Skip to content

fix(deps): vuln minor upgrades — 15 packages (minor: 3 · patch: 12) [website]#104

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/website/3-1781532235
Draft

fix(deps): vuln minor upgrades — 15 packages (minor: 3 · patch: 12) [website]#104
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/website/3-1781532235

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • website (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
ejs 3.1.5 3.1.10 patch Transitive 2 CRITICAL, 2 MEDIUM
form-data 3.0.1 3.0.5 patch Transitive 2 CRITICAL
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
flatted 3.2.2 3.4.2 minor Transitive 4 HIGH
yaml 2.2.1 2.9.0 minor Transitive 2 HIGH, 2 MEDIUM
picomatch 2.3.0 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
braces 3.0.2 3.0.3 patch Transitive 2 HIGH
cross-spawn 7.0.3 7.0.6 patch Transitive 2 HIGH
decode-uri-component 0.2.0 0.2.2 patch Transitive 2 HIGH
node-fetch 2.6.1 2.6.13 patch Transitive 2 HIGH
semver 5.7.1 5.7.2 patch Transitive 2 HIGH
ws 7.5.5 7.5.11 patch Transitive 2 HIGH
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
brace-expansion 1.1.11 1.1.15 patch Transitive 2 MEDIUM, 2 LOW
js-yaml 3.14.1 3.14.2 patch Transitive 2 MEDIUM

Security Details

🚨 Critical & High Severity (31 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
ejs CVE-2022-29078 CRITICAL - 3.1.5 -
ejs GHSA-phwq-j96m-2c2q CRITICAL ejs template injection vulnerability 3.1.5 3.1.7
form-data GHSA-fjxv-7rqg-78g4 CRITICAL form-data uses unsafe random function in form-data for choosing boundary 3.0.1 2.5.4
form-data CVE-2025-7783 CRITICAL - 3.0.1 -
braces GHSA-grv7-fg5c-xmjg HIGH Uncontrolled resource consumption in braces 3.0.2 3.0.3
braces CVE-2024-4068 HIGH - 3.0.2 -
cross-spawn CVE-2024-21538 HIGH - 7.0.3 -
cross-spawn GHSA-3xgq-45jj-v275 HIGH Regular Expression Denial of Service (ReDoS) in cross-spawn 7.0.3 7.0.5
decode-uri-component CVE-2022-38900 HIGH - 0.2.0 -
decode-uri-component GHSA-w573-4hg7-7wgq HIGH decode-uri-component vulnerable to Denial of Service (DoS) 0.2.0 0.2.1
flatted CVE-2026-33228 HIGH flatted: Prototype Pollution via parse() 3.2.2 -
flatted GHSA-25h7-pfq9-p65f HIGH flatted vulnerable to unbounded recursion DoS in parse() revive phase 3.2.2 3.4.0
flatted GHSA-rf6f-7fwh-wjgh HIGH Prototype Pollution via parse() in NodeJS flatted 3.2.2 3.4.2
flatted CVE-2026-32141 HIGH flatted: Unbounded recursion DoS in parse() revive phase 3.2.2 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 -
node-fetch CVE-2022-0235 HIGH Exposure of Sensitive Information to an Unauthorized Actor in node-fetch/node-fetch 2.6.1 -
node-fetch GHSA-r683-j2x4-v87g HIGH node-fetch forwards secure headers to untrusted sites 2.6.1 3.1.1
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.0 -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.0 4.0.4
semver CVE-2022-25883 HIGH - 5.7.1 -
semver GHSA-c2qf-rxjj-qqgw HIGH semver vulnerable to Regular Expression Denial of Service 5.7.1 7.5.2
ws CVE-2024-37890 HIGH Denial of service when handling a request with many HTTP headers in ws 7.5.5 -
ws GHSA-3h5v-q93c-6h6q HIGH ws affected by a DoS when handling a request with many HTTP headers 7.5.5 5.2.4
yaml CVE-2023-2251 HIGH Uncaught Exception in eemeli/yaml 2.2.1 -
yaml GHSA-f9xv-q969-pqx4 HIGH Uncaught Exception in yaml 2.2.1 2.2.2
ℹ️ Other Vulnerabilities (15)
Package CVE Severity Summary Unsafe Version Fixed In
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 5.0.5
ejs GHSA-ghr5-ch3p-vcr6 MODERATE ejs lacks certain pollution protection 3.1.5 3.1.10
ejs CVE-2024-33883 MODERATE - 3.1.5 -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0
lodash CVE-2025-13465 MODERATE - 4.17.21 -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.0 4.0.4
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.0 -
yaml CVE-2026-33532 MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 2.2.1 -
yaml GHSA-48c2-rrv3-qjmp MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 2.2.1 2.8.3
brace-expansion CVE-2025-5889 LOW - 1.1.11 -
brace-expansion GHSA-v6h2-p8h4-qcjw LOW brace-expansion Regular Expression Denial of Service vulnerability 1.1.11 2.0.2

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-6

datadog-prod-us1-6 Bot commented Jun 15, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Run linters | Format   View in Datadog   GitHub Actions

Run linters | Protobuf generate delta   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 3a2b57b | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants