
chore(deps): remediate security vulnerabilities #58

Draft
arthurfiorette wants to merge 1 commit into main from deps/update-sec-deps-20260320

Conversation

@arthurfiorette
Member

  • severity=high; package=axios; fixedVersions=["1.13.5"]; ids=["CVE-2026-25639"]; summaries=["Axios is Vulnerable to Denial of Service via proto Key in mergeConfig"]
  • severity=high; package=flatted; fixedVersions=["3.4.0"]; ids=["CVE-2026-32141"]; summaries=["flatted vulnerable to unbounded recursion DoS in parse() revive phase"]
  • severity=high; package=koa; fixedVersions=["3.1.2"]; ids=["CVE-2026-27959"]; summaries=["Koa has Host Header Injection via ctx.hostname"]
  • severity=high; package=minimatch; fixedVersions=["10.2.1","10.2.3","3.1.3","3.1.4","9.0.6","9.0.7"]; ids=["CVE-2026-26996","CVE-2026-27903","CVE-2026-27904"]; summaries=["minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions","minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments","minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"]
  • severity=high; package=rollup; fixedVersions=["4.59.0"]; ids=["CVE-2026-27606"]; summaries=["Rollup 4 has Arbitrary File Write via Path Traversal"]
  • severity=high; package=undici; fixedVersions=["6.24.0"]; ids=["CVE-2026-1526","CVE-2026-1528","CVE-2026-2229"]; summaries=["Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression","Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation","Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"]
  • severity=medium; package=ajv; fixedVersions=["6.14.0"]; ids=["CVE-2025-69873"]; summaries=["ajv has ReDoS when using $data option"]
  • severity=medium; package=undici; fixedVersions=["6.24.0"]; ids=["CVE-2026-1525","CVE-2026-1527"]; summaries=["Undici has CRLF Injection in undici via upgrade option","Undici has an HTTP Request/Response Smuggling issue"]

@github-actions

🚀 Preview Environment Ready!

Name    Status    URL
jarvis  ✅ Active  https://rodrigo-yokota-29207-jarvis-zephyr-preview-enviro-9284200...
hal     ✅ Active  https://rodrigo-yokota-29208-hal-zephyr-preview-environme-1daedf0...

Details:

  • Latest Commit: 5a6ec93
  • Created at: 3/20/2026, 3:16:14 PM

