Update dependency yauzl to ^3.3.0 (main) #152
Security Report
❌ New vulnerabilities:
Partial results (95 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
| Vulnerability | Severity |  CVSS Score |
Vulnerable Library | Direct Library | Suggested Fix | Issue |
|---|---|---|---|---|---|---|
CVE-2026-40175Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
 Critical |
10.0 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version axios - 0.31.0 or greater |
None |
CVE-2026-40175Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
Critical |
10.0 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | Upgrade to version axios - 0.31.0 or greater | None |
CVE-2025-62718Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
Critical |
9.9 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version axios - 1.15.0 or greater |
None |
CVE-2025-62718Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
Critical |
9.9 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | Upgrade to version axios - 1.15.0 or greater | None |
CVE-616547-419802Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> ❌ parseurl-1.3.3.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive parseurl-1.3.3.tgz |
sdk-1.13.2.tgz | None | |
CVE-607537-903744Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> ❌ ajv-6.12.6.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive ajv-6.12.6.tgz |
sdk-1.13.2.tgz | None | |
CVE-398484-724968Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> debug-4.3.7.tgz -> ❌ ms-2.1.3.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive ms-2.1.3.tgz |
bump-cli-2.8.4.tgz | None | |
CVE-398484-724968Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> elastic-apm-node-4.13.0.tgz (Root Library) -> agentkeepalive-4.2.1.tgz -> humanize-ms-1.2.1.tgz -> ❌ ms-2.1.3.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive ms-2.1.3.tgz |
elastic-apm-node-4.13.0.tgz | None | |
CVE-398484-724968Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> jsonwebtoken-9.0.2.tgz (Root Library) -> ❌ ms-2.1.3.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive ms-2.1.3.tgz |
jsonwebtoken-9.0.2.tgz | None | |
CVE-398484-724968Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> elasticsearch-9.1.1.tgz (Root Library) -> transport-9.0.1.tgz -> ❌ ms-2.1.3.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive ms-2.1.3.tgz |
elasticsearch-9.1.1.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> inquirer-8.2.7.tgz (Root Library) -> ora-5.4.1.tgz -> bl-4.1.0.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
inquirer-8.2.7.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> wellknown-0.5.0.tgz (Root Library) -> concat-stream-1.5.2.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
wellknown-0.5.0.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> server-11.11.0.tgz (Root Library) -> multipipe-1.0.2.tgz -> duplexer2-0.1.4.tgz -> readable-stream-2.3.8.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
server-11.11.0.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> glob-7.2.3.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
cli-1.34.5.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> openpgp-5.11.3.tgz (Root Library) -> asn1.js-5.4.1.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
openpgp-5.11.3.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> del-6.1.1.tgz (Root Library) -> rimraf-3.0.2.tgz -> glob-7.2.3.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
del-6.1.1.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> borc-3.0.0.tgz (Root Library) -> readable-stream-3.6.2.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
borc-3.0.0.tgz | None | |
CVE-289561-266276Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> http-errors-2.0.0.tgz -> ❌ inherits-2.0.4.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive inherits-2.0.4.tgz |
sdk-1.13.2.tgz | None | |
| Critical |
9.8 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None | |
CVE-2026-1615Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ jsonpath-1.1.1.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive jsonpath-1.1.1.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version jsonpath - 1.3.0 or greater |
None |
CVE-2025-12735Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ expr-eval-2.0.2.tgz (Vulnerable Library) |
Critical |
9.8 | Direct expr-eval-2.0.2.tgz |
expr-eval-2.0.2.tgz | expr-eval-fork - 3.0.0,expr-eval-fork - 3.0.1 | None |
CVE-154062-641864Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> on-finished-2.4.1.tgz -> ❌ ee-first-1.1.1.tgz (Vulnerable Library) |
Critical |
9.8 | Transitive ee-first-1.1.1.tgz |
sdk-1.13.2.tgz | None | |
CVE-121740-819191Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ lodash-4.17.21.tgz (Vulnerable Library) |
Critical |
9.8 | Direct lodash-4.17.21.tgz |
lodash-4.17.21.tgz | None | |
CVE-105163-391686Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ jquery-3.7.1.tgz (Vulnerable Library) |
Critical |
9.8 | Direct jquery-3.7.1.tgz |
jquery-3.7.1.tgz | None | |
CVE-2026-25896Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> respect-core-1.34.5.tgz -> openapi-sampler-1.6.1.tgz -> ❌ fast-xml-parser-4.5.3.tgz (Vulnerable Library) |
Critical |
9.3 | Transitive fast-xml-parser-4.5.3.tgz |
cli-1.34.5.tgz | Transitive https://github.com/naturalintelligence/fast-xml-parser.git - v5.3.5 |
None |
CVE-2026-25896Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> client-bedrock-runtime-3.883.0.tgz (Root Library) -> core-3.883.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
Critical |
9.3 | Transitive fast-xml-parser-5.2.5.tgz |
client-bedrock-runtime-3.883.0.tgz | Transitive https://github.com/naturalintelligence/fast-xml-parser.git - v5.3.5 |
None |
CVE-2022-1227Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> redoc-2.5.0.tgz -> ❌ prismjs-1.29.0.tgz (Vulnerable Library) |
 High |
8.8 | Transitive prismjs-1.29.0.tgz |
cli-1.34.5.tgz | Transitive github.com/containers/psgo - v1.7.2,react - 15.0.1,https://github.com/containers/psgo.git - no_fix,https://github.com/containers/podman.git - no_fix |
None |
CVE-2025-68665Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ langchain-0.3.35.tgz (Vulnerable Library) |
High |
8.6 | Direct langchain-0.3.35.tgz |
langchain-0.3.35.tgz | langchain - 0.3.37,@langchain/core - 1.1.8,langchain - 1.2.3,@langchain/core - 0.3.80 | None |
CVE-2025-68665Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ core-0.3.78.tgz (Vulnerable Library) |
High |
8.6 | Direct core-0.3.78.tgz |
core-0.3.78.tgz | langchain - 0.3.37,@langchain/core - 1.1.8,langchain - 1.2.3,@langchain/core - 0.3.80 | None |
CVE-2025-12816Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
8.6 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | node-forge - 1.3.2 | None |
| High |
8.2 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None | |
CVE-2026-4800Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ lodash-4.17.21.tgz (Vulnerable Library) |
High |
8.1 | Direct lodash-4.17.21.tgz |
lodash-4.17.21.tgz | Upgrade to version lodash-amd - 4.18.0 or greater | None |
CVE-2026-4800Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> formik-2.4.6.tgz (Root Library) -> ❌ lodash-es-4.17.21.tgz (Vulnerable Library) |
High |
8.1 | Transitive lodash-es-4.17.21.tgz |
formik-2.4.6.tgz | Transitive Upgrade to version lodash-amd - 4.18.0 or greater |
None |
| High |
8.1 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None | |
| High |
8.1 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None | |
CVE-2025-68154Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> opentelemetry-node-1.2.0.tgz (Root Library) -> host-metrics-0.36.0.tgz -> ❌ systeminformation-5.23.8.tgz (Vulnerable Library) |
