Skip to content

pnpm dependency update 2026-07-07#25

Open
commercelayer-ci wants to merge 2 commits into
mainfrom
chore/deps-update-202607071253
Open

pnpm dependency update 2026-07-07#25
commercelayer-ci wants to merge 2 commits into
mainfrom
chore/deps-update-202607071253

Conversation

@commercelayer-ci

Copy link
Copy Markdown
Contributor

Dependency update

Closes #23
Branch: chore/deps-update-202607071253
Based on stable: v3.2.4
Prerelease tag: v3.2.5-auto-deps-202607071253.0
Node.js: 20.x
pnpm: 10.x

Automated dependency update via pnpm. Review the dependency diff and validation output before merging.

Dependency update results

  • Check: success
  • Build: success
  • Test: success

Semver bump log

No semver updates found.

Audit log

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Serialize JavaScript is Vulnerable to RCE via          │
│                     │ RegExp.flags and Date.prototype.toISOString()          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=7.0.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-5c6j-r48x-rmvq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Serialize JavaScript has CPU Exhaustion Denial of      │
│                     │ Service via crafted array-like objects                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serialize-javascript                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=5.0.0 <7.0.5                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.0.5                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>serialize-javascript                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qj8w-gfj5-8c6v      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ uuid: Missing buffer bounds check in v3/v5/v6 when buf │
│                     │ is provided                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ uuid                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <11.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=11.1.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>node-notifier>uuid                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-w5hq-g745-h8pq      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ jsdiff has a Denial of Service vulnerability in        │
│                     │ parsePatch and applyPatch                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ diff                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=6.0.0 <8.0.3                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>mocha>diff                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-73rr-hh4g-fpgx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
4 vulnerabilities found
Severity: 1 low | 2 moderate | 1 high

Major updates log not updated

package.json
  @commercelayer/sdk  ^6.58.0  →   ^7.12.0
  @oclif/core         ^3.27.0  →  ^4.11.14
  @oclif/test         ^3.2.15  →   ^4.1.20
  @types/node         ^25.9.4  →   ^26.1.0
  open                 ^8.4.2  →   ^11.0.0

@commercelayer-ci commercelayer-ci added the dependencies Pull requests that update a dependency file label Jul 7, 2026
@commercelayer-ci commercelayer-ci self-assigned this Jul 7, 2026
pviti
pviti previously approved these changes Jul 7, 2026
@pviti pviti requested a review from marco-commercelayer July 7, 2026 13:01
@dmantellassi dmantellassi self-requested a review July 7, 2026 13:02
@pviti pviti self-requested a review July 7, 2026 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[VANTA] [VULNERABILITY] <MEDIUM> CVE-2026-41907, fix before 2026-07-21

2 participants