Skip to content

fix(muster): support per-user auth and address workflow plugin review feedback#1735

Merged
teemow merged 2 commits into
mainfrom
muster-followup-review-fixes
Jun 11, 2026
Merged

fix(muster): support per-user auth and address workflow plugin review feedback#1735
teemow merged 2 commits into
mainfrom
muster-followup-review-fixes

Conversation

@teemow

@teemow teemow commented Jun 11, 2026

Copy link
Copy Markdown
Member

Summary

Follow-up to #1733, fixing the production blocker found while testing /muster on a real installation and addressing @marians' post-merge review feedback.

Per-user auth support (production blocker)

Real deployments configure the muster aiChat.mcp entry with authProvider (per-user OAuth via dex), which the muster-backend proxy rejected as "unconfigured" -- the Workflows page failed with a 503 ServiceUnavailableError. Now:

  • The muster frontend resolves the muster server's authProvider from config, fetches the user's token (same mechanism as ai-chat's MCPAuthProviders, wired via a new musterAuthProvidersApiRef overridden in the app with the gs auth providers), and forwards it in a backstage-muster-authorization header.
  • muster-backend opens per-user MCP sessions, cached per token via the shared McpClientCache, and returns a 401 when the token is missing.

No deployment config changes are needed; existing authProvider: mcp-muster entries start working.

Review feedback from #1733

  • Shared MCP client cache: McpClientCache + isClosedClientError moved from ai-chat-backend to @giantswarm/backstage-plugin-gs-node; both backends now import the single implementation instead of drifting copies. (The per-user cache requirement above made the hand-rolled single-entry cache in muster-backend obsolete anyway.)
  • getString('name') crash: readMusterServerFromConfig uses getOptionalString, so an unnamed aiChat.mcp entry no longer takes down plugin registration.
  • tool.execute! non-null assertion: replaced with an explicit check that throws a clean ServiceUnavailableError.
  • Error classes: muster-backend throws ServiceUnavailableError/AuthenticationError/InputError from @backstage/errors and the hand-rolled error middleware is gone (the backend's default error middleware maps them; tests mount MiddlewareFactory.error() to mirror that).
  • parseOptionalInt empty-value coercion: ?limit= is now rejected with a 400 instead of silently becoming 0.
  • Repeated status param: rejected with a clear 400 instead of a misleading enum error.
  • Swallowed query errors: execution-list failures render a ResponseErrorPanel in the history slot; selected-execution failures render an inline alert above the canvas.
  • formatDuration triplication: extracted to lib/formatDuration.ts.
  • Duplicate step ids: workflowToGraph suffixes colliding node ids so xyflow no longer silently drops nodes/edges.

Test plan

  • muster-backend, muster, gs-node test suites pass (25/10/12 tests), including new coverage for per-user tokens, missing-token 401, empty/repeated query params, executor-less tools, and duplicate step ids
  • repo tsc and per-package lint clean
  • After release: /muster on an installation with authProvider: mcp-muster lists workflows and renders executions

Made with Cursor

@teemow @cursoragent
fix(muster): support per-user auth and address workflow plugin review…
ced70a1 
… feedback

Co-authored-by: Cursor <cursoragent@cursor.com>
@teemow teemow requested a review from a team as a code owner June 11, 2026 07:15
@teemow @cursoragent
style: apply prettier formatting
d1201b0 
Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

github-actions Bot commented Jun 11, 2026

Copy link
Copy Markdown

JS Dependency Audit

0 added · 0 removed · 287 total (0 vs base)

Projects audited
  • . (manager: yarn-berry)
  • ./packages/app (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend-common (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./packages/backend-headless-service (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ai-chat-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/auth-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/catalog-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/error-reporter-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/flux (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/flux-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-common (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/gs-node (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/kubernetes-react (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/muster (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/muster-backend (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/scaffolder-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/techdocs-backend-module-gs (manager: unknown) — skipped on PR head: no recognized lockfile
  • ./plugins/ui-react (manager: unknown) — skipped on PR head: no recognized lockfile

No change in vulnerabilities compared to the base branch.