High |
8.1 | Transitive systeminformation-5.23.8.tgz |
opentelemetry-node-1.2.0.tgz | Transitive systeminformation - 5.27.14 |
None |
CVE-2025-65110Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> vega-5.33.0.tgz (Root Library) -> vega-functions-5.18.0.tgz -> ❌ vega-selections-5.6.0.tgz (Vulnerable Library) |
High |
8.1 | Transitive vega-selections-5.6.0.tgz |
vega-5.33.0.tgz | Transitive vega-selections - 5.6.3,vega-selections - 6.1.2 |
None |
CVE-2025-59840Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ vega-5.33.0.tgz (Vulnerable Library) |
High |
8.1 | Direct vega-5.33.0.tgz |
vega-5.33.0.tgz | vega-interpreter - 2.2.1,vega-interpreter - 1.2.1,vega-expression - 5.2.1,vega-expression - 6.1.0,vega - 6.2.0,vega - 6.2.0 | None |
MSC-2025-10528Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ jquery-3.7.1.tgz (Vulnerable Library) |
High |
7.8 | Direct jquery-3.7.1.tgz |
jquery-3.7.1.tgz | None | |
WS-2026-0003Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> on-finished-2.4.1.tgz -> ❌ ee-first-1.1.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive ee-first-1.1.1.tgz |
sdk-1.13.2.tgz | Transitive https://github.com/virtio-win/kvm-guest-drivers-windows.git - mm316 |
None |
CVE-2026-4926Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> oas-28.1.0.tgz (Root Library) -> ❌ path-to-regexp-8.2.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive path-to-regexp-8.2.0.tgz |
oas-28.1.0.tgz | Transitive Upgrade to version path-to-regexp - 8.4.0 or greater |
None |
CVE-2026-4926Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> router-2.1.0.tgz -> ❌ path-to-regexp-8.2.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive path-to-regexp-8.2.0.tgz |
sdk-1.13.2.tgz | Transitive Upgrade to version path-to-regexp - 8.4.0 or greater |
None |
CVE-2026-35525Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
High |
7.5 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | Upgrade to version liquidjs - 10.25.3 or greater | None |
CVE-2026-35213Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> hapi-21.4.3.tgz (Root Library) -> subtext-8.1.1.tgz -> ❌ content-6.0.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive content-6.0.0.tgz |
hapi-21.4.3.tgz | Transitive Upgrade to version @hapi/content - 6.0.1 or greater |
None |
| High |
7.5 | Direct handlebars-4.7.8.tgz |
handlebars-4.7.8.tgz | Upgrade to version handlebars - 4.7.9 or greater | None | |
CVE-2026-33895Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
CVE-2026-33894Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
CVE-2026-33891Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
CVE-2026-33671Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> styled-components-5.3.11.tgz (Root Library) -> babel-plugin-styled-components-2.1.4.tgz -> ❌ picomatch-2.3.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive picomatch-2.3.1.tgz |
styled-components-5.3.11.tgz | Transitive Upgrade to version picomatch - 4.0.4 or greater |
None |
CVE-2026-33671Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json,/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> chokidar-3.6.0.tgz -> anymatch-3.1.3.tgz -> ❌ picomatch-2.3.1.tgz (Vulnerable Library) |
High |
7.5 | Transitive picomatch-2.3.1.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version picomatch - 4.0.4 or greater |
None |
CVE-2026-33287Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
High |
7.5 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | None | |
CVE-2026-33285Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ liquidjs-10.22.0.tgz (Vulnerable Library) |
High |
7.5 | Direct liquidjs-10.22.0.tgz |
liquidjs-10.22.0.tgz | None | |
