fix(deps): vuln minor upgrades — 11 packages (minor: 5 · patch: 6) #788

Draft

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/0-1781544870

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 11 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| fast-xml-parser | 4.4.1 | 4.5.6 | minor | Transitive | 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| @babel/helpers | 7.25.9 | 7.29.7 | minor | Transitive | 2 MEDIUM |
| brace-expansion | 1.1.11 | 1.1.15 | patch | Transitive | 2 MEDIUM, 2 LOW |
| js-yaml | 3.14.1 | 3.14.2 | patch | Transitive | 2 MEDIUM |
| uuid | 8.0.0 | 8.3.2 | minor | Transitive | 1 MEDIUM |
| aws-sdk | 2.1691.0 | 2.1693.0 | minor | Transitive | 1 LOW |
| @smithy/config-resolver | 3.0.10 | 3.0.13 | patch | Transitive | 1 LOW |
| diff | 4.0.2 | 4.0.4 | patch | Transitive | 2 LOW |

Security Details

🚨 Critical & High Severity (15 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| fast-xml-parser | GHSA-m7jm-9gc2-mpf2 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.4.1 | 5.3.5 |
| fast-xml-parser | CVE-2026-25896 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.4.1 | - |
| fast-xml-parser | GHSA-jmr7-xgp7-cmfj | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.4.1 | 4.5.4 |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.4.1 | 5.5.6 |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.4.1 | - |
| fast-xml-parser | CVE-2026-26278 | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.4.1 | - |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
ℹ️ Other Vulnerabilities (23)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @babel/helpers | CVE-2025-27789 | MODERATE | Inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups | 7.25.9 | - |
| @babel/helpers | GHSA-968p-4wvh-cqc8 | MODERATE | Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups | 7.25.9 | 7.26.10 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | - |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | 5.0.5 |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 4.4.1 | 4.5.5 |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 4.4.1 | 5.7.0 |
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 4.4.1 | - |
| js-yaml | GHSA-mh29-5h37-fv8m | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | 4.1.1 |
| js-yaml | CVE-2025-64718 | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | - |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| uuid | GHSA-w5hq-g745-h8pq | MODERATE | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | 8.0.0 | 11.1.1 |
| @smithy/config-resolver | GHSA-6475-r3vj-m8vf | LOW | AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value | 3.0.10 | 4.4.0 |
| aws-sdk | GHSA-j965-2qgj-vjmq | LOW | JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 | 2.1691.0 | - |
| brace-expansion | CVE-2025-5889 | LOW | - | 1.1.11 | - |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 1.1.11 | 2.0.2 |
| diff | CVE-2026-24001 | LOW | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | 4.0.2 | - |
| diff | GHSA-73rr-hh4g-fpgx | LOW | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | 4.0.2 | 8.0.3 |
| fast-xml-parser | CVE-2026-27942 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.4.1 | - |
| fast-xml-parser | GHSA-fj3w-jwp8-x2g3 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.4.1 | 5.3.8 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jun 15, 2026


⚠️ Warnings

🚦 2 Pipeline jobs failed

  • DataDog/datadog-lambda-js | e2e-test-status (GitLab)
  • build | unit-test (22.11) (GitHub Actions)


This comment will be updated automatically if new data arrives.
Commit SHA: 9e99e04
