fix(deps): vuln minor upgrades — 15 packages (minor: 7 · patch: 8) [datafusion/wasmtest]#144

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/wasmtest/0-1781563900

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • datafusion/wasmtest (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| shell-quote | 1.8.1 | 1.8.4 | patch | Transitive | 1 CRITICAL |
| node-forge | 1.3.1 | 1.4.0 | minor | Transitive | 12 HIGH, 2 MEDIUM |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| path-to-regexp | 0.1.10 | 0.1.13 | patch | Transitive | 3 HIGH |
| http-proxy-middleware | 2.0.6 | 2.0.9 | patch | Transitive | 2 HIGH, 4 MEDIUM |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| fast-uri | 3.0.6 | 3.1.2 | minor | Transitive | 2 HIGH |
| cross-spawn | 7.0.3 | 7.0.6 | patch | Transitive | 2 HIGH |
| launch-editor | 2.6.0 | 2.14.1 | minor | Transitive | 1 HIGH, 1 MEDIUM |
| ws | 8.17.1 | 8.21.0 | minor | Transitive | 1 HIGH, 1 MEDIUM |
| webpack-dev-server | 4.15.1 | 4.15.2 | patch | Direct | 5 MEDIUM |
| qs | 6.13.0 | 6.15.2 | minor | Transitive | 3 MEDIUM, 2 LOW |
| ajv | 6.12.6 | 6.15.0 | minor | Transitive | 2 MEDIUM |
| brace-expansion | 1.1.11 | 1.1.15 | patch | Transitive | 2 MEDIUM, 2 LOW |
| webpack | 5.94.0 | 5.107.2 | minor | Direct | 4 LOW |

Security Details

🚨 Critical & High Severity (32 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| shell-quote | GHSA-w7jw-789q-3m8p | CRITICAL | shell-quote quote() does not escape newlines in object .op values | 1.8.1 | 1.8.4 |
| cross-spawn | CVE-2024-21538 | HIGH | - | 7.0.3 | - |
| cross-spawn | GHSA-3xgq-45jj-v275 | HIGH | Regular Expression Denial of Service (ReDoS) in cross-spawn | 7.0.3 | 7.0.5 |
| fast-uri | GHSA-q3j6-qgpj-74h6 | HIGH | fast-uri vulnerable to path traversal via percent-encoded dot segments | 3.0.6 | 3.1.1 |
| fast-uri | GHSA-v39h-62p7-jpjc | HIGH | fast-uri vulnerable to host confusion via percent-encoded authority delimiters | 3.0.6 | 3.1.2 |
| http-proxy-middleware | GHSA-c7qv-q95q-8v27 | HIGH | Denial of service in http-proxy-middleware | 2.0.6 | 2.0.7 |
| http-proxy-middleware | CVE-2024-21536 | HIGH | - | 2.0.6 | - |
| launch-editor | GHSA-c27g-q93r-2cwf | HIGH | launch-editor vulnerable to command injection via the crafted request on Windows | 2.6.0 | 2.9.0 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| node-forge | GHSA-554w-wpv2-vw27 | HIGH | node-forge has ASN.1 Unbounded Recursion | 1.3.1 | 1.3.2 |
| node-forge | GHSA-5m6q-g25r-mvwx | HIGH | Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input | 1.3.1 | 1.4.0 |
| node-forge | GHSA-q67f-28xg-22rw | HIGH | Forge has signature forgery in Ed25519 due to missing S > L check | 1.3.1 | 1.4.0 |
| node-forge | CVE-2026-33895 | HIGH | Forge has signature forgery in Ed25519 due to missing S > L check | 1.3.1 | - |
| node-forge | GHSA-ppp5-5v6c-4jwp | HIGH | Forge has signature forgery in RSA-PKCS due to ASN.1 extra field | 1.3.1 | 1.4.0 |
| node-forge | CVE-2026-33894 | HIGH | Forge has signature forgery in RSA-PKCS due to ASN.1 extra field | 1.3.1 | - |
| node-forge | GHSA-2328-f5f3-gj25 | HIGH | Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | 1.3.1 | 1.4.0 |
| node-forge | CVE-2026-33896 | HIGH | Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | 1.3.1 | - |
| node-forge | CVE-2025-66031 | HIGH | node-forge ASN.1 Unbounded Recursion | 1.3.1 | - |
| node-forge | CVE-2026-33891 | HIGH | Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input | 1.3.1 | - |
| node-forge | CVE-2025-12816 | HIGH | - | 1.3.1 | - |
| node-forge | GHSA-5gfm-wpxj-wjgq | HIGH | node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization | 1.3.1 | 1.3.2 |
| path-to-regexp | GHSA-rhx6-c78j-4q9w | HIGH | path-to-regexp contains a ReDoS | 0.1.10 | 0.1.12 |
| path-to-regexp | CVE-2024-52798 | HIGH | path-to-regexp Unpatched path-to-regexp ReDoS in 0.1.x | 0.1.10 | - |
| path-to-regexp | GHSA-37ch-88jc-xwx2 | HIGH | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters | 0.1.10 | 0.1.13 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| ws | GHSA-96hv-2xvq-fx4p | HIGH | ws: Memory exhaustion DoS from tiny fragments and data chunks | 8.17.1 | 5.2.5 |
ℹ️ Other Vulnerabilities (30)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| ajv | GHSA-2g4f-4pwh-qvx6 | MODERATE | ajv has ReDoS when using $data option | 6.12.6 | 8.18.0 |
| ajv | CVE-2025-69873 | MODERATE | - | 6.12.6 | - |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | - |
| http-proxy-middleware | GHSA-4www-5p9h-95mh | MODERATE | http-proxy-middleware can call writeBody twice because "else if" is not used | 2.0.6 | 2.0.8 |
| http-proxy-middleware | CVE-2025-32996 | MODERATE | - | 2.0.6 | - |
| http-proxy-middleware | GHSA-9gqv-wp59-fq42 | MODERATE | http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed | 2.0.6 | 2.0.9 |
| http-proxy-middleware | CVE-2025-32997 | MODERATE | - | 2.0.6 | - |
| launch-editor | GHSA-v6wh-96g9-6wx3 | MODERATE | launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows | 2.6.0 | 2.14.1 |
| node-forge | GHSA-65ch-62r8-g69g | MODERATE | node-forge is vulnerable to ASN.1 OID Integer Truncation | 1.3.1 | 1.3.2 |
| node-forge | CVE-2025-66030 | MODERATE | node-forge ASN.1 OID Integer Truncation | 1.3.1 | - |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| qs | CVE-2025-15284 | MODERATE | - | 6.13.0 | - |
| qs | GHSA-6rw7-vpxm-498p | MODERATE | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion | 6.13.0 | 6.14.1 |
| qs | GHSA-q8mj-m7cp-5q26 | MODERATE | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set | 6.13.0 | 6.15.2 |
| webpack-dev-server | CVE-2025-30359 | MODERATE | webpack-dev-server users' source code may be stolen when they access a malicious web site | 4.15.1 | - |
| webpack-dev-server | GHSA-4v9v-hfq4-rm2v | MODERATE | webpack-dev-server users' source code may be stolen when they access a malicious web site | 4.15.1 | 5.2.1 |
| webpack-dev-server | GHSA-79cf-xcqc-c78w | MODERATE | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins | 4.15.1 | 5.2.4 |
| webpack-dev-server | CVE-2025-30360 | MODERATE | webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser | 4.15.1 | - |
| webpack-dev-server | GHSA-9jgg-88mc-972h | MODERATE | webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser | 4.15.1 | 5.2.1 |
| ws | GHSA-58qx-3vcg-4xpx | MODERATE | ws: Uninitialized memory disclosure | 8.17.1 | 8.20.1 |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 1.1.11 | 2.0.2 |
| brace-expansion | CVE-2025-5889 | LOW | - | 1.1.11 | - |
| qs | CVE-2026-2391 | LOW | - | 6.13.0 | - |
| qs | GHSA-w7fw-mjwx-w883 | LOW | qs's arrayLimit bypass in comma parsing allows denial of service | 6.13.0 | 6.14.2 |
| webpack | CVE-2025-68458 | LOW | webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior | 5.94.0 | - |
| webpack | GHSA-8fgc-7cc6-rx7x | LOW | webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior | 5.94.0 | 5.104.1 |
| webpack | CVE-2025-68157 | LOW | webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects | 5.94.0 | - |
| webpack | GHSA-38r7-794h-5758 | LOW | webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence | 5.94.0 | 5.104.0 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
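A check worth running before approving a PR like this one: the bot's "Fixed In" column and its "To" column do not always agree, and an upgrade that stays on an old major line (minimatch 3.1.5, webpack-dev-server 4.15.2, ajv 6.15.0) cannot be confirmed from this page alone to contain a fix the advisory attributes to a later major. The script below is an added example and is not part of the PR or of the bot that generated it; the rows are a subset transcribed from the two tables above, and the status labels, `classify` and `audit` are this example's own names. It assumes plain `x.y.z` version strings, as the tables use, and does not handle prerelease tags.

```javascript
// Added example (not the PR's or the bot's code): cross-check each advisory row
// against the version the PR actually proposes to install.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1 like a comparator; numeric compare per component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Verdicts (names chosen for this example):
//   covered      target >= fixed-in on the same major line
//   other-major  fixed-in is on a different major than the target; a backport
//                may exist, but this page does not show it
//   unfixed      same major line, but the target is still below fixed-in
//   inconsistent fixed-in is below the unsafe version, so the row is suspect
//   unknown      no fixed-in version listed for this advisory
function classify(row) {
  const { unsafe, fixedIn, to } = row;
  if (fixedIn === '-') return 'unknown';
  if (compareVersions(fixedIn, unsafe) < 0) return 'inconsistent';
  if (parseVersion(fixedIn)[0] !== parseVersion(to)[0]) return 'other-major';
  return compareVersions(to, fixedIn) >= 0 ? 'covered' : 'unfixed';
}

// Subset of rows transcribed from the PR tables: unsafe/fixedIn from the
// Security Details table, to from the Updates table.
const ROWS = [
  { pkg: 'shell-quote', id: 'GHSA-w7jw-789q-3m8p', unsafe: '1.8.1', fixedIn: '1.8.4', to: '1.8.4' },
  { pkg: 'cross-spawn', id: 'GHSA-3xgq-45jj-v275', unsafe: '7.0.3', fixedIn: '7.0.5', to: '7.0.6' },
  { pkg: 'cross-spawn', id: 'CVE-2024-21538', unsafe: '7.0.3', fixedIn: '-', to: '7.0.6' },
  { pkg: 'minimatch', id: 'GHSA-7r86-cg39-jmmj', unsafe: '3.1.2', fixedIn: '10.2.3', to: '3.1.5' },
  { pkg: 'webpack-dev-server', id: 'GHSA-4v9v-hfq4-rm2v', unsafe: '4.15.1', fixedIn: '5.2.1', to: '4.15.2' },
  { pkg: 'ws', id: 'GHSA-96hv-2xvq-fx4p', unsafe: '8.17.1', fixedIn: '5.2.5', to: '8.21.0' },
  { pkg: 'ws', id: 'GHSA-58qx-3vcg-4xpx', unsafe: '8.17.1', fixedIn: '8.20.1', to: '8.21.0' },
  { pkg: 'qs', id: 'GHSA-6rw7-vpxm-498p', unsafe: '6.13.0', fixedIn: '6.14.1', to: '6.15.2' },
];

// Groups advisory ids by verdict so a reviewer sees what still needs a
// manual look (everything that is not 'covered').
function audit(rows) {
  const report = {};
  for (const row of rows) {
    const verdict = classify(row);
    if (!report[verdict]) report[verdict] = [];
    report[verdict].push(`${row.pkg} ${row.id}`);
  }
  return report;
}

for (const [verdict, ids] of Object.entries(audit(ROWS))) {
  console.log(`${verdict}: ${ids.join(', ')}`);
}
```

On the rows above, only the "covered" group can be approved from the table alone; "other-major" rows need the advisory's patched-version list checked for a backport to the line the PR stays on, "inconsistent" rows need the advisory re-read, and "unknown" rows (a CVE id with no fixed version) usually pair with a GHSA row for the same package and should be confirmed against it.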


datadog-datadog-prod-us1-2 Bot commented Jun 15, 2026


Pipelines


⚠️ Warnings

🚦 7 Pipeline jobs failed

  • Rust | Verify Vendored Code (GitHub Actions)
  • Datafusion extended tests | Run sqllogictests with the sqlite test suite (GitHub Actions)
  • Datafusion extended tests | cargo test hash collisions (amd64) (GitHub Actions)
  • 4 further failed jobs not listed here


This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8dbcb19
