
feat(ci): add workflow to audit dependencies#1663

Merged: marians merged 7 commits into main from add-dependency-audit-workflow on May 12, 2026

Conversation


@marians marians commented May 12, 2026

What does this PR do?

Adds the workflow created in giantswarm/github-workflows#168 for auditing dependency changes in PRs.

Should this change be mentioned in the release notes?

No

@github-actions

JS Dependency Audit

1 added · 0 removed · 248 total (+1 vs base)

Projects audited
  • . (manager: yarn-berry)
  • ./packages/app (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend-common (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend-headless-service (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/auth-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/catalog-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/error-reporter-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/flux (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/flux-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-common (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/kubernetes-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/scaffolder-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/techdocs-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ui-react (manager: unknown) — skipped on PR head: no recognized lockfile

Added by this PR (1)

  • 🟡 moderate jszip (<3.8.0) — JSZip contains Path Traversal via loadAsync advisory

Full current vulnerability list (248)
  • 🔴 critical basic-ftp (<5.2.0) — Basic FTP has Path Traversal Vulnerability in its downloadToDir() method advisory
  • 🔴 critical cipher-base (<=1.0.4) — cipher-base is missing type checks, leading to hash rewind and passing on crafted data advisory
  • 🔴 critical elliptic (<=6.6.0) — Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) advisory
  • 🔴 critical fast-xml-parser (>=4.1.3 <4.5.4) — fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names advisory
  • 🔴 critical form-data (<2.5.4) — form-data uses unsafe random function in form-data for choosing boundary advisory
  • 🔴 critical handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion advisory
  • 🔴 critical jsonpath-plus (<10.2.0) — JSONPath Plus Remote Code Execution (RCE) Vulnerability advisory
  • 🔴 critical pbkdf2 (>=3.0.10 <=3.1.2) — pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos advisory
  • 🔴 critical pbkdf2 (>=1.0.0 <=3.1.2) — pbkdf2 silently disregards Uint8Array input, returning static keys advisory
  • 🔴 critical protobufjs (<7.5.5) — Arbitrary code execution in protobufjs advisory
  • 🔴 critical sha.js (<=2.4.11) — sha.js is missing type checks leading to hash rewind and passing on crafted data advisory
  • 🔴 critical vm2 (<=3.10.1) — vm2 has a Sandbox Escape advisory
  • 🔴 critical vm2 (<=3.10.4) — VM2 Has a Sandbox Escape Issue via SuppressedError advisory
  • 🔴 critical vm2 (<=3.10.3) — VM2 Has Sandbox Breakout Through Inspect Function advisory
  • 🔴 critical vm2 (<=3.10.3) — VM2 Has Sandbox Breakout Through Promise Species advisory
  • 🔴 critical vm2 (<=3.10.5) — vm2 Access to Host Object Enables Sandbox Escape advisory
  • 🔴 critical vm2 (<=3.10.5) — vm2 has a Sandbox Escape Vulnerability advisory
  • 🔴 critical vm2 (>=3.9.6 <=3.10.5) — vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape advisory
  • 🔴 critical vm2 (<=3.11.0) — vm2 NodeVM nesting: true bypasses require: false allowing sandbox escape and arbitrary OS command execution advisory
  • 🔴 critical vm2 (<=3.10.4) — VM2 Sandbox Breakout Through lookupGetter advisory
  • 🔴 critical vm2 (<=3.11.1) — vm2 has sandbox breakout via neutralizeArraySpeciesBatch advisory
  • 🔴 critical vm2 (<3.11.2) — vm2 has Sandbox Breakout Through Null Proto Exception advisory
  • 🟠 high @backstage/backend-defaults (<0.12.2) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @backstage/plugin-scaffolder-node (>=0.12.0 <0.12.3) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @backstage/plugin-scaffolder-node (<0.11.2) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @hono/node-server (<1.19.10) — @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware advisory
  • 🟠 high axios (<0.30.0) — axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL advisory
  • 🟠 high axios (>=1.0.0 <1.8.2) — axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL advisory