CVE-2026-33036Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> respect-core-1.34.5.tgz -> openapi-sampler-1.6.1.tgz -> ❌ fast-xml-parser-4.5.3.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-4.5.3.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version fast-xml-parser - 5.5.6 or greater |
None |
CVE-2026-33036Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> client-bedrock-runtime-3.883.0.tgz (Root Library) -> core-3.883.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-5.2.5.tgz |
client-bedrock-runtime-3.883.0.tgz | Transitive Upgrade to version fast-xml-parser - 5.5.6 or greater |
None |
| High |
7.5 | Direct minimatch-3.1.2.tgz |
minimatch-3.1.2.tgz | 10.2.1 | None | |
CVE-2026-26996Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> core-1.20.4.tgz -> ejs-3.1.10.tgz -> jake-10.9.2.tgz -> filelist-1.0.4.tgz -> ❌ minimatch-5.1.6.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-5.1.6.tgz |
bump-cli-2.8.4.tgz | Transitive 10.2.1 |
None |
CVE-2026-26996Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> openapi-core-1.34.5.tgz -> ❌ minimatch-5.1.6.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-5.1.6.tgz |
cli-1.34.5.tgz | Transitive 10.2.1 |
None |
CVE-2026-26996Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> readdir-glob-1.1.3.tgz -> ❌ minimatch-5.1.6.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-5.1.6.tgz |
archiver-7.0.1.tgz | Transitive 10.2.1 |
None |
CVE-2026-26996Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> archiver-utils-5.0.2.tgz -> glob-10.4.5.tgz -> ❌ minimatch-9.0.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive minimatch-9.0.5.tgz |
archiver-7.0.1.tgz | Transitive 10.2.1 |
None |
CVE-2026-26278Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> respect-core-1.34.5.tgz -> openapi-sampler-1.6.1.tgz -> ❌ fast-xml-parser-4.5.3.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-4.5.3.tgz |
cli-1.34.5.tgz | Transitive 5.3.6 |
None |
CVE-2026-26278Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> client-bedrock-runtime-3.883.0.tgz (Root Library) -> core-3.883.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-xml-parser-5.2.5.tgz |
client-bedrock-runtime-3.883.0.tgz | Transitive 5.3.6 |
None |
CVE-2026-25639Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
High |
7.5 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive https://github.com/axios/axios.git - v1.13.5 |
None |
CVE-2026-25639Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
High |
7.5 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | https://github.com/axios/axios.git - v1.13.5 | None |
CVE-2026-0621Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ sdk-1.13.2.tgz (Vulnerable Library) |
High |
7.5 | Direct sdk-1.13.2.tgz |
sdk-1.13.2.tgz | @modelcontextprotocol/sdk - 1.25.2 | None |
CVE-2025-66031Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.5 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | node-forge - 1.3.2 | None |
CVE-2025-65945Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> google-auth-library-9.10.0.tgz (Root Library) -> ❌ jws-4.0.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive jws-4.0.0.tgz |
google-auth-library-9.10.0.tgz | Transitive jws - 3.2.3,jws - 4.0.1 |
None |
CVE-2025-65945Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> jsonwebtoken-9.0.2.tgz (Root Library) -> ❌ jws-3.2.2.tgz (Vulnerable Library) |
High |
7.5 | Transitive jws-3.2.2.tgz |
jsonwebtoken-9.0.2.tgz | Transitive jws - 3.2.3,jws - 4.0.1 |
None |
CVE-2025-64756Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> tar-7.4.3.tgz (Root Library) -> minizlib-3.0.1.tgz -> rimraf-5.0.10.tgz -> ❌ glob-10.4.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive glob-10.4.5.tgz |
tar-7.4.3.tgz | Transitive glob - 11.1.0,glob - 10.5.0 |
None |
CVE-2025-64756Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> archiver-utils-5.0.2.tgz -> ❌ glob-10.4.5.tgz (Vulnerable Library) |
High |
7.5 | Transitive glob-10.4.5.tgz |
archiver-7.0.1.tgz | Transitive glob - 11.1.0,glob - 10.5.0 |
None |
CVE-2025-58754Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
High |
7.5 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive 1.12.0 |
None |
CVE-2025-57319Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> elastic-apm-node-4.13.0.tgz (Root Library) -> pino-8.15.1.tgz -> ❌ fast-redact-3.1.2.tgz (Vulnerable Library) |
High |
7.5 | Transitive fast-redact-3.1.2.tgz |
elastic-apm-node-4.13.0.tgz | None | |
CVE-2025-14874Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ nodemailer-7.0.9.tgz (Vulnerable Library) |
High |
7.5 | Direct nodemailer-7.0.9.tgz |
nodemailer-7.0.9.tgz | 7.0.11 | None |
CVE-2025-11362Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ pdfmake-0.2.15.tgz (Vulnerable Library) |
High |
7.5 | Direct pdfmake-0.2.15.tgz |
pdfmake-0.2.15.tgz | pdfmake - 0.3.0-beta.17,pdfmake - 0.3.0-beta.17 | None |
CVE-2024-21538Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> core-1.20.4.tgz -> password-prompt-1.1.3.tgz -> ❌ cross-spawn-7.0.3.tgz (Vulnerable Library) |
High |
7.5 | Transitive cross-spawn-7.0.3.tgz |
bump-cli-2.8.4.tgz | Transitive https://github.com/moxystudio/node-cross-spawn.git - v7.0.5,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,org.webjars.npm:cross-spawn:6.0.6 |
None |
CVE-2012-3412Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> redoc-2.5.0.tgz -> ❌ prismjs-1.29.0.tgz (Vulnerable Library) |
High |
7.5 | Transitive prismjs-1.29.0.tgz |
cli-1.34.5.tgz | Transitive 3.2.30 |
None |
CVE-2026-33896Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ node-forge-1.3.1.tgz (Vulnerable Library) |
High |
7.4 | Direct node-forge-1.3.1.tgz |
node-forge-1.3.1.tgz | Upgrade to version node-forge - 1.4.0 or greater | None |
CVE-2025-13204Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ expr-eval-2.0.2.tgz (Vulnerable Library) |
High |
7.3 | Direct expr-eval-2.0.2.tgz |
expr-eval-2.0.2.tgz | None | |
CVE-2025-66648Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> vega-5.33.0.tgz (Root Library) -> ❌ vega-functions-5.18.0.tgz (Vulnerable Library) |
High |
7.2 | Transitive vega-functions-5.18.0.tgz |
vega-5.33.0.tgz | Transitive vega-functions - 6.1.1 |
None |
CVE-2026-33750Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> minimatch-3.1.2.tgz (Root Library) -> ❌ brace-expansion-1.1.12.tgz (Vulnerable Library) |
 Medium |
6.5 | Transitive brace-expansion-1.1.12.tgz |
minimatch-3.1.2.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
CVE-2026-33750Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> core-1.20.4.tgz -> ejs-3.1.10.tgz -> jake-10.9.2.tgz -> filelist-1.0.4.tgz -> minimatch-5.1.6.tgz -> ❌ brace-expansion-2.0.1.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-2.0.1.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
CVE-2026-33750Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> glob-7.2.3.tgz -> minimatch-3.1.2.tgz -> ❌ brace-expansion-1.1.11.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-1.1.11.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
CVE-2026-33750Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> openapi-core-1.34.5.tgz -> minimatch-5.1.6.tgz -> ❌ brace-expansion-2.0.1.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-2.0.1.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
CVE-2026-33750Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> archiver-7.0.1.tgz (Root Library) -> readdir-glob-1.1.3.tgz -> minimatch-5.1.6.tgz -> ❌ brace-expansion-2.0.2.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive brace-expansion-2.0.2.tgz |
archiver-7.0.1.tgz | Transitive Upgrade to version brace-expansion - 2.0.3 or greater |
None |
CVE-2026-2950Path to dependency file: /package.json Path to vulnerable library: /package.json,/oas_docs/package.json Dependency Hierarchy: -> ❌ lodash-4.17.21.tgz (Vulnerable Library) |
Medium |
6.5 | Direct lodash-4.17.21.tgz |
lodash-4.17.21.tgz | Upgrade to version lodash.unset - 4.18.0 or greater | None |
CVE-2026-2950Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> formik-2.4.6.tgz (Root Library) -> ❌ lodash-es-4.17.21.tgz (Vulnerable Library) |
Medium |
6.5 | Transitive lodash-es-4.17.21.tgz |
formik-2.4.6.tgz | Transitive Upgrade to version lodash.unset - 4.18.0 or greater |
None |
CVE-2025-9910Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ai-4.3.19.tgz (Root Library) -> ❌ jsondiffpatch-0.6.0.tgz (Vulnerable Library) |
Medium |
6.1 | Transitive jsondiffpatch-0.6.0.tgz |
ai-4.3.19.tgz | Transitive 0.7.2 |
None |
CVE-2015-9251Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ jquery-3.7.1.tgz (Vulnerable Library) |
Medium |
6.1 | Direct jquery-3.7.1.tgz |
jquery-3.7.1.tgz | jquery - 3.0.0,org.webjars.npm:jquery:1.12.2,jQuery - 3.0.0,jquery-rails - 4.2.0,jquery - 1.12.2,org.webjars.npm:jquery:3.0.0,jQuery - 1.12.2,jQuery - 3.0.0,org.webjars.npm:jquery:1.12.2,org.webjars.npm:jquery:3.0.0,jquery - 3.0.0,jquery - 1.12.2,jQuery - 1.12.2,jquery-rails - 4.2.0 | None |
CVE-2026-4923Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> oas-28.1.0.tgz (Root Library) -> ❌ path-to-regexp-8.2.0.tgz (Vulnerable Library) |
Medium |
5.9 | Transitive path-to-regexp-8.2.0.tgz |
oas-28.1.0.tgz | Transitive Upgrade to version path-to-regexp - 8.4.0 or greater |
None |
CVE-2026-4923Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> router-2.1.0.tgz -> ❌ path-to-regexp-8.2.0.tgz (Vulnerable Library) |
Medium |
5.9 | Transitive path-to-regexp-8.2.0.tgz |
sdk-1.13.2.tgz | Transitive Upgrade to version path-to-regexp - 8.4.0 or greater |
None |
CVE-2026-39865Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> bump-cli-2.8.4.tgz (Root Library) -> ❌ axios-1.7.7.tgz (Vulnerable Library) |
Medium |
5.9 | Transitive axios-1.7.7.tgz |
bump-cli-2.8.4.tgz | Transitive Upgrade to version axios - 1.13.2 or greater |
None |
CVE-2026-39865Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ axios-1.12.1.tgz (Vulnerable Library) |
Medium |
5.9 | Direct axios-1.12.1.tgz |
axios-1.12.1.tgz | Upgrade to version axios - 1.13.2 or greater | None |
CVE-2026-33349Path to dependency file: /oas_docs/package.json Path to vulnerable library: /oas_docs/package.json Dependency Hierarchy: -> cli-1.34.5.tgz (Root Library) -> respect-core-1.34.5.tgz -> openapi-sampler-1.6.1.tgz -> ❌ fast-xml-parser-4.5.3.tgz (Vulnerable Library) |
Medium |
5.9 | Transitive fast-xml-parser-4.5.3.tgz |
cli-1.34.5.tgz | Transitive Upgrade to version fast-xml-parser - 5.5.7 or greater |
None |
CVE-2026-33349Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> client-bedrock-runtime-3.883.0.tgz (Root Library) -> core-3.883.0.tgz -> ❌ fast-xml-parser-5.2.5.tgz (Vulnerable Library) |
Medium |
5.9 | Transitive fast-xml-parser-5.2.5.tgz |
client-bedrock-runtime-3.883.0.tgz | Transitive Upgrade to version fast-xml-parser - 5.5.7 or greater |
None |
CVE-2025-13466Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> sdk-1.13.2.tgz (Root Library) -> express-5.0.1.tgz -> ❌ body-parser-2.2.0.tgz (Vulnerable Library) |
Medium |
5.8 | Transitive body-parser-2.2.0.tgz |
sdk-1.13.2.tgz | Transitive body-parser - 2.2.1 |
None |
CVE-2026-40190Path to dependency file: /package.json Path to vulnerable library: /package.json Dependency Hierarchy: -> ❌ langsmith-0.3.72.tgz (Vulnerable Library) |
Medium |
5.6 | Direct langsmith-0.3.72.tgz |
langsmith-0.3.72.tgz | Upgrade to version langsmith - 0.5.18 or greater | None |
Base branch total remaining vulnerabilities: 0
Base branch commit: 0d4c439f850955161bb80b25f879aa3be0fbc60d
Total libraries scanned: 3092
Scan token: 7e08436959ee475b820894542cb0c437