Your dependencies cross-checked against the OSV vulnerability database.
-
Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
-
Worth fixing GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-69873). Fix: Update that package to its patched version.
-
Worth fixing GHSA-hmw2-7cc7-3qxx form-data: CRLF injection in form-data via unescaped multipart field names and filenames
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-12143). Fix: Update that package to its patched version.
-
Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
-
Worth fixing GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-64718). Fix: Update that package to its patched version.
-
Worth fixing GHSA-h67p-54hq-rp68 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-53550). Fix: Update that package to its patched version.
-
Worth fixing GHSA-mh29-5h37-fv8m js-yaml has prototype pollution in merge (<<)
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-64718). Fix: Update that package to its patched version.
-
Worth fixing GHSA-869p-cjfg-cm3x auth0/node-jws Improperly Verifies HMAC Signature
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-65945). Fix: Update that package to its patched version.
-
Worth fixing GHSA-22p9-wv53-3rq4 LinkifyIt#match scan loop has quadratic algorithmic complexity
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-48801). Fix: Update that package to its patched version.
-
Worth fixing GHSA-38c4-r59v-3vqw markdown-it is has a Regular Expression Denial of Service (ReDoS)
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-2327). Fix: Update that package to its patched version.
-
Worth fixing GHSA-6v5v-wf23-fmfq markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-48988). Fix: Update that package to its patched version.
-
Worth fixing GHSA-6rw7-vpxm-498p qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-15284). Fix: Update that package to its patched version.
-
Worth fixing GHSA-q8mj-m7cp-5q26 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-8723). Fix: Update that package to its patched version.
-
Worth fixing GHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole. Fix: Update that package to its patched version.
-
Worth fixing GHSA-qj8w-gfj5-8c6v Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-34043). Fix: Update that package to its patched version.
-
Worth fixing GHSA-8cj5-5rvv-wf4v tar-fs can extract outside the specified dir with a specific tarball
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-48387). Fix: Update that package to its patched version.
-
Worth fixing GHSA-vj76-c3g6-qr5v tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-59343). Fix: Update that package to its patched version.
-
Worth fixing GHSA-ph9p-34f9-6g65 tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-44705). Fix: Update that package to its patched version.
-
Worth fixing GHSA-qpx9-hpmf-5gmw Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-27601). Fix: Update that package to its patched version.
-
Worth fixing GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
-
Worth fixing GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
-
Worth fixing GHSA-w5hq-g745-h8pq uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-41907). Fix: Update that package to its patched version.
-
Minor GHSA-73rr-hh4g-fpgx jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-24001). Fix: Update that package to its patched version.
-
Minor GHSA-w7fw-mjwx-w883 qs's arrayLimit bypass in comma parsing allows denial of service
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2026-2391). Fix: Update that package to its patched version.
-
Minor GHSA-52f5-9888-hmc6 tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
/workdirs/scan-b8bbd42b-30c7-41b9-8c22-fa1223e206e6/package-lock.json
A package you depend on has a known security hole (CVE-2025-54798). Fix: Update that package to its patched version.