  • 🟠 high axios (>=1.0.0 <1.12.0) — Axios is vulnerable to DoS attack through lack of data size check advisory
  • 🟠 high axios (<=0.31.0) — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 advisory
  • 🟠 high axios (>=1.0.0 <1.15.1) — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 advisory
  • 🟠 high axios (>=1.0.0 <1.15.2) — Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking advisory
  • 🟠 high axios (<=0.31.0) — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking advisory
  • 🟠 high axios (>=1.0.0 <1.15.1) — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking advisory
  • 🟠 high axios (<=0.31.0) — Axios: Header Injection via Prototype Pollution advisory
  • 🟠 high axios (>=1.0.0 <1.15.1) — Axios: Header Injection via Prototype Pollution advisory
  • 🟠 high axios (<=0.30.2) — Axios is Vulnerable to Denial of Service via proto Key in mergeConfig advisory
  • 🟠 high axios (>=1.0.0 <=1.13.4) — Axios is Vulnerable to Denial of Service via proto Key in mergeConfig advisory
  • 🟠 high basic-ftp (<=5.2.1) — basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands advisory
  • 🟠 high basic-ftp (<=5.2.2) — basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() advisory
  • 🟠 high basic-ftp (<=5.3.0) — basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering advisory
  • 🟠 high fast-uri (<=3.1.0) — fast-uri vulnerable to path traversal via percent-encoded dot segments advisory
  • 🟠 high fast-uri (<=3.1.1) — fast-uri vulnerable to host confusion via percent-encoded authority delimiters advisory
  • 🟠 high fast-xml-builder (<=1.1.6) — fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes advisory
  • 🟠 high fast-xml-parser (>=4.1.3 <4.5.4) — fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) advisory
  • 🟠 high fast-xml-parser (>=4.0.0-beta.3 <4.5.5) — fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) advisory
  • 🟠 high fast-xml-parser (>=5.0.0 <5.5.6) — fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) advisory
  • 🟠 high flatted (<3.4.0) — flatted vulnerable to unbounded recursion DoS in parse() revive phase advisory
  • 🟠 high flatted (<=3.4.1) — Prototype Pollution via parse() in NodeJS flatted advisory
  • 🟠 high glob (>=10.2.0 <10.5.0) — glob CLI: Command injection via -c/--cmd executes matches with shell:true advisory
  • 🟠 high glob (>=11.0.0 <11.1.0) — glob CLI: Command injection via -c/--cmd executes matches with shell:true advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options advisory
  • 🟠 high immutable (<3.8.3) — Immutable is vulnerable to Prototype Pollution advisory
  • 🟠 high jsonpath-plus (<10.3.0) — JSONPath Plus allows Remote Code Execution advisory
  • 🟠 high jws (=4.0.0) — auth0/node-jws Improperly Verifies HMAC Signature advisory
  • 🟠 high jws (<3.2.3) — auth0/node-jws Improperly Verifies HMAC Signature advisory
  • 🟠 high koa (>=3.0.0 <3.1.2) — Koa has Host Header Injection via ctx.hostname advisory
  • 🟠 high linkifyjs (<4.3.2) — Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) advisory
  • 🟠 high lodash (>=4.0.0 <=4.17.23) — lodash vulnerable to Code Injection via _.template imports key names advisory
  • 🟠 high lodash-es (>=4.0.0 <=4.17.23) — lodash vulnerable to Code Injection via _.template imports key names advisory
  • 🟠 high minimatch (<3.1.3) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=5.0.0 <5.1.7) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=7.0.0 <7.4.7) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=9.0.0 <9.0.6) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=10.0.0 <10.2.1) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (<3.1.3) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=5.0.0 <5.1.8) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=7.0.0 <7.4.8) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=9.0.0 <9.0.7) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=10.0.0 <10.2.3) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (<3.1.4) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=5.0.0 <5.1.8) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=7.0.0 <7.4.8) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=9.0.0 <9.0.7) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=10.0.0 <10.2.3) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high multer (<2.1.0) — Multer vulnerable to Denial of Service via incomplete cleanup advisory
  • 🟠 high multer (<2.1.0) — Multer vulnerable to Denial of Service via resource exhaustion advisory
