build(deps): bump path-to-regexp, @nestjs/core, @nestjs/platform-fastify and @nestjs/swagger #210

dependabot · 2025-06-06T06:57:45Z

Bumps path-to-regexp to 8.2.0 and updates ancestor dependencies path-to-regexp, @nestjs/core, @nestjs/platform-fastify and @nestjs/swagger. These dependencies need to be updated together.

Updates path-to-regexp from 6.2.1 to 8.2.0

Release notes

Sourced from path-to-regexp's releases.

8.2.0

Fixed

Allowing path-to-regexp to run on older browsers by targeting ES2015

Target ES2015 5969033

Also saved 0.22kb (10%!) by removing the private class field down level

Remove s flag from regexp 51dbd45

pillarjs/path-to-regexp@v8.1.0...v8.2.0

v8.1.0

Added

Adds pathToRegexp method back for generating a regex

Adds stringify method for converting TokenData into a path string

pillarjs/path-to-regexp@v8.0.0...v8.1.0

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)

Parameter names follow JS identifier rules and allow unicode characters

Added

Parameter names can now be quoted, e.g. :"foo-bar"

Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

Removes loose mode

Removes regular expression overrides of parameters

pillarjs/path-to-regexp@v7.1.0...v8.0.0

Support array inputs (again)

Added

Support array inputs for match and pathToRegexp 3fdd88f

pillarjs/path-to-regexp@v7.1.0...v7.2.0

... (truncated)

Commits

776c898 8.2.0
678756a Dumb down code for negate
e85fe27 Upgrade deps
5969033 Target ES2015
51dbd45 Remove s flag from regexp
df39d6c Append backtrack, ignore bench in coverage
d6c3658 Update express 4 compatibility guide
c302644 8.1.0
7b4598c Document stringify method
d6150f5 Add pathToRegexp method back
Additional commits viewable in compare view

Updates @nestjs/core from 9.3.9 to 11.1.3

Release notes

Sourced from @nestjs/core's releases.

v11.1.2 (2025-05-26)

Bug fixes

microservices

#15172 fix(microservices): support custom strategy in async usefactory config (@mag123c)

#15166 fix(microservice): prevent error logs during redis client shutdown (@janroker)

Dependencies

common

#15185 chore(deps): bump file-type from 20.5.0 to 21.0.0 (@dependabot[bot])

platform-express

#15159 chore(deps): bump multer from 1.4.5-lts.2 to 2.0.0 (@dependabot[bot])

Committers: 2

JaeHo Jang (@mag123c)

Jan Roček (@janroker)

v11.1.1 (2025-05-14)

Bug fixes

core

#15056 fix(core): HTTP adapter error mapping (@maxbronnikov10)

microservices

#15062 fix(microservices): ensure all redis and amqp client closes properly (@yatin166)

#15032 fix(microservices): ensure all the amqp connections are closed properly (@yatin166)

#15020 fix(microservices): ensure all redis connections are closed (@yatin166)

core, platform-fastify

#15061 fix(core): bring back getHeader and appendHeader methods from AbstractHttpAdapter (@micalevisk)

platform-express

#15010 feat: remove use of pipeline (@jmcdo29)

Enhancements

microservices

#14606 feat(microservices): add specific transport id to microservices (@maxbronnikov10)

#15057 feat(microservices): Allow custom exchangeType as string for plugin compatibility (@ChangmoKang)

#15072 feat(microservices): Add exchange arguments to RabbitMQ (@gapon2401)

Dependencies

platform-fastify

#15129 chore(deps): bump fastify from 5.3.2 to 5.3.3 (@dependabot[bot])

platform-ws

#15068 chore(deps): bump ws from 8.18.1 to 8.18.2 (@dependabot[bot])

common

#15029 chore(deps): bump file-type from 20.4.1 to 20.5.0 (@dependabot[bot])

Committers: 7

Antonio Tripodi (@Tony133)

Changmo Kang (Ryan) (@ChangmoKang)

Igor Gaponov (@gapon2401)

Jackie McDoniel (@jmcdo29)

... (truncated)

Commits

1613f50 chore(@nestjs) publish v11.1.3 release
521544c Merge pull request #15203 from isaryy/microservice-defer-init
1c4a20a feat(core): defer initialization connected microservice
b84c1fe fix(core): gracefully shutdown the app when repl exits
32b5feb chore(@nestjs) publish v11.1.2 release
f262812 chore: update package.json
2cccff1 chore(@nestjs) publish v11.1.1 release
7338c03 Merge pull request #15056 from maxbronnikov10/fix/http-adapter-error
fb3b12d fix(core): HTTP adapter error mapping
cb6080e refactor(core,platform-fastify): drop useless optional signature
Additional commits viewable in compare view

Updates @nestjs/platform-fastify from 9.3.9 to 11.1.2

Release notes

Sourced from @nestjs/platform-fastify's releases.

v11.1.2 (2025-05-26)

Bug fixes

microservices

#15172 fix(microservices): support custom strategy in async usefactory config (@mag123c)

#15166 fix(microservice): prevent error logs during redis client shutdown (@janroker)

Dependencies

common

#15185 chore(deps): bump file-type from 20.5.0 to 21.0.0 (@dependabot[bot])

platform-express

#15159 chore(deps): bump multer from 1.4.5-lts.2 to 2.0.0 (@dependabot[bot])

Committers: 2

JaeHo Jang (@mag123c)

Jan Roček (@janroker)

v11.1.1 (2025-05-14)

Bug fixes

core

#15056 fix(core): HTTP adapter error mapping (@maxbronnikov10)

microservices

#15062 fix(microservices): ensure all redis and amqp client closes properly (@yatin166)

#15032 fix(microservices): ensure all the amqp connections are closed properly (@yatin166)

#15020 fix(microservices): ensure all redis connections are closed (@yatin166)

core, platform-fastify

#15061 fix(core): bring back getHeader and appendHeader methods from AbstractHttpAdapter (@micalevisk)

platform-express

#15010 feat: remove use of pipeline (@jmcdo29)

Enhancements

microservices

#14606 feat(microservices): add specific transport id to microservices (@maxbronnikov10)

#15057 feat(microservices): Allow custom exchangeType as string for plugin compatibility (@ChangmoKang)

#15072 feat(microservices): Add exchange arguments to RabbitMQ (@gapon2401)

Dependencies

platform-fastify

#15129 chore(deps): bump fastify from 5.3.2 to 5.3.3 (@dependabot[bot])

platform-ws

#15068 chore(deps): bump ws from 8.18.1 to 8.18.2 (@dependabot[bot])

common

#15029 chore(deps): bump file-type from 20.4.1 to 20.5.0 (@dependabot[bot])

Committers: 7

Antonio Tripodi (@Tony133)

Changmo Kang (Ryan) (@ChangmoKang)

Igor Gaponov (@gapon2401)

Jackie McDoniel (@jmcdo29)

... (truncated)

Commits

32b5feb chore(@nestjs) publish v11.1.2 release
f262812 chore: update package.json
2cccff1 chore(@nestjs) publish v11.1.1 release
efd813d chore(deps): bump fastify from 5.3.2 to 5.3.3
cb6080e refactor(core,platform-fastify): drop useless optional signature
112450b chore(@nestjs) publish v11.1.0 release
729a9cd chore(@nestjs) publish v11.0.21 release
ed8df84 fix(deps): update dependency fastify to v5.3.2 [security]
929892a fix(deps): update dependency fastify to v5.3.1
d5bca88 chore(@nestjs) publish v11.0.20 release
Additional commits viewable in compare view

Updates @nestjs/swagger from 6.2.1 to 11.2.0

Release notes

Sourced from @nestjs/swagger's releases.

Release 11.2.0

11.2.0 (2025-05-05)

Enhancements

#3424 feat(document-builder): add support for setting extensions inside the info object (@daniseijo)

#3248 feat(swagger): add extension in SecuritySchemeObject (@mag123c)

Committers: 2

Daniel Seijo (@daniseijo)

JaeHo Jang (@mag123c)

Release 11.1.6

11.1.6 (2025-04-30)

Enhancements

#3423 feat(swagger-plugin): add skipDefaultValues option to omit unspecified default fields and corresponding test (@mag123c)

Committers: 1

JaeHo Jang (@mag123c)

Release 11.1.5

11.1.5 (2025-04-22)

Bug fixes

#3413 fix: type import syntax for ApiResponse in esmCompatible (@CatsMiaow)

Committers: 1

Meow (@CatsMiaow)

Release 11.1.4

What's Changed

feat(schema): add duplicate DTO detection in schema exploration by @Newbie012 in nestjs/swagger#3400

New Contributors

@Newbie012 made their first contribution in nestjs/swagger#3400

Full Changelog: nestjs/swagger@11.1.3...11.1.4

Release 11.1.3

11.1.3 (2025-04-14)

Bug fixes

#3399 fix: import handling for ESM compatibility (@CatsMiaow)

Dependencies

#3397 fix(deps): update dependency swagger-ui-dist to v5.21.0 (@renovate[bot])

Committers: 1

Meow (@CatsMiaow)

... (truncated)

Commits

e3f44bd chore(): release v11.2.0
2a4de7a Merge pull request #3424 from daniseijo/extensions-info-section
5943508 Merge pull request #3248 from mag123c/3179-security-scheme-extension
d4acd13 chore(deps): update dependency eslint-plugin-prettier to v5.3.1 (#3428)
592d617 chore(deps): update dependency release-it to v19.0.2 (#3427)
fb0ef34 chore(deps): update eslint monorepo to v9.26.0 (#3426)
a0c3ee2 chore(deps): update dependency class-validator to v0.14.2 (#3425)
9a0745e feat(document-builder): add support for setting extensions inside the info ob...
1f399f0 chore(): release v11.1.6
b7338cc Merge pull request #3417 from nestjs/renovate/cimg-node-22.x
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

…ify and @nestjs/swagger Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 8.2.0 and updates ancestor dependencies [path-to-regexp](https://github.com/pillarjs/path-to-regexp), [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core), [@nestjs/platform-fastify](https://github.com/nestjs/nest/tree/HEAD/packages/platform-fastify) and [@nestjs/swagger](https://github.com/nestjs/swagger). These dependencies need to be updated together. Updates `path-to-regexp` from 6.2.1 to 8.2.0 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](pillarjs/path-to-regexp@v6.2.1...v8.2.0) Updates `@nestjs/core` from 9.3.9 to 11.1.3 - [Release notes](https://github.com/nestjs/nest/releases) - [Commits](https://github.com/nestjs/nest/commits/v11.1.3/packages/core) Updates `@nestjs/platform-fastify` from 9.3.9 to 11.1.2 - [Release notes](https://github.com/nestjs/nest/releases) - [Commits](https://github.com/nestjs/nest/commits/v11.1.2/packages/platform-fastify) Updates `@nestjs/swagger` from 6.2.1 to 11.2.0 - [Release notes](https://github.com/nestjs/swagger/releases) - [Changelog](https://github.com/nestjs/swagger/blob/master/.release-it.json) - [Commits](nestjs/swagger@6.2.1...11.2.0) --- updated-dependencies: - dependency-name: path-to-regexp dependency-version: 8.2.0 dependency-type: indirect - dependency-name: "@nestjs/core" dependency-version: 11.1.3 dependency-type: direct:production - dependency-name: "@nestjs/platform-fastify" dependency-version: 11.1.2 dependency-type: direct:production - dependency-name: "@nestjs/swagger" dependency-version: 11.2.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>

TheRedHatter · 2025-06-06T06:58:08Z

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

prisma-cloud-devsecops

Prisma Cloud has found errors in this PR ⬇️

prisma-cloud-devsecops · 2025-06-06T06:58:23Z

package.json

-    "@nestjs/platform-fastify": "^9.3.9",
-    "@nestjs/swagger": "^6.2.1",
+    "@nestjs/platform-fastify": "^11.1.2",
+    "@nestjs/swagger": "^11.2.0",


@nestjs/swagger 11.2.0 / package.json

Total vulnerabilities: 1

Critical: 0 High: 1 Medium: 0 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-21538 HIGH 7.5 - Open

prisma-cloud-devsecops · 2025-06-06T06:58:23Z

package.json

    "@nestjs/mercurius": "^11.0.3",
-    "@nestjs/platform-fastify": "^9.3.9",
-    "@nestjs/swagger": "^6.2.1",
+    "@nestjs/platform-fastify": "^11.1.2",


@nestjs/platform-fastify 11.1.2 / package.json

Total vulnerabilities: 1

Critical: 0 High: 1 Medium: 0 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-21538 HIGH 7.5 - Open

prisma-cloud-devsecops · 2025-06-06T06:58:23Z

package.json

    "@mikro-orm/nestjs": "^4.3.1",
    "@mikro-orm/postgresql": "^4.5.10",
    "@mikro-orm/sql-highlighter": "^1.0.1",
    "@nestjs/common": "^9.3.9",


@nestjs/common 9.3.9 / package.json

Total vulnerabilities: 1

Critical: 0 High: 0 Medium: 1 Low: 0

Vulnerability ID Severity CVSS Fixed in Status

CVE-2024-29409 MEDIUM 5.5 10.4.16 Open

socket-security · 2025-06-06T06:58:46Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Quality
	@nestjs/schematics@7.3.1
	libxmljs@0.19.7
	@types/axios@0.14.0
	@types/raw-body@2.3.0
	has@1.0.3
	is-unicode-supported@0.1.0
	has-proto@1.0.1
	fastify-multipart@5.4.0
	gopd@1.0.1
	globalthis@1.0.3
	has-property-descriptors@1.0.0
	has-tostringtag@1.0.0
	define-properties@1.2.0
	functions-have-names@1.2.3
	is-negative-zero@2.0.2
	available-typed-arrays@1.0.7 ⏵ 1.0.5	⁺¹	^-3
	indent-string@4.0.0
	minimalistic-assert@1.0.1
	get-symbol-description@1.0.0
	is-date-object@1.0.5
	has-symbols@1.0.3
	is-shared-array-buffer@1.0.2
See 357 more rows in the dashboard

View full report

socket-security · 2025-06-06T06:58:47Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Warn		`[email protected]` has a Critical CVE. CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL) Affected versions: < 6.6.1 Patched version: 6.6.1 From: package-lock.json → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`[email protected]` has a Critical CVE. CVE: GHSA-mg49-jqgw-gcj6 libxmljs vulnerable to type confusion when parsing specially crafted XML (CRITICAL) Affected versions: <= 1.0.11 Patched version: No patched versions From: package-lock.json → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`[email protected]` has a Critical CVE. CVE: GHSA-6433-x5p4-8jc7 libxmljs vulnerable to type confusion when parsing specially crafted XML (CRITICAL) Affected versions: <= 1.0.11 Patched version: No patched versions From: package-lock.json → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`[email protected]` has a Critical CVE. CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 0.2.4 From: package-lock.json → `npm/@nestjs/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

semgrep-code-therredhatter · 2025-06-06T07:00:47Z

Semgrep found 1 ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f finding:

package-lock.json
- L10808 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10808.

Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541

Semgrep found 1 ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e finding:

package-lock.json
- L10808 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10808.

Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539

Semgrep found 1 ssc-37ae9e0a-cbf0-4910-8f73-04f2275899a6 finding:

package-lock.json
- L16326 - Triage

Risk: webpack 5.x before 5.76.0 is vulnerable to Improper Access Control due to ImportParserPlugin.js mishandling the magic comment feature. Due to this, webpack does not avoid cross-realm object access and an attacker who controls a property of an untrusted object can obtain access to the real global object.

Manual Review Advice: A vulnerability from this advisory is reachable if you host an application utilizing webpack and an attacker can control a property of an untrusted object

Fix: Upgrade this library to at least version 5.76.0 at brokencrystals/package-lock.json:16326.

Reference(s): GHSA-hc6q-2mpp-qw7j, CVE-2023-28154

semgrep-code-theredhatter · 2025-06-06T07:00:48Z

Semgrep found 1 ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f finding:

package-lock.json
- L10808 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10808.

Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541

Semgrep found 1 ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e finding:

package-lock.json
- L10808 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10808.

Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539

Semgrep found 1 ssc-37ae9e0a-cbf0-4910-8f73-04f2275899a6 finding:

package-lock.json
- L16326 - Triage

Risk: webpack 5.x before 5.76.0 is vulnerable to Improper Access Control due to ImportParserPlugin.js mishandling the magic comment feature. Due to this, webpack does not avoid cross-realm object access and an attacker who controls a property of an untrusted object can obtain access to the real global object.

Manual Review Advice: A vulnerability from this advisory is reachable if you host an application utilizing webpack and an attacker can control a property of an untrusted object

Fix: Upgrade this library to at least version 5.76.0 at brokencrystals/package-lock.json:16326.

Reference(s): GHSA-hc6q-2mpp-qw7j, CVE-2023-28154

TheRedHatter · 2025-06-06T07:11:25Z

Checkmarx One – Scan Summary & Details – ac5cf96c-2e6d-4b5e-b183-a815f692ddf2

New Issues (118)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2004-0989	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: Multiple buffer overflows in libXML prior to 2.6.15 (libxml2), may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 37nIi97GqM4J8zVwgJOR8ubWpn44yrwUW5S%2Bekuiaxc%3D` Vulnerable Package
CVE-2017-8872	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: The "htmlParseTryOrFinish" function in "HTMLparser.c" in libxml2 versions prior to 2.9.4 allows attackers to cause a denial of service (buffer ove... Attack Vector: NETWORK Attack Complexity: LOW `ID: iXLZ3cHCcvK20v95933iHR20THzaU0eRqaQG4yHVUNk%3D` Vulnerable Package
CVE-2021-44906	Npm-minimist-1.2.5	details Recommended version: 1.2.6 Description: Minimist through 1.2.5 is vulnerable to Prototype Pollution via file "index.js", function "setKey()" (lines 69-95). Attack Vector: NETWORK Attack Complexity: LOW `ID: Etlm86ayu9N25uIIfElHHmf4owe1IMTV9qr%2FGB%2BkY80%3D` Vulnerable Package
CVE-2022-39353	Npm-xmldom-0.6.0	details Description: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-fo... Attack Vector: NETWORK Attack Complexity: LOW `ID: Wt4V7QafYxR3j0tJmJUxVyE36A95k8iyn%2BBITEviAFI%3D` Vulnerable Package
CVE-2023-26136	Npm-tough-cookie-2.5.0	details Recommended version: 4.1.3 Description: The package tough-cookie in versions prior to 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4psYLIidtSYJXnGDVtIpxC%2FumJjo9lZSS5iKtQHxy2I%3D` Vulnerable Package
CVE-2023-28154	Npm-webpack-5.28.0	details Recommended version: 5.94.0 Description: Webpack 5.0.0-alpha.0 through 5.75.0 does not avoid cross-realm object access. ''ImportParserPlugin.js'' mishandles the magic comment feature. An a... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4wcobckBW37Ua8oF%2F6oqUPB8XfU6Vhj5kIzomV46sGg%3D` Vulnerable Package
CVE-2023-42282	Npm-ip-2.0.0	details Description: An issue in NPM ip package 0.0.2 through 2.0.1 allows an attacker to execute arbitrary code and obtain sensitive information via the "isPublic()" f... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2FslAAGMeDWecBnUZpF4Gy%2B467aFLhnLcEwWX3f7QQUE%3D` Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.5.4	details Recommended version: 6.6.1 Description: In the elliptic package, "ECDSA" signature malleability occurs because "BER-encoded" signatures are allowed which leads to Improper Verification of... Attack Vector: NETWORK Attack Complexity: LOW `ID: 535Q5hi4my48YWxPuilmoMTYo%2BBwtXOOXd2lb5NScKk%3D` Vulnerable Package
CVE-2024-48949	Npm-elliptic-6.5.4	details Recommended version: 6.6.1 Description: The verify function in "lib/elliptic/eddsa/index.js" in the Elliptic versions 4.0.0 through 6.5.5 for Node.js omits "sig.S().gte(sig.eddsa.curve.n)... Attack Vector: NETWORK Attack Complexity: LOW `ID: v3JpQpyL6K0y%2F4tmS4t7pjl0u4pXWEUT2mP07t8GVZM%3D` Vulnerable Package
Cx88b46a98-47a5	Npm-elliptic-6.5.4	details Recommended version: 6.6.1 Description: The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: bxNbivL3Qe5kPmosmocZnblQ5lCqtWsOO5ghXGNAOAU%3D` Vulnerable Package
CVE-2015-5312	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: The "xmlStringLenDecodeEntities" function in "parser.c" in libxml2 prior to 2.9.3 does not properly prevent entity expansion, which allows context-... Attack Vector: NETWORK Attack Complexity: MEDIUM `ID: Hz1Bcv5o6lBvaZfkKFHPalV%2BAyxtts8ylg4PW3u3uRY%3D` Vulnerable Package
CVE-2016-20018	Npm-knex-0.21.19	details Recommended version: 2.4.0 Description: Knex.js prior to 2.4.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query. Attack Vector: NETWORK Attack Complexity: LOW `ID: YiERqA3SnhFxvGQitjvSQsH31ScyXcIcGjbL41Y4cyA%3D` Vulnerable Package
CVE-2017-9048	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: libxml2 versions prior to v2.9.5-rc1 are vulnerable to a stack-based buffer overflow. The function "xmlSnprintfElementContent" in "valid.c" is supp... Attack Vector: NETWORK Attack Complexity: LOW `ID: PPzRUJTnTjb3%2FexSXJRU%2BZqg%2B85y70lO%2BfBpvIlG%2BB8%3D` Vulnerable Package
CVE-2018-14404	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: A NULL pointer dereference vulnerability exists in the "xpath.c:xmlXPathCompOpEval()" function of libxml2 through 2.9.8 when parsing an invalid XPa... Attack Vector: NETWORK Attack Complexity: LOW `ID: qjZ0orOlFUCKtlXIHBZ2eRL5nqnPdEHnf7AvcJXcyts%3D` Vulnerable Package
CVE-2021-3516	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: There's a flaw in libxml2's "xmllint" in versions prior to 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint coul... Attack Vector: LOCAL Attack Complexity: LOW `ID: AbXshwKq8pfI7EMfNEG4Y%2Bj9%2B7sJ2QSwpHfnHg750t4%3D` Vulnerable Package
CVE-2021-3517	Npm-libxmljs-0.19.7	details Recommended version: 0.19.8 Description: There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to ... Attack Vector: NETWORK Attack Complexity: LOW `ID: CWMgFtxBBvXcH7nXlOUxsas6CkFCfRAuqYsPNG5fhC8%3D` Vulnerable Package
CVE-2021-3518	Npm-libxmljs-0.19.7	details Recommended version: 0.19.8 Description: There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with... Attack Vector: NETWORK Attack Complexity: LOW `ID: u0VNZxG5mahZrIne2duKv8ymYmScGa1U8ugqJNT4QOk%3D` Vulnerable Package
CVE-2021-3803	Npm-nth-check-1.0.2	details Recommended version: 2.0.1 Description: nth-check prior to 2.0.1 is vulnerable to Inefficient Regular Expression Complexity Attack Vector: NETWORK Attack Complexity: LOW `ID: 7va7egTkIOkkToB3GGcVHKHvfiKITrf7GfTD8TA5uAc%3D` Vulnerable Package
CVE-2021-3807	Npm-ansi-regex-3.0.0	details Recommended version: 3.0.1 Description: The package ansi-regex versions 3.x prior to 3.0.1, 4.x prior to 4.1.1, 5.x prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Re... Attack Vector: NETWORK Attack Complexity: LOW `ID: FK7AkbUeQgZMliWI4a2X%2BPBFms2JQndM1JSVFUhRBaE%3D` Vulnerable Package
CVE-2021-3807	Npm-ansi-regex-2.1.1	details Recommended version: 3.0.1 Description: The package ansi-regex versions 3.x prior to 3.0.1, 4.x prior to 4.1.1, 5.x prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Re... Attack Vector: NETWORK Attack Complexity: LOW `ID: ZkChbVA5MdfwbQDQ3oVreMJER%2Bf74HlSXAHa%2FWSqGeQ%3D` Vulnerable Package
CVE-2022-0144	Npm-shelljs-0.8.4	details Recommended version: 0.8.5 Description: shelljs prior to 0.8.5 is vulnerable to Improper Privilege Management. Attack Vector: LOCAL Attack Complexity: LOW `ID: jdqgVfKON7nzuUGgU5HCzdaO7EASx2zP%2B8LQ3XDa5ek%3D` Vulnerable Package
CVE-2022-21144	Npm-libxmljs-0.19.7	details Recommended version: 0.19.8 Description: This affects versions prior to 0.19.8 of libxmljs package. When invoking the libxmljs.parseXml function with a non-buffer argument the V8 code will... Attack Vector: NETWORK Attack Complexity: LOW `ID: FS7OwTeg4qucgVhU1P5FUm3zq0PBCWGcGYhNsIokiTM%3D` Vulnerable Package
CVE-2022-23308	Npm-libxmljs-0.19.7	details Description: "valid.c" in libxml2 prior to 2.9.13 has a use-after-free of ID and IDREF attributes. Attack Vector: NETWORK Attack Complexity: LOW `ID: rv5jjrauhO%2FX602SJDwTes6weMxgbNJlZxC%2FKs6b4cY%3D` Vulnerable Package
CVE-2022-23539	Npm-jsonwebtoken-8.5.1	details Recommended version: 9.0.0 Description: Versions prior to 9.0.0 `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For e... Attack Vector: NETWORK Attack Complexity: LOW `ID: cMZALAlK3pLMjT9IvY0mgtCPR6lvucpL8rHlUXdcImM%3D` Vulnerable Package
CVE-2022-23540	Npm-jsonwebtoken-8.5.1	details Recommended version: 9.0.0 Description: Versions prior to 9.0.0 of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation byp... Attack Vector: NETWORK Attack Complexity: LOW `ID: USWhLoNCoDh6Ynp1Mu%2BgUkFR%2BaJF84jFbJC4Knhi7IE%3D` Vulnerable Package
CVE-2022-24999	Npm-qs-6.5.2	details Recommended version: 6.5.3 Description: The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application becau... Attack Vector: NETWORK Attack Complexity: LOW `ID: ASldHOUTMldFcULLfmMmQ46LluRaGjk3Alm7750AGCU%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-7.0.0	details Recommended version: 7.5.2 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 0cuPL7ZXy2RaNqceMg%2BOn4cknTPHCUoKyL0Go8zCa3k%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-7.3.5	details Recommended version: 7.5.2 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: oLeouBweHHMUnNm6YN3uY6IYsdYJIce5Z%2FxLH%2B9aPZc%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-5.7.1	details Recommended version: 5.7.2 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: xV7Z%2BnLGLMtecu8cop8e%2FU516BJ7pMQeoRvE5sfkVZc%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-6.3.0	details Recommended version: 6.3.1 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: YCGp8PDCQFJ9Ka%2F7ZyW1yec8ViVWxUhTflEUj3smMkY%3D` Vulnerable Package
CVE-2022-31129	Npm-moment-2.29.2	details Recommended version: 2.29.4 Description: moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an i... Attack Vector: NETWORK Attack Complexity: LOW `ID: LhUur3cVFAaV76O4WLUi64RqQGo4UsDqUl1mbPFIFeA%3D` Vulnerable Package
CVE-2022-3517	Npm-minimatch-3.0.4	details Recommended version: 3.0.5 Description: A vulnerability was found in the minimatch package versions prior to 3.0.5. This flaw allows a Regular Expression Denial of Service (ReDoS) when ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: 5CMRClkbMTv5dZvieuWhRN33qzvJpv3gAaVB4nEhdHk%3D` Vulnerable Package
CVE-2022-40303	Npm-libxmljs-0.19.7	details Description: An issue was discovered in libxml2 prior to 2.10.3. When parsing a multi-gigabyte XML document with the "XML_PARSE_HUGE" parser option enabled, sev... Attack Vector: NETWORK Attack Complexity: LOW `ID: SDuWDhlFFwUGGiwSopLjMoMiLiBk0nfw8cozXrphJPU%3D` Vulnerable Package
CVE-2022-40304	Npm-libxmljs-0.19.7	details Description: An issue was discovered in libxml2 prior to 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to sub... Attack Vector: LOCAL Attack Complexity: LOW `ID: lv7817Dk8VePUKuWMbcoA5C94MW3DMIW8bX9khSdnAw%3D` Vulnerable Package
CVE-2022-46175	Npm-json5-2.2.0	details Recommended version: 2.2.2 Description: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` met... Attack Vector: NETWORK Attack Complexity: LOW `ID: bxHRfFKa0koERiAeKX%2Bd6V0ji41FTBSg7W7F3XJ12SE%3D` Vulnerable Package
CVE-2023-26115	Npm-word-wrap-1.2.3	details Recommended version: 1.2.4 Description: Versions prior to 1.24 of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regu... Attack Vector: NETWORK Attack Complexity: LOW `ID: tG4SRFgk4Q0XiA5kc1TozFraOwlmcIhF0lENSvnHejg%3D` Vulnerable Package
CVE-2023-45133	Npm-@babel/traverse-7.16.3	details Recommended version: 7.23.2 Description: Babel is a compiler for writing JavaScript. In `@babel/traverse` versions prior to 7.23.2 and 8.0.x prior to 8.0.0-alpha.4, using Babel to compile ... Attack Vector: LOCAL Attack Complexity: LOW `ID: nTz7M8Zh9EvpNJ81Eeo6NzXxry%2FQuPtMaJe8ablOwIY%3D` Vulnerable Package
CVE-2024-21536	Npm-http-proxy-middleware-2.0.6	details Recommended version: 2.0.9 Description: The http-proxy-middleware versions through 2.0.7-beta.0 and 3.0.0-beta.0 through 3.0.2 are vulnerable to Denial of Service (DoS) due to an "Unhandl... Attack Vector: NETWORK Attack Complexity: LOW `ID: e6AskX7F9wNLTjdBCyRg2PtJ%2Bp%2B0RHrO5bNP%2BsbWnLk%3D` Vulnerable Package
CVE-2024-21538	Npm-cross-spawn-6.0.5	details Recommended version: 6.0.6 Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im... Attack Vector: NETWORK Attack Complexity: LOW `ID: bdPzE96tBRVUtTMJImu%2BdrzCJOux0F5ipMtBbnTmEus%3D` Vulnerable Package
CVE-2024-21538	Npm-cross-spawn-7.0.3	details Recommended version: 7.0.5 Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im... Attack Vector: NETWORK Attack Complexity: LOW `ID: U1%2BE4UL%2Fm1F37VWA%2B%2BPJgagY%2BxIT7HzWSSqvq9YCa0g%3D` Vulnerable Package
CVE-2024-29415	Npm-ip-2.0.0	details Description: The ip package 0.0.2 through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, a... Attack Vector: NETWORK Attack Complexity: HIGH `ID: IoCzW65m%2FcvxOe%2Bu7CasouXlPM97zj1fQZm14r6RjTw%3D` Vulnerable Package
CVE-2024-35220	Npm-@fastify/session-10.1.1	details Recommended version: 10.9.0 Description: The module @fastify/session is a session plugin for fastify that requires the @fastify/cookie plugin. When restoring the cookie from the session st... Attack Vector: NETWORK Attack Complexity: LOW `ID: bcPmOuro%2F6rFuS1WS%2FoY2UDbKYxormEKtZYo6YZKaXo%3D` Vulnerable Package
CVE-2024-37890	Npm-ws-8.12.1	details Recommended version: 8.17.1 Description: The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho... Attack Vector: NETWORK Attack Complexity: LOW `ID: clR%2FX81Ve04b6vAcs%2FWiOX29EhY63GaVJMMY95E3H0w%3D` Vulnerable Package
CVE-2024-37890	Npm-ws-8.12.0	details Recommended version: 8.17.1 Description: The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho... Attack Vector: NETWORK Attack Complexity: LOW `ID: THPv7UqYpyNxU7LmHGLjb3x7BAHcqfzmWYP2fXPXlxA%3D` Vulnerable Package
CVE-2024-37890	Npm-ws-7.5.9	details Recommended version: 7.5.10 Description: The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho... Attack Vector: NETWORK Attack Complexity: LOW `ID: zwdlzaRs1jCHuciPfE5c3FMqbVP%2F4EELKRQvnAl2LW8%3D` Vulnerable Package
CVE-2024-4068	Npm-braces-2.3.2	details Recommended version: 3.0.3 Description: The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In... Attack Vector: NETWORK Attack Complexity: LOW `ID: 5mxgtUgGyqjtJ2nMKkPPCcrUT3cUCvTHdbbTCbNczfE%3D` Vulnerable Package
CVE-2024-4068	Npm-braces-3.0.2	details Recommended version: 3.0.3 Description: The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In... Attack Vector: NETWORK Attack Complexity: LOW `ID: DcfoBt92PPLF6IrcCuJeGR%2Bw8Ayayq1nkAn7RSE0OW4%3D` Vulnerable Package
CVE-2024-45296	Npm-path-to-regexp-1.8.0	details Recommended version: 1.9.0 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW `ID: S5QXVSbVdORaxcBsvyy%2FDFlUakg4LEeSSHxYmeia2Gs%3D` Vulnerable Package
CVE-2024-52798	Npm-path-to-regexp-0.1.10	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW `ID: SLbowRuSaxbkPLTWmGhe%2BSX4YXwX4YO%2BnpYmrJFRL%2FI%3D` Vulnerable Package
CVE-2025-24033	Npm-@fastify/multipart-7.4.1	details Recommended version: 8.3.1 Description: The package @fastify/multipart is a Fastify plugin for parsing the multipart content-type. Prior to versions 8.3.1, and 9.0.x prior to 9.0.3, the `... Attack Vector: NETWORK Attack Complexity: LOW `ID: pV0%2FwIQ38KIrdex4LK0o6FZVW0rGHML2P613Icd2TCI%3D` Vulnerable Package
CVE-2025-27152	Npm-axios-0.26.1	details Recommended version: 0.30.0 Description: Axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to... Attack Vector: NETWORK Attack Complexity: LOW `ID: DrpjYcdweo6yYt5DdKiPgmZ%2F0krQNYeuZ%2BEtY4i7PHE%3D` Vulnerable Package
CVE-2025-27152	Npm-axios-0.21.4	details Recommended version: 0.30.0 Description: Axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to... Attack Vector: NETWORK Attack Complexity: LOW `ID: VD55HnIz2A5zHvf5Yiv4K1l3OeMLL7XVJOxZMgVUVeo%3D` Vulnerable Package
Cx10578cb2-c0fc	Npm-cypress-6.9.1	details Recommended version: 10.3.0 Description: The Cypress package in versions prior to 10.3.0 contains a memory leak in the "CdpAutomation" class that stores Data URLs as requests in the "pendi... Attack Vector: NETWORK Attack Complexity: LOW `ID: 1xEemLn1G%2BDuuVL9eV%2BwgMzOcRRUI9TYFKwb6%2F%2Fd2ac%3D` Vulnerable Package
Cx62f5bb1b-fa5e	Npm-moment-2.29.2	details Recommended version: 2.29.4 Description: A Regular Expression Denial of Service (ReDoS) in moment 2.18 through 2.29.3 makes the server unavailable when a specially crafted input is provide... Attack Vector: NETWORK Attack Complexity: LOW `ID: iTqV1IRfJQqlo9gUiCSFwWMIBWyXT0Y14AOKRDyuWLw%3D` Vulnerable Package
Cxc7705965-e0f0	Npm-@babel/core-7.12.3	details Recommended version: 7.18.6 Description: The @babel/core package versions prior to 7.18.6 were discovered to contain a memory leak vulnerability. Attack Vector: NETWORK Attack Complexity: LOW `ID: X0gNHa67oaVqHynANHeeuH08FNAge3AEeBTq%2BOpDBnM%3D` Vulnerable Package
Cxdca8e59f-8bfe	Npm-inflight-1.0.6	details Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the... Attack Vector: NETWORK Attack Complexity: LOW `ID: AjV%2Fa0LdvUdyQ0hrV0Vw0ZMRthh8ZkrV1eBuoJgU2aw%3D` Vulnerable Package
CVE-2018-14567	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: libxml2 prior to v2.9.9-rc1, if "--with-lzma" is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file ... Attack Vector: NETWORK Attack Complexity: LOW `ID: PtWAJMaiP5ihcr5hjnSIc1iZLmxEb3SiIMC121gN9W8%3D` Vulnerable Package
CVE-2018-9251	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: The "xz_decomp" function in "xzlib.c" in libxml2 prior to v2.9.9-rc1, if --with-lzma is used, allows remote attackers to cause a Denial of Service ... Attack Vector: NETWORK Attack Complexity: HIGH `ID: pe4VXg3TDAEdIFdY3XJxa9cTdNOvmMF1f2PiQFJVCms%3D` Vulnerable Package
CVE-2020-24977	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: GNOME project libxml2 prior to version 2.9.11 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at "libxml2/entities.c". Attack Vector: NETWORK Attack Complexity: LOW `ID: nEmnZwTK8KPoEQxA6l4frOKJT6mrhBtzIEaAZkQPidA%3D` Vulnerable Package
CVE-2021-32796	Npm-xmldom-0.6.0	details Description: The xmldom package is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom does not ... Attack Vector: NETWORK Attack Complexity: LOW `ID: oNGXWRs47Jq%2FEc6BBJWc4FonRlGIMQBD99Jr%2BWUmy3w%3D` Vulnerable Package
CVE-2021-3537	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: A vulnerability found in libxml2 in versions prior to 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL... Attack Vector: NETWORK Attack Complexity: HIGH `ID: j%2FovoJdGbJr8yLHgv37UA5lAt%2BZMvO2ovKSLK4Ma01U%3D` Vulnerable Package
CVE-2021-3541	Npm-libxmljs-0.19.7	details Recommended version: 1.0.0 Description: A flaw was found in libxml2 before 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leadin... Attack Vector: NETWORK Attack Complexity: LOW `ID: zJO5lJ3gy1Rl54dV0OKjZoKcr9uc0uNlmRBU0ksPNEs%3D` Vulnerable Package
CVE-2022-23541	Npm-jsonwebtoken-8.5.1	details Recommended version: 9.0.0 Description: jsonwebtoken is an implementation of JSON Web Tokens. Versions prior to 9.0.0 of `jsonwebtoken` library can be misconfigured so that passing a poor... Attack Vector: NETWORK Attack Complexity: LOW `ID: tmSoVFm4p97LP7Ky%2Fjz%2FfoxCDpdB9pg8iU9zrPVIAnM%3D` Vulnerable Package
CVE-2022-29622	Npm-formidable-2.1.2	details Recommended version: 2.1.3 Description: An arbitrary file upload vulnerability in formidable versions prior to 3.2.4, allows attackers to execute arbitrary code via a crafted "filename". ... Attack Vector: NETWORK Attack Complexity: HIGH `ID: VI1RI%2Bafc3NfPjR5xYfVyZggfTv3SwnlXmwnXbHoeKQ%3D` Vulnerable Package
CVE-2022-29824	Npm-libxmljs-0.19.7	details Description: In libxml2 prior to 2.9.14, several buffer handling functions in "buf.c" (xmlBuf) and tree.c (xmlBuffer) don't check for integer overflows. This ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4bRjzhNlc8fVzUA3AqMQeesRVt7O9OV6WpaBjuj1RGM%3D` Vulnerable Package
CVE-2022-36313	Npm-file-type-16.5.3	details Recommended version: 16.5.4 Description: An issue was discovered in the file-type package versions prior to 16.5.4 and 17.0.x prior to 17.1.3 for "Node.js". A malformed MKV file could caus... Attack Vector: LOCAL Attack Complexity: LOW `ID: MMuMyVhEUMwGoqBN3VBoqoPirq1M6nTklNKmz2jrxz8%3D` Vulnerable Package
CVE-2023-26144	Npm-graphql-16.6.0	details Recommended version: 16.8.1 Description: The package graphql is in version 16.3.x prior to 16.8.1, and 17.0.x prior to 17.0.0-alpha.3 are vulnerable to Denial of Service (DoS) due to insuf... Attack Vector: NETWORK Attack Complexity: LOW `ID: vvwLT76QTk3fAgjI9ZL5L30ZGnwPhHsWceo20Dk8m9Q%3D` Vulnerable Package
CVE-2023-26159	Npm-follow-redirects-1.14.8	details Recommended version: 1.15.6 Description: The package follow-redirects versions prior to 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the "url.... Attack Vector: NETWORK Attack Complexity: LOW `ID: SyGbQ2og7s3mPDWpRbi1SXq4HTOfeOm3mMtV22U0D9E%3D` Vulnerable Package
CVE-2023-28155	Npm-request-2.88.2	details Description: The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-c... Attack Vector: NETWORK Attack Complexity: LOW `ID: gUZSmbyG1Tq6wcLr6XVD8NSUL8sivpjDeKZfQFrldxo%3D` Vulnerable Package
CVE-2023-28155	Npm-@cypress/request-2.88.10	details Recommended version: 3.0.0 Description: The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-c... Attack Vector: NETWORK Attack Complexity: LOW `ID: IrJ1w%2BnzpiOwPdZDKvS%2FxibTfSQ08ylQW3tcSVVB0IA%3D` Vulnerable Package
CVE-2023-28484	Npm-libxmljs-0.19.7	details Description: In libxml2 versions prior to 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL Pointer Dereference and subsequently a segfault. Thi... Attack Vector: NETWORK Attack Complexity: LOW `ID: DctebZJ6Y6anY0Cazn%2BUeYYWZY6INpagPRmF1qFOSJs%3D` Vulnerable Package
CVE-2023-29469	Npm-libxmljs-0.19.7	details Description: An issue was discovered in libxml2 in versions prior to 2.10.4. When hashing empty dict strings in a crafted XML document, "xmlDictComputeFastKey" ... Attack Vector: NETWORK Attack Complexity: LOW `ID: IBX9VMBT%2ByoqCHRtOQ64LtLaEhmGbYETde%2FAaE9G%2BGA%3D` Vulnerable Package
CVE-2023-44270	Npm-postcss-7.0.39	details Recommended version: 8.4.31 Description: An issue was discovered in postcss versions prior to 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An at... Attack Vector: NETWORK Attack Complexity: LOW `ID: IBJaPriyfkQum346sWE8LvLHR5eizUbnNRiz%2FD9O93I%3D` Vulnerable Package
CVE-2023-45857	Npm-axios-0.21.4	details Recommended version: 0.30.0 Description: An issue discovered in Axios, inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN f... Attack Vector: NETWORK Attack Complexity: LOW `ID: fpw6k9u1%2BE5jbPuaUfpLdXzXFE2UsRM32xXfBvNHKhg%3D` Vulnerable Package
CVE-2023-45857	Npm-axios-0.26.1	details Recommended version: 0.30.0 Description: An issue discovered in Axios, inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN f... Attack Vector: NETWORK Attack Complexity: LOW `ID: n%2FWKj4WiS1A4Q8YreIuhtyQFw2wphtYj1nbEE0on36c%3D` Vulnerable Package
CVE-2024-11831	Npm-serialize-javascript-6.0.1	details Recommended version: 6.0.2 Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i... Attack Vector: NETWORK Attack Complexity: LOW `ID: KsbNzE5r4u49z0D6jLZF35twEbqq1mNX9i7ESXtFD3k%3D` Vulnerable Package
CVE-2024-11831	Npm-serialize-javascript-4.0.0	details Recommended version: 6.0.2 Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i... Attack Vector: NETWORK Attack Complexity: LOW `ID: tk%2F%2BSACUk1uYKru4IN%2BG1PUFVCH2kU7s5mfcxwtce0M%3D` Vulnerable Package
CVE-2024-24758	Npm-undici-5.21.0	details Recommended version: 5.29.0 Description: Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not... Attack Vector: NETWORK Attack Complexity: LOW `ID: 13muANBRFNYHk6JhF8nmmrhqIdDFJUsZJMzg%2F2nDK3Q%3D` Vulnerable Package
CVE-2024-28176	Npm-jose-4.13.1	details Recommended version: 4.15.5 Description: The package jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JW... Attack Vector: NETWORK Attack Complexity: LOW `ID: smpMO23%2BdhnBKg5dnyzYTG%2FOCS5Wu6HC0SfhURpY9e8%3D` Vulnerable Package
CVE-2024-28849	Npm-follow-redirects-1.14.8	details Recommended version: 1.15.6 Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected ver... Attack Vector: NETWORK Attack Complexity: LOW `ID: GqL4F6hIEMBCghOzddpuec21RsD6WSQlXPi2A9e%2F1s0%3D` Vulnerable Package
CVE-2024-28849	Npm-follow-redirects-1.15.4	details Recommended version: 1.15.6 Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected ver... Attack Vector: NETWORK Attack Complexity: LOW `ID: RzM5Jw93qlPRZGXv%2FUkcXd4ISCcqcR534%2F8VpkPsqvg%3D` Vulnerable Package
CVE-2024-28863	Npm-tar-4.4.19	details Recommended version: 6.2.1 Description: node-tar is a Tar for Node.js. tar versions prior to 6.2.1 have no limit on the number of sub-folders created in the folder creation process. An at... Attack Vector: NETWORK Attack Complexity: LOW `ID: H%2F9Z8yYHpya9P2ORogBQXM4QJlUGBTOy6CBXGnxuMVs%3D` Vulnerable Package
CVE-2024-28863	Npm-tar-6.1.13	details Recommended version: 6.2.1 Description: node-tar is a Tar for Node.js. tar versions prior to 6.2.1 have no limit on the number of sub-folders created in the folder creation process. An at... Attack Vector: NETWORK Attack Complexity: LOW `ID: w1ku18C0588MHq5PYzHYHTiyuFAptWFCy65VBUpx6fg%3D` Vulnerable Package

More results are available on the CxOne platform

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 6, 2025

prisma-cloud-devsecops bot reviewed Jun 6, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps): bump path-to-regexp, @nestjs/core, @nestjs/platform-fastify and @nestjs/swagger #210

build(deps): bump path-to-regexp, @nestjs/core, @nestjs/platform-fastify and @nestjs/swagger #210

Uh oh!

dependabot bot commented on behalf of github Jun 6, 2025

Uh oh!

TheRedHatter commented Jun 6, 2025 •

edited

Loading

Uh oh!

prisma-cloud-devsecops bot left a comment

Uh oh!

prisma-cloud-devsecops bot Jun 6, 2025

Uh oh!

prisma-cloud-devsecops bot Jun 6, 2025

Uh oh!

prisma-cloud-devsecops bot Jun 6, 2025

Uh oh!

socket-security bot commented Jun 6, 2025

Uh oh!

socket-security bot commented Jun 6, 2025

Uh oh!

semgrep-code-therredhatter bot commented Jun 6, 2025

Uh oh!

semgrep-code-theredhatter bot commented Jun 6, 2025

Uh oh!

TheRedHatter commented Jun 6, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

build(deps): bump path-to-regexp, @nestjs/core, @nestjs/platform-fastify and @nestjs/swagger #210

Are you sure you want to change the base?

build(deps): bump path-to-regexp, @nestjs/core, @nestjs/platform-fastify and @nestjs/swagger #210

Uh oh!

Conversation

dependabot bot commented on behalf of github Jun 6, 2025

8.2.0

v8.1.0

Simpler API

Support array inputs (again)

v11.1.2 (2025-05-26)

Bug fixes

Dependencies

Committers: 2

v11.1.1 (2025-05-14)

Bug fixes

Enhancements

Dependencies

Committers: 7

v11.1.2 (2025-05-26)

Bug fixes

Dependencies

Committers: 2

v11.1.1 (2025-05-14)

Bug fixes

Enhancements

Dependencies

Committers: 7

Release 11.2.0

11.2.0 (2025-05-05)

Enhancements

Committers: 2

Release 11.1.6

11.1.6 (2025-04-30)

Enhancements

Committers: 1

Release 11.1.5

11.1.5 (2025-04-22)

Bug fixes

Committers: 1

Release 11.1.4

What's Changed

New Contributors

Release 11.1.3

11.1.3 (2025-04-14)

Bug fixes

Dependencies

Committers: 1

Uh oh!

TheRedHatter commented Jun 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🎉 Snyk checks have passed. No issues have been found so far.

Uh oh!

prisma-cloud-devsecops bot left a comment

Choose a reason for hiding this comment

Uh oh!

prisma-cloud-devsecops bot Jun 6, 2025

Choose a reason for hiding this comment

@nestjs/swagger 11.2.0 / package.json

Total vulnerabilities: 1

Uh oh!

prisma-cloud-devsecops bot Jun 6, 2025

Choose a reason for hiding this comment

@nestjs/platform-fastify 11.1.2 / package.json

Total vulnerabilities: 1

Uh oh!

prisma-cloud-devsecops bot Jun 6, 2025

Choose a reason for hiding this comment

@nestjs/common 9.3.9 / package.json

Total vulnerabilities: 1

Uh oh!

socket-security bot commented Jun 6, 2025

Uh oh!

socket-security bot commented Jun 6, 2025

Uh oh!

semgrep-code-therredhatter bot commented Jun 6, 2025

Uh oh!

semgrep-code-theredhatter bot commented Jun 6, 2025

Uh oh!

TheRedHatter commented Jun 6, 2025

TheRedHatter commented Jun 6, 2025 •

edited

Loading