5 | 5.3.0 |
| basic-ftp | GHSA-rpmf-866q-6p89 | HIGH | basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering | 5.0.5 | 5.3.1 |
| fast-uri | GHSA-v39h-62p7-jpjc | HIGH | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | 3.0.6 | 3.1.2 |
| fast-uri | GHSA-q3j6-qgpj-74h6 | HIGH | fast-uri vulnerable to path traversal via percent-encoded dot segments | 3.0.6 | 3.1.1 |
| fast-xml-builder | GHSA-5wm8-gmm8-39j9 | HIGH | fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes | 1.1.0 | 1.1.7 |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 5.5.1 | 5.5.6 |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 5.5.1 | - |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| handlebars | CVE-2026-33938 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | 4.7.8 | - |
| handlebars | CVE-2026-33941 | HIGH | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options | 4.7.8 | - |
| handlebars | CVE-2026-33939 | HIGH | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation | 4.7.8 | - |
| handlebars | GHSA-3mfm-83xf-c92r | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | 4.7.8 | 4.7.9 |
| handlebars | GHSA-xhpv-hc6g-r9c6 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33940 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial | 4.7.8 | - |
| handlebars | GHSA-9cx6-37pm-9jff | HIGH | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation | 4.7.8 | 4.7.9 |
| handlebars | GHSA-xjpj-3mr7-gcpf | HIGH | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options | 4.7.8 | 4.7.9 |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | - |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | 10.2.3 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | 10.2.1 |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | 10.2.3 |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
| simple-git | GHSA-jcxm-m3jx-f287 | HIGH | simple-git Affected by Command Execution via Option-Parsing Bypass | 3.25.0 | 3.32.0 |
| simple-git | GHSA-hffm-xvc3-vprc | HIGH | simple-git is vulnerable to Remote Code Execution | 3.25.0 | 3.36.0 |
| undici | GHSA-v9p9-hfj2-hcw8 | HIGH | Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation | 6.23.0 | 6.24.0 |
| undici | GHSA-vrm6-8vpv-qv8q | HIGH | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression | 6.23.0 | 6.24.0 |
| undici | CVE-2026-1526 | HIGH | - | 6.23.0 | - |
| undici | CVE-2026-2229 | HIGH | - | 6.23.0 | - |
| undici | CVE-2026-1528 | HIGH | - | 6.23.0 | - |
| undici | GHSA-f269-vfmq-vjvj | HIGH | Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client | 6.23.0 | 6.24.0 |
ℹ️ Other Vulnerabilities (21)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| ajv | CVE-2025-69873 | MODERATE | - | 8.17.1 | - |
| ajv | GHSA-2g4f-4pwh-qvx6 | MODERATE | ajv has ReDoS when using $data option | 8.17.1 | 8.18.0 |
| brace-expansion | GHSA-jxxr-4gwj-5jf2 | MODERATE | brace-expansion: Large numeric range defeats documented max DoS protection | 5.0.4 | 5.0.6 |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.4 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.4 | - |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 5.5.1 | 4.5.5 |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 5.5.1 | 5.7.0 |
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 5.5.1 | - |
| handlebars | GHSA-7rx3-28cr-v5wh | MODERATE | Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry | 4.7.8 | 4.7.9 |
| handlebars | GHSA-2qvq-rjwj-gvw9 | MODERATE | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection | 4.7.8 | 4.7.9 |
| handlebars | CVE-2026-33916 | MODERATE | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection | 4.7.8 | - |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| undici | CVE-2026-1527 | MODERATE | - | 6.23.0 | - |
| undici | GHSA-2mjp-6q6p-2qxm | MODERATE | Undici has an HTTP Request/Response Smuggling issue | 6.23.0 | 6.24.0 |
| undici | CVE-2026-1525 | MODERATE | - | 6.23.0 | - |
| undici | GHSA-4992-7rv2-5pvq | MODERATE | Undici has CRLF Injection in undici via upgrade option | 6.23.0 | 6.24.0 |
| handlebars | GHSA-442j-39wm-28r2 | LOW | Handlebars.js has a Property Access Validation Bypass in container.lookup | 4.7.8 | 4.7.9 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

datadog-prod-us1-5 Bot commented Jun 15, 2026

Pipelines

⚠️ Warnings

🚦 2 Pipeline jobs failed

  • Check dist/ | check-dist (GitHub Actions)
  • build-test | build (GitHub Actions)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0f28d47