  • 🟠 high multer (<2.1.1) — Multer Vulnerable to Denial of Service via Uncontrolled Recursion advisory
  • 🟠 high node-forge (<=1.3.3) — Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) advisory
  • 🟠 high node-forge (<1.4.0) — Forge has signature forgery in Ed25519 due to missing S > L check advisory
  • 🟠 high node-forge (<1.4.0) — Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input advisory
  • 🟠 high node-forge (<1.4.0) — Forge has signature forgery in RSA-PKCS due to ASN.1 extra field advisory
  • 🟠 high path-to-regexp (<0.1.13) — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters advisory
  • 🟠 high path-to-regexp (>=8.0.0 <8.4.0) — path-to-regexp vulnerable to Denial of Service via sequential optional groups advisory
  • 🟠 high picomatch (<2.3.2) — Picomatch has a ReDoS vulnerability via extglob quantifiers advisory
  • 🟠 high picomatch (>=4.0.0 <4.0.4) — Picomatch has a ReDoS vulnerability via extglob quantifiers advisory
  • 🟠 high tar (<7.5.7) — node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal advisory
  • 🟠 high tar (<=7.5.2) — node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization advisory
  • 🟠 high tar (<7.5.8) — Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction advisory
  • 🟠 high tar (<=7.5.9) — tar has Hardlink Path Traversal via Drive-Relative Linkpath advisory
  • 🟠 high tar (<=7.5.10) — node-tar Symlink Path Traversal via Drive-Relative Linkpath advisory
  • 🟠 high tar (<=7.5.3) — Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS advisory
  • 🟠 high underscore (<=1.13.7) — Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack advisory
  • 🟠 high undici (>=7.0.0 <7.24.0) — Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client advisory
  • 🟠 high undici (>=7.0.0 <7.24.0) — Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression advisory
  • 🟠 high undici (<6.24.0) — Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression advisory
  • 🟠 high undici (>=7.0.0 <7.24.0) — Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation advisory
  • 🟠 high undici (<6.24.0) — Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation advisory
  • 🟠 high vm2 (<=3.10.5) — vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) advisory
  • 🟠 high vm2 (<=3.10.5) — vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion advisory
  • 🟡 moderate @babel/runtime (<7.26.10) — Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups advisory
  • 🟡 moderate @backstage/backend-common (0.25.0) — This package is deprecated, please follow the deprecation instructions for the exports you still use
  • 🟡 moderate @backstage/cli-common (<=0.1.16) — @backstage/cli-common has a possible resolveSafeChildPath Symlink Chain Bypass advisory
  • 🟡 moderate @backstage/plugin-circleci (0.3.35) — This package has been moved to the to the https://github.com/CircleCI-Public/backstage-plugin repository. You should migrate to using that instead.
  • 🟡 moderate @fortawesome/react-fontawesome (0.2.6) — v0.2.x is no longer supported. Unless you are still using FontAwesome 5, please update to v3.1.1 or greater.
  • 🟡 moderate @hono/node-server (<1.19.13) — @hono/node-server: Middleware bypass via repeated slashes in serveStatic advisory
  • 🟡 moderate @humanwhocodes/config-array (0.13.0) — Use @eslint/config-array instead
  • 🟡 moderate @humanwhocodes/object-schema (2.0.3) — Use @eslint/object-schema instead
  • 🟡 moderate @material-ui/core (4.12.4) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @material-ui/lab (4.0.0-alpha.57) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @material-ui/pickers (3.3.11) — This package no longer supported. It has been relaced by @mui/x-date-pickers
  • 🟡 moderate @material-ui/styles (4.11.5) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @octokit/endpoint (>=9.0.5 <9.0.6) — @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/plugin-paginate-rest (>=1.0.0 <9.2.2) — @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/plugin-paginate-rest (>=9.3.0-beta.1 <11.4.1) — @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/request (>=1.0.0 <8.4.1) — @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/request-error (>=1.0.0 <5.1.1) — @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @react-hookz/deep-equal (1.0.4) — PACKAGE IS DEPRECATED AND WILL BE DETED SOON, USE @ver0/deep-equal INSTEAD
  • 🟡 moderate @rjsf/material-ui (5.24.13) — Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
  • 🟡 moderate @sentry/browser (<7.119.1) — Sentry SDK Prototype Pollution gadget in JavaScript SDKs advisory
  • 🟡 moderate @types/http-proxy-middleware (1.0.0) — This is a stub types definition. http-proxy-middleware provides its own type definitions, so you do not need this installed.
  • 🟡 moderate @types/keyv (4.2.0) — This is a stub types definition. keyv provides its own type definitions, so you do not need this installed.
  • 🟡 moderate @ungap/structured-clone (1.3.0) — Potential CWE-502 - Update to 1.3.1 or higher
  • 🟡 moderate atlassian-openapi (1.0.19) — DEPRECATED: atlassian-openapi has moved to @atlassian/atlassian-openapi. The latest version is 1.0.6. Please update your dependency.
  • 🟡 moderate axios (>=0.8.1 <0.28.0) — Axios Cross-Site Request Forgery Vulnerability advisory
  • 🟡 moderate axios (<0.31.0) — Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.0) — Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF advisory
  • 🟡 moderate axios (<0.31.0) — Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.0) — Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.2) — Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: no_proxy bypass via IP alias allows SSRF advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: no_proxy bypass via IP alias allows SSRF advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: unbounded recursion in toFormData causes DoS via deeply nested request data advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: unbounded recursion in toFormData causes DoS via deeply nested request data advisory
  • 🟡 moderate axios (<=0.31.0) — Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: HTTP adapter streamed responses bypass maxContentLength advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: HTTP adapter streamed responses bypass maxContentLength advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion advisory
  • 🟡 moderate bn.js (>=5.0.0 <5.2.3) — bn.js affected by an infinite loop advisory
  • 🟡 moderate bn.js (<4.12.3) — bn.js affected by an infinite loop advisory
  • 🟡 moderate boolean (3.2.0) — Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
  • 🟡 moderate brace-expansion (<1.1.13) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=2.0.0 <2.0.3) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=4.0.0 <5.0.5) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate core-js (2.6.12) — core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
  • 🟡 moderate dompurify (>=3.1.3 <3.2.7) — DOMPurify contains a Cross-site Scripting vulnerability advisory
  • 🟡 moderate dompurify (>=3.1.3 <=3.3.1) — DOMPurify contains a Cross-site Scripting vulnerability advisory
  • 🟡 moderate dompurify (<=3.3.1) — DOMPurify ADD_ATTR predicate skips URI validation advisory
  • 🟡 moderate dompurify (<=3.3.1) — DOMPurify USE_PROFILES prototype pollution allows event handlers advisory
  • 🟡 moderate dompurify (<=3.3.3) — DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation advisory
  • 🟡 moderate dompurify (<3.4.0) — DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) advisory
  • 🟡 moderate dompurify (>=1.0.10 <3.4.0) — DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode advisory
  • 🟡 moderate dompurify (>=3.0.1 <3.4.0) — DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback advisory
  • 🟡 moderate dompurify (<3.3.2) — DOMPurify is vulnerable to mutation-XSS via Re-Contextualization advisory
  • 🟡 moderate eslint (8.57.1) — This version is no longer supported. Please see https://eslint.org/version-support for other options.
  • 🟡 moderate fast-xml-parser (>=5.0.0 <5.5.7) — Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser advisory
  • 🟡 moderate fast-xml-parser (>=4.0.0-beta.3 <4.5.5) — Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser advisory
  • 🟡 moderate fast-xml-parser (<5.7.0) — fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters advisory
  • 🟡 moderate file-type (>=13.0.0 <21.3.1) — file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header advisory
  • 🟡 moderate follow-redirects (<=1.15.11) — follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets advisory
  • 🟡 moderate glob (7.2.3) — Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
  • 🟡 moderate handlebars (>=4.0.0 <4.7.9) — Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection advisory
  • 🟡 moderate handlebars (>=4.6.0 <=4.7.8) — Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry advisory
  • 🟡 moderate har-validator (5.1.5) — this library is no longer supported
  • 🟡 moderate hono (<4.12.12) — Hono missing validation of cookie name on write path in setCookie() advisory
  • 🟡 moderate hono (<4.12.12) — Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() advisory
  • 🟡 moderate hono (>=4.0.0 <=4.12.11) — Hono: Path traversal in toSSG() allows writing files outside the output directory advisory
  • 🟡 moderate hono (<4.12.12) — Hono: Middleware bypass via repeated slashes in serveStatic advisory
  • 🟡 moderate hono (<4.12.14) — hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR advisory
  • 🟡 moderate hono (<4.12.12) — Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses advisory
  • 🟡 moderate hono (<4.12.16) — Hono: bodyLimit() can be bypassed for chunked / unknown-length requests advisory
  • 🟡 moderate hono (<4.12.16) — hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection advisory
  • 🟡 moderate hono (<4.12.18) — Hono has CSS Declaration Injection via Style Object Values in JSX SSR advisory
  • 🟡 moderate hono (<4.12.18) — Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage advisory
  • 🟡 moderate http-proxy-middleware (>=3.0.0 <3.0.5) — http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed advisory
  • 🟡 moderate http-proxy-middleware (>=3.0.0 <3.0.4) — http-proxy-middleware can call writeBody twice because "else if" is not used advisory
  • 🟡 moderate inflight (1.0.6) — This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
  • 🟡 moderate ip-address (<=10.1.0) — ip-address has XSS in Address6 HTML-emitting methods advisory
  • 🟡 moderate jszip (<3.8.0) — JSZip contains Path Traversal via loadAsync advisory
  • 🟡 moderate lodash (<=4.17.23) — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit advisory
  • 🟡 moderate lodash-es (>=4.0.0 <=4.17.22) — Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions advisory
  • 🟡 moderate lodash-es (<=4.17.23) — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit advisory
  • 🟡 moderate lodash.get (4.4.2) — This package is deprecated. Use the optional chaining (?.) operator instead.
  • 🟡 moderate lodash.isequal (4.5.0) — This package is deprecated. Use require('node:util').isDeepStrictEqual instead.
  • 🟡 moderate markdown-it (>=13.0.0 <14.1.1) — markdown-it is has a Regular Expression Denial of Service (ReDoS) advisory
  • 🟡 moderate mermaid (>=11.0.0-alpha.1 <=11.14.0) — Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS advisory
  • 🟡 moderate mermaid (>=11.0.0-alpha.1 <=11.14.0) — Mermaid: Improper sanitization of classDefs in diagrams leads to CSS injection advisory
  • 🟡 moderate mermaid (>=11.0.0-alpha.1 <=11.14.0) — Mermaid: Improper sanitization of configuration leads to CSS injection advisory
  • 🟡 moderate mermaid (>=11.0.0-alpha.1 <=11.14.0) — Mermaid: Improper sanitization of classDef in state diagrams leads to HTML injection advisory
  • 🟡 moderate nanoid (<3.3.8) — Predictable results in nanoid generation when given non-integer values advisory
  • 🟡 moderate node-domexception (1.0.0) — Use your platform's native DOMException instead
  • 🟡 moderate path-to-regexp (>=8.0.0 <8.4.0) — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards advisory
  • 🟡 moderate picomatch (<2.3.2) — Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching advisory
  • 🟡 moderate picomatch (>=4.0.0 <4.0.4) — Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching advisory
  • 🟡 moderate postcss (<8.5.10) — PostCSS has XSS via Unescaped </style> in its CSS Stringify Output advisory
  • 🟡 moderate prebuild-install (7.1.3) — No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
  • 🟡 moderate prismjs (<1.30.0) — PrismJS DOM Clobbering vulnerability advisory
  • 🟡 moderate qs (<6.14.1) — qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion advisory
  • 🟡 moderate react-beautiful-dnd (13.1.1) — react-beautiful-dnd is now deprecated. Context and options: react-beautiful-dnd is now deprecated atlassian/react-beautiful-dnd#2672
  • 🟡 moderate request (<=2.88.2) — Server-Side Request Forgery in Request advisory
  • 🟡 moderate rimraf (3.0.2) — Rimraf versions prior to v4 are no longer supported
  • 🟡 moderate stable (0.1.8) — Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
  • 🟡 moderate superagent (8.1.2) — Please upgrade to superagent v10.2.2+, see release notes at https://github.com/forwardemail/superagent/releases/tag/v10.2.2 - maintenance is supported by Forward Email @ https://forwardemail.net
  • 🟡 moderate supertest (6.3.4) — Please upgrade to supertest v7.1.3+, see release notes at https://github.com/forwardemail/supertest/releases/tag/v7.1.3 - maintenance is supported by Forward Email @ https://forwardemail.net
  • 🟡 moderate tough-cookie (<4.1.3) — tough-cookie Prototype Pollution vulnerability advisory
  • 🟡 moderate undici (<6.23.0) — Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion advisory
  • 🟡 moderate undici (>=7.0.0 <7.18.2) — Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion advisory
  • 🟡 moderate undici (>=7.0.0 <7.24.0) — Undici has an HTTP Request/Response Smuggling issue advisory
  • 🟡 moderate undici (<6.24.0) — Undici has an HTTP Request/Response Smuggling issue advisory
  • 🟡 moderate undici (>=7.0.0 <7.24.0) — Undici has CRLF Injection in undici via upgrade option advisory
  • 🟡 moderate undici (<6.24.0) — Undici has CRLF Injection in undici via upgrade option advisory
  • 🟡 moderate undici (>=7.17.0 <7.24.0) — Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS advisory
  • 🟡 moderate uuid (>=11.0.0 <11.1.1) — uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided advisory
  • 🟡 moderate uuid (10.0.0) — uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
  • 🟡 moderate vm2 (<=3.10.5) — vm2's Transformer Fast-Path Bypass Exposes Internal State Variable advisory
  • 🟡 moderate vm2 (<=3.10.5) — vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak advisory
  • 🟡 moderate vm2 (<=3.10.5) — vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary advisory
  • 🟡 moderate vm2 (<3.11.2) — vm2 has access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL advisory
  • 🟡 moderate yaml (>=1.0.0 <1.10.3) — yaml is vulnerable to Stack Overflow via deeply nested YAML collections advisory
  • 🟡 moderate yaml (>=2.0.0 <2.8.3) — yaml is vulnerable to Stack Overflow via deeply nested YAML collections advisory
  • 🟡 moderate zod (<=3.22.2) — Zod denial of service vulnerability advisory
  • 🔵 low @backstage/backend-defaults (<0.12.2) — Backstage has a Possible SSRF when reading from allowed URL's in backend.reading.allow advisory
  • 🔵 low @backstage/integration (<=1.20.0) — Backstage vulnerable to potential reading of SCM URLs using built in token advisory
  • 🔵 low @smithy/config-resolver (<4.4.0) — AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value advisory
  • 🔵 low @tootallnate/once (<3.0.1) — @tootallnate/once vulnerable to Incorrect Control Flow Scoping advisory
  • 🔵 low axios (<=0.31.0) — Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams advisory
  • 🔵 low axios (>=1.0.0 <1.15.1) — Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams advisory
  • 🔵 low brace-expansion (>=1.0.0 <=1.1.11) — brace-expansion Regular Expression Denial of Service vulnerability advisory
  • 🔵 low brace-expansion (>=2.0.0 <=2.0.1) — brace-expansion Regular Expression Denial of Service vulnerability advisory
  • 🔵 low cookie (<0.7.0) — cookie accepts cookie name, path, and domain with out of bounds characters advisory
  • 🔵 low diff (>=4.0.0 <4.0.4) — jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch advisory
  • 🔵 low diff (>=5.0.0 <5.2.2) — jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch advisory
  • 🔵 low elliptic (<6.6.0) — Valid ECDSA signatures erroneously rejected in Elliptic advisory
  • 🔵 low elliptic (<=6.6.1) — Elliptic Uses a Cryptographic Primitive with a Risky Implementation advisory
  • 🔵 low fast-xml-parser (>=4.0.0-beta.0 <4.5.4) — fast-xml-parser has stack overflow in XMLBuilder with preserveOrder advisory
  • 🔵 low handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has a Property Access Validation Bypass in container.lookup advisory
  • 🔵 low hono (<4.12.18) — Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() advisory
  • 🔵 low on-headers (<1.1.0) — on-headers is vulnerable to http response header manipulation advisory
  • 🔵 low tmp (<=0.2.3) — tmp allows arbitrary temporary file / directory write via symbolic link dir parameter advisory
  • 🔵 low undici (>=7.0.0 <7.5.0) — undici Denial of Service attack via bad certificate data advisory

@marians marians marked this pull request as ready for review May 12, 2026 12:23
@marians marians requested a review from a team as a code owner May 12, 2026 12:23