
fix(deps): vuln minor upgrades — 14 packages (minor: 5 · patch: 9) [pkg/fanal] #39

Open

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/fanal/4-1776941448

Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • pkg/fanal (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| fast-xml-parser | 4.5.1 | 4.5.6 | patch | Direct | 2 CRITICAL, 4 HIGH, 3 MODERATE, 2 LOW |
| path-to-regexp | 0.1.7 | 0.1.13 | patch | Direct | 5 HIGH |
| rollup | 2.70.1 | 2.80.0 | minor | Direct | 4 HIGH |
| lodash | 4.17.20 | 4.18.1 | minor | Direct | 3 HIGH, 5 MODERATE |
| qs | 6.5.2 | 6.5.5 | patch | Direct | 2 HIGH, 2 MODERATE |
| body-parser | 1.18.3 | 1.20.4 | minor | Direct | 2 HIGH |
| playwright | 1.49.1 | 1.59.1 | minor | Direct | 2 HIGH |
| nanoid | 3.3.6 | 3.3.11 | patch | Direct | 2 MODERATE |
| postcss | 8.4.27 | 8.4.49 | patch | Direct | 2 MODERATE |
| pug | 3.0.2 | 3.0.4 | patch | Direct | 2 MODERATE |
| esbuild | 0.24.0 | 0.24.2 | patch | Direct | 1 MODERATE |
| hbs | 4.0.1 | 4.0.6 | patch | Direct | 1 MODERATE |
| serve-static | 1.13.2 | 1.16.3 | minor | Direct | 2 LOW |
| diff | 5.2.0 | 5.2.2 | patch | Direct | 2 LOW |

Security Details

🚨 Critical & High Severity (26 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| fast-xml-parser | GHSA-m7jm-9gc2-mpf2 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.5.1 | 5.3.5 |
| fast-xml-parser | CVE-2026-25896 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.5.1 | - |
| body-parser | CVE-2024-45590 | HIGH | body-parser vulnerable to denial of service when url encoding is enabled | 1.18.3 | - |
| body-parser | GHSA-qwcr-r2fm-qrc7 | HIGH | body-parser vulnerable to denial of service when url encoding is enabled | 1.18.3 | 1.20.3 |
| fast-xml-parser | GHSA-jmr7-xgp7-cmfj | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.5.1 | 4.5.4 |
| fast-xml-parser | CVE-2026-26278 | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.5.1 | - |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.5.1 | - |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.5.1 | 5.5.6 |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.20 | 4.18.0 |
| lodash | CVE-2021-23337 | HIGH | - | 4.17.20 | - |
| lodash | GHSA-35jh-r3h4-6jhm | HIGH | Command Injection in lodash | 4.17.20 | 4.17.21 |
| path-to-regexp | GHSA-rhx6-c78j-4q9w | HIGH | path-to-regexp contains a ReDoS | 0.1.7 | 0.1.12 |
| path-to-regexp | CVE-2024-45296 | HIGH | path-to-regexp outputs backtracking regular expressions | 0.1.7 | - |
| path-to-regexp | GHSA-9wv6-86v2-598j | HIGH | path-to-regexp outputs backtracking regular expressions | 0.1.7 | 1.9.0 |
| path-to-regexp | CVE-2024-52798 | HIGH | path-to-regexp Unpatched path-to-regexp ReDoS in 0.1.x | 0.1.7 | - |
| path-to-regexp | GHSA-37ch-88jc-xwx2 | HIGH | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters | 0.1.7 | 0.1.13 |
| playwright | GHSA-7mvr-c777-76hp | HIGH | Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate | 1.49.1 | 1.55.1 |
| playwright | CVE-2025-59288 | HIGH | - | 1.49.1 | - |
| qs | CVE-2022-24999 | HIGH | - | 6.5.2 | - |
| qs | GHSA-hrpp-h998-j3pp | HIGH | qs vulnerable to Prototype Pollution | 6.5.2 | 6.10.3 |
| rollup | CVE-2024-47068 | HIGH | DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS | 2.70.1 | - |
| rollup | GHSA-gcx4-mw62-g8wm | HIGH | DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS | 2.70.1 | 3.29.5 |
| rollup | CVE-2026-27606 | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 2.70.1 | - |
| rollup | GHSA-mw96-cpmx-2vgc | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 2.70.1 | 2.80.0 |
ℹ️ Other Vulnerabilities (26)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| esbuild | GHSA-67mh-4wv8-2f99 | MODERATE | esbuild enables any website to send any requests to the development server and read the response | 0.24.0 | 0.25.0 |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 4.5.1 | 4.5.5 |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 4.5.1 | 5.7.0 |
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 4.5.1 | - |
| hbs | GHSA-7f5c-rpf4-86p8 | MODERATE | Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs | 4.0.1 | - |
| lodash | GHSA-29mw-wpgm-hmr9 | MODERATE | Regular Expression Denial of Service (ReDoS) in lodash | 4.17.20 | 4.17.21 |
| lodash | CVE-2020-28500 | MODERATE | - | 4.17.20 | - |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.20 | 4.18.0 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.20 | - |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.20 | 4.17.23 |
| nanoid | CVE-2024-55565 | MODERATE | - | 3.3.6 | - |
| nanoid | GHSA-mwcw-c2x4-8c55 | MODERATE | Predictable results in nanoid generation when given non-integer values | 3.3.6 | 5.0.9 |
| postcss | CVE-2023-44270 | MODERATE | - | 8.4.27 | - |
| postcss | GHSA-7fh5-64p2-3v2j | MODERATE | PostCSS line return parsing error | 8.4.27 | 8.4.31 |
| pug | CVE-2024-36361 | MODERATE | - | 3.0.2 | - |
| pug | GHSA-3965-hpx2-q597 | MODERATE | Pug allows JavaScript code execution if an application accepts untrusted input | 3.0.2 | 3.0.3 |
| qs | CVE-2025-15284 | MODERATE | - | 6.5.2 | - |
| qs | GHSA-6rw7-vpxm-498p | MODERATE | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion | 6.5.2 | 6.14.1 |
| diff | CVE-2026-24001 | LOW | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | 5.2.0 | - |
| diff | GHSA-73rr-hh4g-fpgx | LOW | jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch | 5.2.0 | 8.0.3 |
| fast-xml-parser | CVE-2026-27942 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.5.1 | - |
| fast-xml-parser | GHSA-fj3w-jwp8-x2g3 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.5.1 | 5.3.8 |
| serve-static | CVE-2024-43800 | LOW | serve-static affected by template injection that can lead to XSS | 1.13.2 | - |
| serve-static | GHSA-cm22-4g7w-348p | LOW | serve-static vulnerable to template injection that can lead to XSS | 1.13.2 | 1.16.0 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System
