
fix(security): Bump packages that can be bumped without breakage.#489

Merged
cafuego merged 1 commit into dev from cafuego/HID-2444-prod-deploy-2026-01 on Jan 7, 2026

Conversation

@cafuego (Contributor) commented Jan 7, 2026

```
$ npm audit

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob

nodemailer  <=7.0.10
Severity: moderate
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict - https://github.com/advisories/GHSA-mm7p-fcc7-pg87
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls - https://github.com/advisories/GHSA-rcmh-qjqh-p98v
Nodemailer is vulnerable to DoS through Uncontrolled Recursion - https://github.com/advisories/GHSA-46j5-6fg5-4gv3
fix available via `npm audit fix --force`
Will install email-templates@13.0.1, which is a breaking change
node_modules/email-templates/node_modules/nodemailer
node_modules/mailparser/node_modules/nodemailer
node_modules/preview-email/node_modules/nodemailer
  email-templates  >=3.0.0
  Depends on vulnerable versions of nodemailer
  Depends on vulnerable versions of preview-email
  node_modules/email-templates
  mailparser  2.3.1 - 3.9.0
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  preview-email  *
  Depends on vulnerable versions of nodemailer
  node_modules/preview-email

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
No fix available
node_modules/request/node_modules/qs
  request  *
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of tough-cookie
  node_modules/request
    recaptcha2  *
    Depends on vulnerable versions of request
    node_modules/recaptcha2

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
No fix available
node_modules/tmp
  useragent  *
  Depends on vulnerable versions of tmp
  node_modules/useragent
    @hapi/scooter  *
    Depends on vulnerable versions of useragent
    node_modules/@hapi/scooter

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

validator  <=13.15.20
Severity: high
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
validator.js has a URL validation bypass vulnerability in its isURL function - https://github.com/advisories/GHSA-9965-vmph-33xx
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - https://github.com/advisories/GHSA-vghf-hv5q-vc2g
fix available via `npm audit fix --force`
Will install mongoose-validator@1.3.1, which is a breaking change
node_modules/mongoose-validator/node_modules/validator
  mongoose-validator  <=1.2.6 || >=1.3.2
  Depends on vulnerable versions of validator
  node_modules/mongoose-validator

14 vulnerabilities (4 low, 5 moderate, 5 high)

$ npm audit fix

...

12 vulnerabilities (3 low, 5 moderate, 4 high)
```

Refs: HID-2444
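Added example, not code from the PR or the project: a triage of `npm audit --json` output into the three outcomes the audit above reports (fixable by plain `npm audit fix`, fixable only through a breaking bump that needs `--force`, and no fix available), so a CI gate can judge what remains after the safe bumps rather than the raw count. It assumes the auditReportVersion 2 shape, where `fixAvailable` is `true`, `false`, or an object carrying `isSemVerMajor`; the sample report is constructed to mirror the findings in the PR description.

```javascript
// Added example (not code from the PR or the project): triage an `npm audit --json`
// report (auditReportVersion 2) into the buckets the PR description separates: fixable
// by plain `npm audit fix`, fixable only via a semver-major bump (`--force`), no fix.
// Assumed shape: vulnerabilities[name].fixAvailable is true, false or { name, version, isSemVerMajor }.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triageAudit(report) {
  const buckets = { safe: [], breaking: [], unfixable: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    const entry = { name, severity: v.severity, range: v.range };
    if (!fix) {
      buckets.unfixable.push(entry);                                   // "No fix available"
    } else if (fix === true || !fix.isSemVerMajor) {
      buckets.safe.push(entry);                                        // plain `npm audit fix`
    } else {
      buckets.breaking.push({ ...entry, via: `${fix.name}@${fix.version}` }); // needs --force
    }
  }
  // Most severe first within each bucket, then by name.
  for (const b of Object.values(buckets)) {
    b.sort((a, c) => SEVERITY_RANK[c.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(c.name));
  }
  return buckets;
}

// Highest severity a non-breaking `npm audit fix` leaves behind: the value a CI gate should threshold on.
function worstRemaining(buckets) {
  let worst = null;
  for (const e of [...buckets.breaking, ...buckets.unfixable]) {
    if (worst === null || SEVERITY_RANK[e.severity] > SEVERITY_RANK[worst]) worst = e.severity;
  }
  return worst;
}

// Constructed sample mirroring the PR description (not real npm output; the severity
// of tmp is assumed, since the pasted output does not show one for it).
const SAMPLE_REPORT = {
  vulnerabilities: {
    glob: { name: 'glob', severity: 'high', range: '10.2.0 - 10.4.5', fixAvailable: true },
    nodemailer: { name: 'nodemailer', severity: 'moderate', range: '<=7.0.10',
      fixAvailable: { name: 'email-templates', version: '13.0.1', isSemVerMajor: true } },
    qs: { name: 'qs', severity: 'high', range: '<6.14.1', fixAvailable: false },
    tmp: { name: 'tmp', severity: 'low', range: '<=0.2.3', fixAvailable: false },
    'tough-cookie': { name: 'tough-cookie', severity: 'moderate', range: '<4.1.3', fixAvailable: false },
    validator: { name: 'validator', severity: 'high', range: '<=13.15.20',
      fixAvailable: { name: 'mongoose-validator', version: '1.3.1', isSemVerMajor: true } },
  },
};
```

Feed it the real report with `node -e` over `npm audit --json` output and the `breaking` and `unfixable` buckets are exactly the items that survive a plain `npm audit fix`, as in the 14 to 12 result above.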

```
$ npm audit

glob  10.2.0 - 10.4.5
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/glob
node_modules/jest-config/node_modules/glob
node_modules/jest-runtime/node_modules/glob

nodemailer  <=7.0.10
Severity: moderate
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict - GHSA-mm7p-fcc7-pg87
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls - GHSA-rcmh-qjqh-p98v
Nodemailer is vulnerable to DoS through Uncontrolled Recursion - GHSA-46j5-6fg5-4gv3
fix available via `npm audit fix --force`
Will install email-templates@13.0.1, which is a breaking change
node_modules/email-templates/node_modules/nodemailer
node_modules/mailparser/node_modules/nodemailer
node_modules/preview-email/node_modules/nodemailer
  email-templates  >=3.0.0
  Depends on vulnerable versions of nodemailer
  Depends on vulnerable versions of preview-email
  node_modules/email-templates
  mailparser  2.3.1 - 3.9.0
  Depends on vulnerable versions of nodemailer
  node_modules/mailparser
  preview-email  *
  Depends on vulnerable versions of nodemailer
  node_modules/preview-email

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - GHSA-6rw7-vpxm-498p
No fix available
node_modules/request/node_modules/qs
  request  *
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of tough-cookie
  node_modules/request
    recaptcha2  *
    Depends on vulnerable versions of request
    node_modules/recaptcha2

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - GHSA-52f5-9888-hmc6
No fix available
node_modules/tmp
  useragent  *
  Depends on vulnerable versions of tmp
  node_modules/useragent
    @hapi/scooter  *
    Depends on vulnerable versions of useragent
    node_modules/@hapi/scooter

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

validator  <=13.15.20
Severity: high
Inefficient Regular Expression Complexity in validator.js - GHSA-qgmg-gppg-76g5
validator.js has a URL validation bypass vulnerability in its isURL function - GHSA-9965-vmph-33xx
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - GHSA-vghf-hv5q-vc2g
fix available via `npm audit fix --force`
Will install mongoose-validator@1.3.1, which is a breaking change
node_modules/mongoose-validator/node_modules/validator
  mongoose-validator  <=1.2.6 || >=1.3.2
  Depends on vulnerable versions of validator
  node_modules/mongoose-validator

14 vulnerabilities (4 low, 5 moderate, 5 high)

$ npm audit fix

...

12 vulnerabilities (3 low, 5 moderate, 4 high)
```

Refs: HID-2444
@cafuego cafuego merged commit baba11d into dev Jan 7, 2026
1 check passed
@cafuego cafuego deleted the cafuego/HID-2444-prod-deploy-2026-01 branch January 7, 2026 04:21