Skip to content

fix(deps): vuln minor upgrades — 14 packages (minor: 6 · patch: 8) #794

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783352940
Draft

fix(deps): vuln minor upgrades — 14 packages (minor: 6 · patch: 8) #794
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783352940

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: Critical-severity security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
fast-xml-parser 4.4.1 4.5.7 minor Transitive 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW
minimatch 3.1.2 3.1.5 patch Transitive 6 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
lodash 4.17.21 4.18.1 minor Transitive 1 HIGH, 3 MEDIUM
form-data 3.0.4 3.0.5 patch Transitive 1 HIGH
ws 7.5.10 7.5.11 patch Transitive 1 HIGH
js-yaml 3.14.1 3.14.2 patch Transitive 3 MEDIUM
@babel/helpers 7.25.9 7.29.7 minor Transitive 2 MEDIUM
brace-expansion 1.1.11 1.1.15 patch Transitive 2 MEDIUM, 2 LOW
uuid 8.0.0 8.3.2 minor Transitive 1 MEDIUM
@babel/core 7.25.9 7.29.7 minor Transitive 1 LOW
aws-sdk 2.1691.0 2.1693.0 minor Transitive 1 LOW
@smithy/config-resolver 3.0.10 3.0.13 patch Transitive 1 LOW
diff 4.0.2 4.0.4 patch Transitive 2 LOW

Security Details

🚨 Critical & High Severity (17 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
fast-xml-parser CVE-2026-25896 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 - -
fast-xml-parser GHSA-m7jm-9gc2-mpf2 CRITICAL fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names 4.4.1 5.3.5 -
fast-xml-parser GHSA-8gc5-j5rx-235r HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 5.5.6 -
fast-xml-parser CVE-2026-26278 HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 - -
fast-xml-parser GHSA-jmr7-xgp7-cmfj HIGH fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) 4.4.1 4.5.4 -
fast-xml-parser CVE-2026-33036 HIGH fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) 4.4.1 - -
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 3.0.4 2.5.6 -
lodash GHSA-r5fr-rjxr-66jc HIGH lodash vulnerable to Code Injection via _.template imports key names 4.17.21 4.18.0 -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 - -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 3.1.2 10.2.1 -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 3.1.2 - -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.2 10.2.3 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 - -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4 -
ws GHSA-96hv-2xvq-fx4p HIGH ws: Memory exhaustion DoS from tiny fragments and data chunks 7.5.10 5.2.5 -
ℹ️ Other Vulnerabilities (25)
Package CVE Severity Summary Unsafe Version Fixed In Case
@babel/helpers GHSA-968p-4wvh-cqc8 MODERATE Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups 7.25.9 7.26.10 -
@babel/helpers CVE-2025-27789 MODERATE Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups 7.25.9 - -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 - -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 1.1.11 5.0.5 -
fast-xml-parser GHSA-jp2q-39xq-3w4g MODERATE Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser 4.4.1 4.5.5 -
fast-xml-parser CVE-2026-33349 MODERATE fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation 4.4.1 - -
fast-xml-parser GHSA-gh4j-gqv2-49f6 MODERATE fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters 4.4.1 5.7.0 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 3.14.1 4.2.0 -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 4.1.1 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 3.14.1 - -
lodash GHSA-f23m-r3pf-42rh MODERATE lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit 4.17.21 4.18.0 -
lodash GHSA-xxjr-mmjv-4gpg MODERATE Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions 4.17.21 4.17.23 -
lodash CVE-2025-13465 MODERATE - 4.17.21 - -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 - -
uuid GHSA-w5hq-g745-h8pq MODERATE uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided 8.0.0 11.1.1 -
@babel/core GHSA-4x5r-pxfx-6jf8 LOW @babel/core: Arbitrary File Read via sourceMappingURL Comment 7.25.9 8.0.0-rc.6 -
@smithy/config-resolver GHSA-6475-r3vj-m8vf LOW AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value 3.0.10 4.4.0 -
aws-sdk GHSA-j965-2qgj-vjmq LOW JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 2.1691.0 - -
brace-expansion GHSA-v6h2-p8h4-qcjw LOW brace-expansion Regular Expression Denial of Service vulnerability 1.1.11 2.0.2 -
brace-expansion CVE-2025-5889 LOW - 1.1.11 - -
diff CVE-2026-24001 LOW jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch 4.0.2 - -
diff GHSA-73rr-hh4g-fpgx LOW jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch 4.0.2 8.0.3 -
fast-xml-parser CVE-2026-27942 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 - -
fast-xml-parser GHSA-fj3w-jwp8-x2g3 LOW fast-xml-parser has stack overflow in XMLBuilder with preserveOrder 4.4.1 5.3.8 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jul 6, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

DataDog/datadog-lambda-js | publish layer sandbox (node18): [us-west-2]   View in Datadog   GitLab

DataDog/datadog-lambda-js | publish layer sandbox (node22): [us-west-2]   View in Datadog   GitLab

ℹ️ Info

🔄 Datadog auto-retried 1 job - 0 passed on retry View in Datadog

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: fc7c64b | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants