[URGENT] chore: fix security vulnerabilities (2026-05-13)#125

Closed
github-actions[bot] wants to merge 2 commits into main from chore/security-fix-2026-05-13

Conversation

@github-actions
Contributor

Security Fix — 2026-05-13

Image scanned

veecode/devportal-base:latest

Vulnerabilities found

  • Critical: 10
  • High: 38
  • Medium: 38
  • Low: 5

Fixes applied

npm (via Yarn resolutions):

| CVE(s) | Package | Change |
| --- | --- | --- |
| CVE-2026-42033, CVE-2026-42035, CVE-2026-42043, CVE-2026-42264, CVE-2026-42034, CVE-2026-42036–42039, CVE-2026-42041–42044 | axios | 1.15.0 → 1.15.2 |
| CVE-2026-44240 | basic-ftp | 5.3.0 → 5.3.1 |
| CVE-2026-6321, CVE-2026-6322 | fast-uri | 3.1.0 → 3.1.2 (new resolution) |
| CVE-2026-44665, CVE-2026-44664 | fast-xml-builder | 1.1.5 → 1.1.7 (new resolution) |
| CVE-2026-42338 | ip-address | 10.1.0 → 10.1.1 (new resolution) |
| CVE-2026-44288 | @protobufjs/utf8 | 1.1.0 → 1.1.1 (new resolution) |
| CVE-2026-41907 | uuid@^11.0.0 | 11.1.0 → 11.1.1 (new range resolution) |
| CVE-2026-41907 | uuid@^13.0.0 | 13.0.0 → 13.0.1 (new range resolution) |
| CVE-2026-24118, CVE-2026-24781, CVE-2026-26332, CVE-2026-43997–44009, CVE-2026-43998–44004, GHSA-2cm2-m3w5-gp2f | vm2 | ^3.10.2 → 3.11.2 |

Python (via requirements.in):

| CVE(s) | Package | Change |
| --- | --- | --- |
| CVE-2026-44431, CVE-2026-44432 | urllib3 | >=2.6.3 → >=2.7.0 |

Vulnerabilities not fixed

| CVE(s) | Package | Reason |
| --- | --- | --- |
| CVE-2025-25288 | @octokit/plugin-paginate-rest | Fix requires major bump (6→9/11); consumers span v6, v9, v11 — incompatible |
| CVE-2025-25290 | @octokit/request | Fix requires major bump (6→8); consumers span v6 and v8 — incompatible |
| CVE-2025-25289 | @octokit/request-error | Fix requires major bump (3→5/6); consumers span v3 and v5 — incompatible |
| CVE-2026-31808 | file-type | Fix requires major bump (16→21); @trendyol-js/openstack-swift-sdk requires ^16.5.4 |
| CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802 | tar (v6.2.1) | Fix requires major bump (6→7); @backstage/backend-defaults@0.12.2 requires ^6.1.12 |
| CVE-2026-44289–44294, CVE-2026-44288 | protobufjs | 7.5.5→7.5.6 causes webpack build regression (@protobufjs/inquire critical-dependency error); reverted. Partially mitigated via @protobufjs/utf8 1.1.1 |
| CVE-2025-69534 | Markdown | Fix (3.8.1) conflicts with mkdocs-techdocs-core==1.4.0 which requires Markdown<3.4 |
| CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499, CVE-2026-39823–39826 | stdlib (Go) | Go stdlib in compiled binaries — not fixable via yarn/pip |
| CVE-2026-4539 | Pygments | Low severity — report only per policy |
| CVE-2025-68142 | pymdown-extensions | Low severity — report only per policy |
| CVE-2026-3449 | @tootallnate/once | Low severity — report only per policy |
| CVE-2026-24001 | diff | Low severity — report only per policy |
| CVE-2026-42040 | axios | Low severity — report only per policy (other axios CVEs fixed) |

Validation results

  • install: pass
  • tsc: pass
  • lint: pass
  • build: pass
  • test: pass

Manual attention required

  • @octokit/* packages (plugin-paginate-rest, request, request-error): require coordinated Backstage upgrade to resolve version conflicts across consumers
  • tar@6.x: requires @backstage/backend-defaults upgrade to a version that declares ^7.x
  • protobufjs CVEs: partial mitigation via @protobufjs/utf8 1.1.1; full fix blocked by webpack incompatibility in 7.5.6
  • Markdown (Python): requires mkdocs-techdocs-core upgrade beyond 1.4.0 first
  • Go stdlib CVEs: require rebuilding binaries with updated Go toolchain — not addressable in this repo

github-actions Bot and others added 2 commits May 13, 2026 12:19
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
protobufjs 7.5.6 bundles @protobufjs/inquire which causes a webpack
critical-dependency error in the frontend build. Keep 7.5.5 pinned;
fix CVE-2026-44288 via @protobufjs/utf8 resolution instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions github-actions Bot closed this May 14, 2026
@github-actions github-actions Bot deleted the chore/security-fix-2026-05-13 branch May 14, 2026 11:58