[VANTA] [VULNERABILITY] <HIGH> GHSA-5c6j-r48x-rmvq, fix before 2026-04-01

[commercelayer-ci]

Important

CLOSE THE ISSUE ONLY IF YOU PLAN TO DEPLOY THE FIX BEFORE THE DEADLINE IN THE TITLE.

DO NOT MANUALLY MODIFY THE ISSUE TITLE OR TEXT BODY.

FIXED npm-serialize-javascript <= 7.0.2 GHSA-5c6j-r48x-rmvq HIGH

npm-serialize-javascript <= 7.0.2 CODE_REPOSITORY/commercelayer-cli-plugin-exports GHSA-5c6j-r48x-rmvq HIGH remediate by: 2026-04-01T14:19:30.006Z

• https://github.com/commercelayer/commercelayer-cli-plugin-exports/security/dependabot/56

Related URLs

• GHSA-5c6j-r48x-rmvq
• https://nvd.nist.gov/vuln/detail/CVE-2020-7660
• yahoo/serialize-javascript@2e609d0
• GHSA-hxcc-f52p-wc94
• https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
• GHSA-5c6j-r48x-rmvq

^{npm-fast-xml-parser >= 4.0.0-beta.3, <= 5.5.5 CODE_REPOSITORY/commercelayer-cli-plugin-exports CVE-2026-33036 HIGH remediate by: 2026-04-17T06:15:42.032Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-exports/security/dependabot/59

Related URLs

• GHSA-8gc5-j5rx-235r
• NaturalIntelligence/fast-xml-parser@bd26122
• https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6
• GHSA-8gc5-j5rx-235r

FIXED npm-minimatch >= 9.0.0, < 9.0.7 CVE-2026-27903 HIGH

npm-minimatch >= 9.0.0, < 9.0.7 CODE_REPOSITORY/commercelayer-cli-plugin-exports CVE-2026-27903 HIGH remediate by: 2026-04-01T14:19:30.006Z

• https://github.com/commercelayer/commercelayer-cli-plugin-exports/security/dependabot/53

Related URLs

• GHSA-7r86-cg39-jmmj
• https://nvd.nist.gov/vuln/detail/CVE-2026-27903
• isaacs/minimatch@0bf499a
• GHSA-7r86-cg39-jmmj

FIXED npm-minimatch >= 9.0.0, < 9.0.7 CVE-2026-27904 HIGH

npm-minimatch >= 9.0.0, < 9.0.7 CODE_REPOSITORY/commercelayer-cli-plugin-exports CVE-2026-27904 HIGH remediate by: 2026-04-01T14:19:30.006Z

• https://github.com/commercelayer/commercelayer-cli-plugin-exports/security/dependabot/54

Related URLs

• GHSA-23c5-xmqv-rm74
• https://nvd.nist.gov/vuln/detail/CVE-2026-27904
• isaacs/minimatch@11d0df6
• GHSA-23c5-xmqv-rm74

FIXED npm-minimatch >= 9.0.0, < 9.0.6 CVE-2026-26996 HIGH

npm-minimatch >= 9.0.0, < 9.0.6 CODE_REPOSITORY/commercelayer-cli-plugin-exports CVE-2026-26996 HIGH remediate by: 2026-04-01T14:19:30.006Z

• https://github.com/commercelayer/commercelayer-cli-plugin-exports/security/dependabot/50

Related URLs

• GHSA-3ppc-4f35-3m26
• isaacs/minimatch@2e111f3
• https://nvd.nist.gov/vuln/detail/CVE-2026-26996
• GHSA-3ppc-4f35-3m26

^{npm-flatted < 3.4.0 CODE_REPOSITORY/commercelayer-cli-plugin-exports CVE-2026-32141 HIGH remediate by: 2026-04-14T06:14:58.215Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-exports/security/dependabot/58

Related URLs

• GHSA-25h7-pfq9-p65f
• https://nvd.nist.gov/vuln/detail/CVE-2026-32141
• Avoid recursion on parse due possible shenanigans WebReflection/flatted#88
• WebReflection/flatted@7eb65d8
• GHSA-25h7-pfq9-p65f

[marco-commercelayer]

CODE_REPOSITORY/commercelayer-cli-plugin-exports

All the listed vulnerabilities are still detected.
Please resolve within 8 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-exports

GHSA-5c6j-r48x-rmvq still detected.
Please resolve within 7 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-exports

GHSA-5c6j-r48x-rmvq still detected.
Please resolve within 6 days.

[commercelayer-ci]

No vulnerability is detected anymore.