Skip to content

fix(deps): vuln minor upgrades — 13 packages (minor: 8 · patch: 5) [dashboard]#21

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/dashboard/1-1783387048
Draft

fix(deps): vuln minor upgrades — 13 packages (minor: 8 · patch: 5) [dashboard]#21
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/dashboard/1-1783387048

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown

Summary: High-severity security update — 13 packages upgraded (MINOR changes included)

Manifests changed:

  • dashboard (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
tar 7.4.3 7.5.19 minor Transitive 12 HIGH, 1 MEDIUM
next 15.4.10 15.5.20 minor Direct 9 HIGH, 10 MEDIUM, 2 LOW
minimatch 9.0.5 9.0.9 patch Transitive 6 HIGH
flatted 3.3.3 3.4.2 minor Transitive 4 HIGH
picomatch 2.3.1 2.3.2 patch Transitive 2 HIGH, 2 MEDIUM
ws 8.18.3 8.21.0 minor Transitive 1 HIGH, 1 MEDIUM
form-data 4.0.4 4.0.6 patch Transitive 1 HIGH
ajv 6.12.6 6.15.0 minor Transitive 2 MEDIUM
brace-expansion 2.0.1 2.0.3 patch Transitive 2 MEDIUM, 2 LOW
yaml 2.8.0 2.8.4 patch Transitive 2 MEDIUM
ip-address 10.0.1 10.2.0 minor Transitive 1 MEDIUM
js-yaml 4.1.1 4.3.0 minor Transitive 1 MEDIUM
postcss 8.4.31 8.5.16 minor Direct 1 MEDIUM

