Skip to content

fix(deps): vuln minor upgrades — 8 packages (minor: 5 · patch: 3) #1324

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
developfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783352202
Draft

fix(deps): vuln minor upgrades — 8 packages (minor: 5 · patch: 3) #1324
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
developfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783352202

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: High-severity security update — 8 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
glob 11.0.3 11.1.0 minor Transitive 2 HIGH
minimatch 3.1.3 3.1.5 patch Transitive 2 HIGH
sigstore 4.0.0 4.1.1 minor Transitive 1 HIGH
tmp 0.2.6 0.2.7 patch Transitive 1 HIGH
js-yaml 4.1.0 4.3.0 minor Transitive 3 MEDIUM
ajv 6.12.6 6.15.0 minor Transitive 2 MEDIUM
@sigstore/core 3.0.0 3.2.1 minor Transitive 1 MEDIUM
fast-xml-parser 4.5.5 4.5.7 patch Transitive 1 MEDIUM

Security Details

🚨 Critical & High Severity (6 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
glob GHSA-5j98-mcp5-4vw2 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 11.0.3 11.1.0 -
glob CVE-2025-64756 HIGH glob CLI: Command injection via -c/--cmd executes matches with shell:true 11.0.3 - -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.3 - -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 3.1.3 10.2.3 -
sigstore GHSA-52v5-jr5w-gjxr HIGH sigstore's certificateOIDs verification constraints are silently dropped and never enforced 4.0.0 4.1.1 -
tmp GHSA-7c78-jf6q-g5cm HIGH tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template 0.2.6 0.2.7 -
ℹ️ Other Vulnerabilities (7)
Package CVE Severity Summary Unsafe Version Fixed In Case
@sigstore/core GHSA-jfc7-64v2-mr8c MODERATE @sigstore/core has DSSE payloadType type-binding failure 3.0.0 3.2.1 -
ajv GHSA-2g4f-4pwh-qvx6 MODERATE ajv has ReDoS when using $data option 6.12.6 8.18.0 -
ajv CVE-2025-69873 MODERATE - 6.12.6 - -
fast-xml-parser GHSA-gh4j-gqv2-49f6 MODERATE fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters 4.5.5 5.7.0 -
js-yaml CVE-2025-64718 MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 - -
js-yaml GHSA-mh29-5h37-fv8m MODERATE js-yaml has prototype pollution in merge (<<) 4.1.0 4.1.1 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 4.1.0 4.2.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-official

datadog-official Bot commented Jul 6, 2026

Copy link
Copy Markdown

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

DataDog/dd-sdk-reactnative | test:build   View in Datadog   GitLab

DataDog/dd-sdk-reactnative | test:native-ios-newarch   View in Datadog   GitLab

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 56734cf | Docs | Datadog PR Page | Give us feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants