Your dependencies cross-checked against the OSV vulnerability database.
-
Serious GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-27699). Fix: Update that package to its patched version.
-
Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
-
Serious GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2025-7783). Fix: Update that package to its patched version.
-
Serious GHSA-248r-7h7q-cr24 vm2 Has a Sandbox Breakout Using Async Generator
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-45411). Fix: Update that package to its patched version.
-
Serious GHSA-47x8-96vw-5wg6 vm2 Access to Host Object Enables Sandbox Escape
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-43997). Fix: Update that package to its patched version.
-
Serious GHSA-55hx-c926-fr95 VM2 Has a Sandbox Escape Issue via SuppressedError
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-26332). Fix: Update that package to its patched version.
-
Serious GHSA-6j2x-vhqr-qr7q vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-47210). Fix: Update that package to its patched version.
-
Serious GHSA-76w7-j9cq-rx2j vm2 is Vulnerable to Sandbox Breakout Through Promise Species
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-47208). Fix: Update that package to its patched version.
-
Serious GHSA-8hg8-63c5-gwmx vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-44007). Fix: Update that package to its patched version.
-
Serious GHSA-99p7-6v5w-7xg8 vm2 has a Sandbox Escape
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-22709). Fix: Update that package to its patched version.
-
Serious GHSA-9qj6-qjgg-37qq vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-44008). Fix: Update that package to its patched version.
-
Serious GHSA-9vg3-4rfj-wgcm vm2 has Sandbox Breakout Through Null Proto Exception
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-44009). Fix: Update that package to its patched version.
-
Serious GHSA-cchq-frgv-rjh5 vm2 Sandbox Escape vulnerability
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2023-37466). Fix: Update that package to its patched version.
-
Serious GHSA-ffh4-j6h5-pg66 VM2 Has a WASM Sandbox Escape
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-26956). Fix: Update that package to its patched version.
-
Serious GHSA-g644-9gfx-q4q4 vm2 Sandbox Escape vulnerability
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2023-37903). Fix: Update that package to its patched version.
-
Serious GHSA-grj5-jjm8-h35p VM2 Sandbox Breakout Through __lookupGetter__
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-24118). Fix: Update that package to its patched version.
-
Serious GHSA-m4wx-m65x-ghrr vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-47137). Fix: Update that package to its patched version.
-
Serious GHSA-qcp4-v2jj-fjx8 vm2 has a Sandbox Escape Vulnerability
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-44006). Fix: Update that package to its patched version.
-
Serious GHSA-qvjj-29qf-hp7p VM2 Has Sandbox Breakout Through Promise Species
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-24120). Fix: Update that package to its patched version.
-
Serious GHSA-rp36-8xq3-r6c4 NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-47140). Fix: Update that package to its patched version.
-
Serious GHSA-v37h-5mfm-c47c VM2 Has Sandbox Breakout Through Inspect Function
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-24781). Fix: Update that package to its patched version.
-
Serious GHSA-v6mx-mf47-r5wg vm2 has a Sandbox Escape issue
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-47131). Fix: Update that package to its patched version.
-
Serious GHSA-vwrp-x96c-mhwq vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-44005). Fix: Update that package to its patched version.
-
Worth fixing GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2025-27789). Fix: Update that package to its patched version.
-
Worth fixing GHSA-fv7c-fp4j-7gwp @babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
/workdirs/scan-2ba84c8b-5dc5-43e3-96f4-f1907ef5cb2d/package-lock.json
A package you depend on has a known security hole (CVE-2026-44728). Fix: Update that package to its patched version.