Security Details

🚨 Critical & High Severity (35 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
flatted GHSA-rf6f-7fwh-wjgh HIGH Prototype Pollution via parse() in NodeJS flatted 3.3.3 3.4.2 -
flatted CVE-2026-33228 HIGH flatted: Prototype Pollution via parse() 3.3.3 - -
flatted GHSA-25h7-pfq9-p65f HIGH flatted vulnerable to unbounded recursion DoS in parse() revive phase 3.3.3 3.4.0 -
flatted CVE-2026-32141 HIGH flatted: Unbounded recursion DoS in parse() revive phase 3.3.3 - -
form-data GHSA-hmw2-7cc7-3qxx HIGH form-data: CRLF injection in form-data via unescaped multipart field names and filenames 4.0.4 2.5.6 -
minimatch GHSA-3ppc-4f35-3m26 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 10.2.1 -
minimatch GHSA-23c5-xmqv-rm74 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 10.2.3 -
minimatch CVE-2026-27904 HIGH minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions 9.0.5 - -
minimatch GHSA-7r86-cg39-jmmj HIGH minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 10.2.3 -
minimatch CVE-2026-27903 HIGH minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments 9.0.5 - -
minimatch CVE-2026-26996 HIGH minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern 9.0.5 - -
next GHSA-8h8q-6873-q5fj HIGH Next.js Vulnerable to Denial of Service with Server Components 15.4.10 15.5.16 -
next GHSA-h25m-26qc-wcjf HIGH Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components 15.4.10 15.0.8 -
next GHSA-mg66-mrh9-m8jx HIGH Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components 15.4.10 15.5.16 -
next GHSA-492v-c6pp-mqqv HIGH Next.js has a Middleware / Proxy bypass through dynamic route parameter injection 15.4.10 15.5.16 -
next GHSA-36qx-fr4f-26g5 HIGH Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n 15.4.10 15.5.16 -
next GHSA-26hh-7cqf-hhc6 HIGH Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up 15.4.10 15.5.18 -
next GHSA-267c-6grr-h53f HIGH Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes 15.4.10 15.5.16 -
next GHSA-q4gf-8mx6-v5v3 HIGH Next.js has a Denial of Service with Server Components 15.4.10 15.5.15 -
next GHSA-c4j6-fc7j-m34r HIGH Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades 15.4.10 15.5.16 -
picomatch GHSA-c2c7-rcm5-vvqj HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 4.0.4 -
picomatch CVE-2026-33671 HIGH Picomatch has a ReDoS vulnerability via extglob quantifiers 2.3.1 - -
tar GHSA-9ppj-qmqm-q256 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.4.3 7.5.11 -
tar GHSA-83g3-92jg-28cx HIGH Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction 7.4.3 7.5.8 -
tar CVE-2026-29786 HIGH node-tar: Hardlink Path Traversal via Drive-Relative Linkpath 7.4.3 - -
tar CVE-2026-23950 HIGH node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS 7.4.3 - -
tar GHSA-qffp-2rhf-9h96 HIGH tar has Hardlink Path Traversal via Drive-Relative Linkpath 7.4.3 7.5.10 -
tar GHSA-r6q2-hw4h-h46w HIGH Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS 7.4.3 7.5.4 -
tar CVE-2026-23745 HIGH node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization 7.4.3 - -
tar GHSA-8qq5-rm4j-mr97 HIGH node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization 7.4.3 7.5.3 -
tar GHSA-34x7-hfp2-rc4v HIGH node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal 7.4.3 7.5.7 -
tar CVE-2026-31802 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.4.3 - -
tar CVE-2026-24842 HIGH node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal 7.4.3 - -
tar CVE-2026-26960 HIGH node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction 7.4.3 - -
ws GHSA-96hv-2xvq-fx4p HIGH ws: Memory exhaustion DoS from tiny fragments and data chunks 8.18.3 5.2.5 -
ℹ️ Other Vulnerabilities (27)
Package CVE Severity Summary Unsafe Version Fixed In Case
ajv GHSA-2g4f-4pwh-qvx6 MODERATE ajv has ReDoS when using $data option 6.12.6 8.18.0 -
ajv CVE-2025-69873 MODERATE - 6.12.6 - -
brace-expansion CVE-2026-33750 MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 2.0.1 - -
brace-expansion GHSA-f886-m6hf-6m8v MODERATE brace-expansion: Zero-step sequence causes process hang and memory exhaustion 2.0.1 5.0.5 -
ip-address GHSA-v2v4-37r5-5v8g MODERATE ip-address has XSS in Address6 HTML-emitting methods 10.0.1 10.1.1 -
js-yaml GHSA-h67p-54hq-rp68 MODERATE JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases 4.1.1 4.2.0 -
next GHSA-9g9p-9gw9-jx7f MODERATE Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration 15.4.10 15.5.10 -
next GHSA-gx5p-jg67-6x7h MODERATE Next.js has cross-site scripting in beforeInteractive scripts with untrusted input 15.4.10 15.5.16 -
next GHSA-ffhc-5mcf-pf4q MODERATE Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces 15.4.10 15.5.16 -
next GHSA-3x4c-7xq6-9pq8 MODERATE Next.js: Unbounded next/image disk cache growth can exhaust storage 15.4.10 16.1.7 -
next GHSA-wfc6-r584-vfw7 MODERATE Next.js vulnerable to cache poisoning in React Server Component responses 15.4.10 15.5.16 -
next GHSA-h64f-5h5j-jqjh MODERATE Next.js has a Denial of Service in the Image Optimization API 15.4.10 15.5.16 -
next CVE-2025-59471 MODERATE - 15.4.10 - -
next CVE-2026-27980 MODERATE Next.js: Unbounded next/image disk cache growth can exhaust storage 15.4.10 - -
next CVE-2026-29057 MODERATE Next.js: HTTP request smuggling in rewrites 15.4.10 - -
next GHSA-ggv3-7p47-pfv8 MODERATE Next.js: HTTP request smuggling in rewrites 15.4.10 16.1.7 -
picomatch CVE-2026-33672 MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 - -
picomatch GHSA-3v7f-55p6-f55p MODERATE Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching 2.3.1 4.0.4 -
postcss GHSA-qx2v-qp2m-jg93 MODERATE PostCSS has XSS via Unescaped </style> in its CSS Stringify Output 8.4.31 8.5.10 -
tar GHSA-vmf3-w455-68vh MODERATE node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) 7.4.3 7.5.16 -
ws GHSA-58qx-3vcg-4xpx MODERATE ws: Uninitialized memory disclosure 8.18.3 8.20.1 -
yaml GHSA-48c2-rrv3-qjmp MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 2.8.0 2.8.3 -
yaml CVE-2026-33532 MODERATE yaml is vulnerable to Stack Overflow via deeply nested YAML collections 2.8.0 - -
brace-expansion CVE-2025-5889 LOW - 2.0.1 - -
brace-expansion GHSA-v6h2-p8h4-qcjw LOW brace-expansion Regular Expression Denial of Service vulnerability 2.0.1 2.0.2 -
next GHSA-vfv6-92ff-j949 LOW Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting 15.4.10 15.5.16 -
next GHSA-3g8h-86w9-wvmq LOW Next.js's Middleware / Proxy redirects can be cache-poisoned 15.4.10 15.5.16 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants