.nsprc
Lines changed: 3 additions & 3 deletions
@@ -3,8 +3,8 @@
3
3
"notes": "CVE-2025-14505: elliptic ECDSA signature corruption can lead to private key recovery if attacker obtains both faulty and correct signatures for identical inputs. Accepted risk: dev-only transitive dependency (node-stdlib-browser -> crypto-browserify -> browserify-sign), not used for signing in this project, no fix available.",
4
4
"expiry": "2026-08-15"
5
5
},
6
-
"GHSA-g9mf-h72j-4rw9": {
7
-
"notes": "undici DoS via unbounded decompression chain. Accepted risk: dev-only transitive dependency (@actions/core, @actions/github), only affects CI/CD workflows, not bundled in extension. Fix requires major version jump (5.x -> 6.x/7.x) breaking @actions/http-client constraint.",
8
-
"expiry": "2026-08-15"
6
+
"GHSA-vpq2-c234-7xj6": {
7
+
"notes": "CVE-2026-3449: @tootallnate/once promise hangs on AbortSignal abort (CVSS 1.9, availability only). Transitive dep via http-proxy-agent in dev-only packages (test-electron, jsdom) and BigQuery driver; worst case is a single stalled HTTP proxy request, no data leak or code execution.",
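Review bot: The new GHSA-vpq2-c234-7xj6 note groups the BigQuery driver with the "dev-only packages (test-electron, jsdom)" but does not say the driver itself is dev-only, so the justification may not cover a path that ships at runtime. State explicitly whether the http-proxy-agent path through the BigQuery driver is reachable in the shipped product and, if it is, why a stalled proxy request is acceptable there (for example a request timeout upstream of it). The note also drops the "Accepted risk:" wording and the fix-availability statement that the CVE-2025-14505 entry above carries; adding both keeps the exceptions consistent and gives the next reviewer a reason to revisit before expiry. The visible lines do not show an "expiry" for the new entry, so confirm it has one.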