Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 7 · patch: 8) [ui]#103

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/ui/0-1781532235
Closed

fix(deps): vuln minor upgrades — 15 packages (minor: 7 · patch: 8) [ui]#103
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/ui/0-1781532235

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • ui (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
handlebars 4.7.8 4.7.9 patch Direct 2 CRITICAL, 8 HIGH, 3 MEDIUM, 1 LOW
tar 7.4.3 7.5.16 minor Transitive 12 HIGH
minimatch 5.1.6 5.1.9 patch Transitive 6 HIGH
@xmldom/xmldom 0.8.10 0.8.13 patch Transitive 5 HIGH
flatted 3.3.3 3.4.2 minor Transitive 4 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
fast-uri 3.0.6 3.1.2 minor Transitive 2 HIGH
glob 10.4.5 10.5.0 minor Transitive 2 HIGH
rollup 2.79.2 2.80.0 minor Transitive 2 HIGH
immutable 5.1.2 5.1.6 patch Transitive 2 HIGH
preact 10.26.5 10.26.10 patch Transitive 2 HIGH
socket.io-parser 4.2.4 4.2.6 patch Transitive 2 HIGH
underscore 1.13.7 1.13.8 patch Transitive 2 HIGH
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
dompurify 3.2.6 3.4.10 minor Direct 11 MEDIUM

Security Details

🚨 Critical & High Severity (54 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
handlebars GHSA-2w6w-674q-4c4q CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 4.7.9
handlebars CVE-2026-33937 CRITICAL Handlebars.js has JavaScript Injection via AST Type Confusion 4.7.8 -
@xmldom/xmldom GHSA-wh4c-j3r5-mjhp HIGH xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion 0.8.10 0.8.12
@xmldom/xmldom GHSA-2v35-w6hq-6mfw HIGH xmldom: Uncontrolled recursion in XML serialization leads to DoS 0.8.10 0.8.13
@xmldom/xmldom GHSA-f6ww-3ggp-fr8h HIGH xmldom has XML injection through unvalidated DocumentType serialization 0.8.10 0.8.13
@xmldom/xmldom GHSA-x6wf-f3px-wcqx HIGH xmldom has XML node injection through unvalidated processing instruction serialization 0.8.10 0.8.13
@xmldom/xmldom GHSA-j759-j44w-7fr8 HIGH xmldom has XML node injection through unvalidated comment serialization 0.8.10 0.8.13
fast-uri GHSA-q3j6-qgpj-74h6 HIGH fast-uri vulnerable to path traversal via percent-encoded dot segments 3.0.6 3.1.1
fast-uri GHSA-v39h-62p7-jpjc HIGH fast-uri vulnerable to host confusion via percent-encoded authority delimiters 3.0.6 3.1.2
flatted GHSA-rf6f-7fwh-wjgh HIGH Prototype Pollution via parse() in NodeJS flatted 3.3.3 3.4.2
flatted CVE-2026-33228 HIGH flatted: Prototype Pollution via parse() 3.3.3 -
flatted GHSA-25h7-pfq9-p65f HIGH flatted vulnerable to unbounded recursion DoS in parse() revive phase 3.3.3 3.4.0
flatted CVE-2026-32141 HIGH flatted: Unbounded recursion DoS in parse() revive phase 3.3.3 -
glob CVE-2025-64756 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 -
glob GHSA-5j98-mcp5-4vw2 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 10.4.5 11.1.0
handlebars CVE-2026-33941 HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 -
handlebars CVE-2026-33938 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 -
handlebars GHSA-3mfm-83xf-c92r HIGH Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block 4.7.8 4.7.9
handlebars GHSA-xhpv-hc6g-r9c6 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 4.7.9
handlebars CVE-2026-33940 HIGH Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial 4.7.8 -
handlebars GHSA-9cx6-37pm-9jff HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 4.7.9
handlebars CVE-2026-33939 HIGH Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation 4.7.8 -
handlebars GHSA-xjpj-3mr7-gcpf HIGH Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options 4.7.8 4.7.9
immutable CVE-2026-29063 HIGH Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable 5.1.2 -
immutable GHSA-wf6x-7x77-mvgw HIGH Immutable is vulnerable to Prototype Pollution 5.1.2 4.3.8
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 5.1.6 10.2.3
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 5.1.6 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 5.1.6 10.2.1
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 5.1.6 10.2.3
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 5.1.6 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 5.1.6 -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 -
preact GHSA-36hm-qxxp-pg3m HIGH Preact has JSON VNode Injection issue 10.26.5 10.26.10
preact CVE-2026-22028 HIGH Preact has JSON VNode Injection issue 10.26.5 -
rollup GHSA-mw96-cpmx-2vgc HIGH Rollup 4 has Arbitrary File Write via Path Traversal 2.79.2 2.80.0
rollup CVE-2026-27606 HIGH Rollup 4 has Arbitrary File Write via Path Traversal 2.79.2 -
socket.io-parser GHSA-677m-j7p3-52f9 HIGH socket.io allows an unbounded number of binary attachments 4.2.4 3.3.5
socket.io-parser CVE-2026-33151 HIGH socket.io allows an unbounded number of binary attachments 4.2.4 -
tar GHSA-34x7-hfp2-rc4v HIGH node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal 7.4.3 7.5.7
tar CVE-2026-23745 HIGH node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization 7.4.3 -
tar CVE-2026-29786 HIGH node-tar: Hardlink Path Traversal via Drive-Relative Linkpath 7.4.3 -
tar CVE-2026-23950 HIGH node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS 7.4.3 -
tar GHSA-8qq5-rm4j-mr97 HIGH node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization 7.4.3 7.5.3
tar GHSA-r6q2-hw4h-h46w HIGH Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS 7.4.3 7.5.4
tar CVE-2026-31802 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.4.3 -
tar GHSA-9ppj-qmqm-q256 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.4.3 7.5.11
tar CVE-2026-26960 HIGH node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction 7.4.3 -
tar GHSA-83g3-92jg-28cx HIGH Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction 7.4.3 7.5.8
tar GHSA-qffp-2rhf-9h96 HIGH tar has Hardlink Path Traversal via Drive-Relative Linkpath 7.4.3 7.5.10
tar CVE-2026-24842 HIGH node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal 7.4.3 -
underscore GHSA-qpx9-hpmf-5gmw HIGH Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack 1.13.7 1.13.8
underscore CVE-2026-27601 HIGH Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack 1.13.7 -
ℹ️ Other Vulnerabilities (20)
Package CVE Severity Summary Unsafe Version Fixed In
dompurify GHSA-h7mw-gpvr-xq4m MODERATE DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) 3.2.6 3.4.0
dompurify GHSA-v8jm-5vwx-cfxm MODERATE DOMPurify contains a Cross-site Scripting vulnerability 3.2.6 3.2.7
dompurify CVE-2026-0540 MODERATE - 3.2.6 -
dompurify GHSA-h8r8-wccr-v5f2 MODERATE DOMPurify is vulnerable to mutation-XSS via Re-Contextualization 3.2.6 3.3.2
dompurify GHSA-cj63-jhhr-wcxv MODERATE DOMPurify USE_PROFILES prototype pollution allows event handlers 3.2.6 3.3.2
dompurify GHSA-v2wj-7wpq-c8vv MODERATE DOMPurify contains a Cross-site Scripting vulnerability 3.2.6 3.3.2
dompurify CVE-2025-15599 MODERATE - 3.2.6 -
dompurify GHSA-v9jr-rg53-9pgp MODERATE DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback 3.2.6 3.4.0
dompurify GHSA-cjmm-f4jc-qw8r MODERATE DOMPurify ADD_ATTR predicate skips URI validation 3.2.6 3.3.2
dompurify GHSA-crv5-9vww-q3g8 MODERATE DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode 3.2.6 3.4.0
dompurify GHSA-39q2-94rc-95cp MODERATE DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation 3.2.6 3.4.0
handlebars GHSA-7rx3-28cr-v5wh MODERATE Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry 4.7.8 4.7.9
handlebars CVE-2026-33916 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 -
handlebars GHSA-2qvq-rjwj-gvw9 MODERATE Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection 4.7.8 4.7.9
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23
lodash CVE-2025-13465 MODERATE - 4.17.21 -
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4
handlebars GHSA-442j-39wm-28r2 LOW Handlebars.js has a Property Access Validation Bypass in container.lookup 4.7.8 4.7.9

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Run linters | Format   View in Datadog   GitHub Actions

Run linters | Protobuf generate delta   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0318601 | Docs | Datadog PR Page | Give us feedback!

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot deleted the engraver-auto-version-upgrade/minorpatch/npm/ui/0-1781532235 branch July 6, 2026 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants