fix(deps): vuln minor upgrades — 6 packages (minor: 2 · patch: 4) #353

Merged
szegedi merged 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/0-1781594532
Jun 16, 2026

Conversation

@gh-worker-campaigns-3e9aa4


Summary: High-severity security update — 6 packages upgraded (MINOR changes included)

Manifests changed:

  • . (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---------|------|----|------|----------|-----------------------|
| minimatch | 9.0.5 | 9.0.9 | patch | Transitive | 6 HIGH |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| lodash | 4.17.23 | 4.18.1 | minor | Transitive | 1 HIGH, 1 MEDIUM |
| brace-expansion | 5.0.4 | 5.0.6 | patch | Transitive | 3 MEDIUM |
| js-yaml | 3.14.1 | 3.14.2 | patch | Transitive | 3 MEDIUM |
| @babel/core | 7.29.0 | 7.29.7 | patch | Transitive | 1 LOW |

Security Details

🚨 Critical & High Severity (11 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---------|-----|----------|---------|----------------|----------|
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.23 | 4.18.0 |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | 10.2.1 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | - |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | 10.2.3 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | 10.2.3 |
ℹ️ Other Vulnerabilities (8)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---------|-----|----------|---------|----------------|----------|
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.4 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 5.0.4 | - |
| brace-expansion | GHSA-jxxr-4gwj-5jf2 | MODERATE | brace-expansion: Large numeric range defeats documented max DoS protection | 5.0.4 | 5.0.6 |
| js-yaml | GHSA-h67p-54hq-rp68 | MODERATE | JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases | 3.14.1 | 4.2.0 |
| js-yaml | CVE-2025-64718 | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | - |
| js-yaml | GHSA-mh29-5h37-fv8m | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | 4.1.1 |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.23 | 4.18.0 |
| @babel/core | GHSA-4x5r-pxfx-6jf8 | LOW | @babel/core: Arbitrary File Read via sourceMappingURL Comment | 7.29.0 | 8.0.0-rc.6 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
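A check a reviewer of this kind of PR would want before approving, as an added example that is not part of the PR, the bot, or the project: all six upgrades are transitive, and a transitive package can resolve to several copies in a lockfile (a hoisted one under node_modules/ and nested ones under node_modules/<parent>/node_modules/), so bumping the top-level copy does not prove that every resolved copy is at the target version. The advisory table above also lists "Fixed In" versions on other release lines (minimatch 10.2.3, js-yaml 4.2.0) than the 9.0.9 and 3.14.2 this PR resolves to, which is one more reason to look at the resolved versions themselves rather than the summary. The script below walks a package-lock.json in the lockfileVersion 2/3 shape (the `packages` map keyed by node_modules path), compares every copy of each listed package against the "To" column, and reports each copy. The lockfile embedded here is constructed for the example, with one nested minimatch deliberately left at the pre-upgrade 9.0.5; `MIN_VERSIONS`, `auditLock` and the other names are this example's own.

```javascript
// Added example (not code from the PR, the bot, or the project): verify that
// every resolved copy of each upgraded package in package-lock.json meets the
// minimum version the PR lands. Transitive packages can be nested
// (node_modules/a/node_modules/minimatch) and a stale nested copy can survive
// a top-level bump, so every lockfile entry is checked, not just the hoisted one.

// Minimum versions: the "To" column of the PR's update table.
const MIN_VERSIONS = {
  'minimatch': '9.0.9',
  'flatted': '3.4.2',
  'lodash': '4.18.1',
  'brace-expansion': '5.0.6',
  'js-yaml': '3.14.2',
  '@babel/core': '7.29.7',
};

// Constructed sample in the lockfileVersion 3 shape (keys are node_modules
// paths, values carry "version"). The nested minimatch copy is deliberately
// left at the pre-upgrade 9.0.5 to show what the check catches.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/minimatch': { version: '9.0.9' },
    'node_modules/glob': { version: '10.3.10' },
    'node_modules/glob/node_modules/minimatch': { version: '9.0.5' },
    'node_modules/flatted': { version: '3.4.2' },
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/brace-expansion': { version: '5.0.6' },
    'node_modules/js-yaml': { version: '3.14.2' },
    'node_modules/@babel/core': { version: '7.29.7' },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null for anything
// else (a git URL, a "file:" spec), which the caller reports as unparseable.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts below the same release version;
// pre-release identifiers are compared as plain strings, a simplification of
// the full semver ordering that is sufficient for release-line comparisons.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} vs ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  if (pa.pre && pb.pre && pa.pre !== pb.pre) return pa.pre < pb.pre ? -1 : 1;
  return 0;
}

// Every lockfile entry whose final node_modules segment is `name`, which
// covers scoped names (@babel/core) and nested copies alike.
function findPackageVersions(lock, name) {
  const marker = 'node_modules/';
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf(marker);
    if (i === -1) continue;
    if (path.slice(i + marker.length) === name && entry && entry.version) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// One finding per resolved copy: 'ok', 'below_min' (compare against the
// advisory's own affected ranges before calling it vulnerable, since a lower
// major line may or may not be affected), 'unparseable', or 'absent' when the
// package does not appear in the lockfile at all.
function auditLock(lock, minimums) {
  const findings = [];
  for (const [name, min] of Object.entries(minimums)) {
    const copies = findPackageVersions(lock, name);
    if (copies.length === 0) {
      findings.push({ name, path: null, version: null, status: 'absent' });
      continue;
    }
    for (const { path, version } of copies) {
      let status;
      if (!parseSemver(version)) status = 'unparseable';
      else status = compareSemver(version, min) < 0 ? 'below_min' : 'ok';
      findings.push({ name, path, version, status });
    }
  }
  return findings;
}

// Run against the constructed sample; for a real checkout, replace SAMPLE_LOCK
// with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const findings = auditLock(SAMPLE_LOCK, MIN_VERSIONS);
for (const f of findings) {
  console.log(`${f.status.padEnd(11)} ${f.name}@${f.version ?? '?'}  ${f.path ?? ''}`);
}
```

On the sample, the hoisted minimatch passes and the nested copy under glob is reported as below_min, which is exactly the case a top-level version bump in the diff would not reveal. A below_min result on a different major line (say a 2.x brace-expansion nested under an older parent) is a prompt to read that advisory's affected range, not an automatic fail.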

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jun 16, 2026


Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed


This comment will be updated automatically if new data arrives.
🔗 Commit SHA: b3168dd

@github-actions


Overall package size

Self size: 2.19 MB
Deduped: 2.55 MB
No deduping: 2.55 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| source-map | 0.7.6 | 185.63 kB | 185.63 kB |
| pprof-format | 2.2.1 | 163.06 kB | 163.06 kB |
| node-gyp-build | 4.8.4 | 13.86 kB | 13.86 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

@szegedi szegedi added the semver-patch Bug or security fixes, mainly label Jun 16, 2026
@szegedi szegedi marked this pull request as ready for review June 16, 2026 09:34
@szegedi szegedi merged commit 089e6f3 into main Jun 16, 2026
70 of 79 checks passed
@szegedi szegedi deleted the engraver-auto-version-upgrade/minorpatch/npm/0-1781594532 branch June 16, 2026 09:34
@dd-prapprover

dd-prapprover Bot commented Jun 16, 2026


PRApprover will approve and merge this PR (FAQ, #dx-source-code-management)

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-06-16T09:34:57Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.