Full current vulnerability list (287)
  • 🔴 critical basic-ftp (<5.2.0) — Basic FTP has Path Traversal Vulnerability in its downloadToDir() method advisory
  • 🔴 critical cipher-base (<=1.0.4) — cipher-base is missing type checks, leading to hash rewind and passing on crafted data advisory
  • 🔴 critical elliptic (<=6.6.0) — Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) advisory
  • 🔴 critical fast-xml-parser (>=4.1.3 <4.5.4) — fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names advisory
  • 🔴 critical form-data (<2.5.4) — form-data uses unsafe random function in form-data for choosing boundary advisory
  • 🔴 critical handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion advisory
  • 🔴 critical jsonpath-plus (<10.2.0) — JSONPath Plus Remote Code Execution (RCE) Vulnerability advisory
  • 🔴 critical pbkdf2 (>=3.0.10 <=3.1.2) — pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos advisory
  • 🔴 critical pbkdf2 (>=1.0.0 <=3.1.2) — pbkdf2 silently disregards Uint8Array input, returning static keys advisory
  • 🔴 critical protobufjs (<7.5.5) — Arbitrary code execution in protobufjs advisory
  • 🔴 critical sha.js (<=2.4.11) — sha.js is missing type checks leading to hash rewind and passing on crafted data advisory
  • 🔴 critical shell-quote (>=1.1.0 <=1.8.3) — shell-quote quote() does not escape newlines in object .op values advisory
  • 🔴 critical vm2 (<=3.10.1) — vm2 has a Sandbox Escape advisory
  • 🔴 critical vm2 (<=3.10.4) — VM2 Has a Sandbox Escape Issue via SuppressedError advisory
  • 🔴 critical vm2 (<=3.10.3) — VM2 Has Sandbox Breakout Through Inspect Function advisory
  • 🔴 critical vm2 (<=3.10.3) — VM2 Has Sandbox Breakout Through Promise Species advisory
  • 🔴 critical vm2 (<=3.10.4) — VM2 Sandbox Breakout Through lookupGetter advisory
  • 🔴 critical vm2 (<3.11.2) — vm2 has Sandbox Breakout Through Null Proto Exception advisory
  • 🔴 critical vm2 (<=3.11.1) — vm2 has sandbox breakout via neutralizeArraySpeciesBatch advisory
  • 🔴 critical vm2 (<=3.11.0) — vm2 NodeVM nesting: true bypasses require: false allowing sandbox escape and arbitrary OS command execution advisory
  • 🔴 critical vm2 (>=3.9.6 <=3.10.5) — vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape advisory
  • 🔴 critical vm2 (<=3.10.5) — vm2 Access to Host Object Enables Sandbox Escape advisory
  • 🔴 critical vm2 (<=3.10.5) — vm2 has a Sandbox Escape Vulnerability advisory
  • 🔴 critical vm2 (<=3.11.2) — vm2 Has a Sandbox Breakout Using Async Generator advisory
  • 🔴 critical vm2 (<=3.11.3) — NodeVM builtin denylist bypass via process and inspector/promises allows host code execution advisory
  • 🔴 critical vm2 (<=3.11.3) — vm2 sandbox escape via JSPI-backed Promise .finally() species bypass advisory
  • 🔴 critical vm2 (<=3.11.3) — vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE advisory
  • 🔴 critical vm2 (<=3.11.3) — vm2 is Vulnerable to Sandbox Breakout Through Promise Species advisory
  • 🔴 critical vm2 (<=3.11.3) — vm2 has a Sandbox Escape issue advisory
  • 🔴 critical vm2 (<=3.10.4) — VM2 Has a WASM Sandbox Escape advisory
  • 🟠 high @backstage/backend-defaults (<0.12.2) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @backstage/plugin-scaffolder-node (>=0.12.0 <0.12.3) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @backstage/plugin-scaffolder-node (<0.11.2) — Backstage has a Possible Symlink Path Traversal in Scaffolder Actions advisory
  • 🟠 high @hono/node-server (<1.19.10) — @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware advisory
  • 🟠 high axios (<0.30.0) — axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL advisory
  • 🟠 high axios (>=1.0.0 <1.8.2) — axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL advisory
  • 🟠 high axios (>=1.0.0 <1.12.0) — Axios is vulnerable to DoS attack through lack of data size check advisory
  • 🟠 high axios (<=0.31.0) — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 advisory
  • 🟠 high axios (>=1.0.0 <1.15.1) — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 advisory
  • 🟠 high axios (<=0.31.0) — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking advisory
  • 🟠 high axios (>=1.0.0 <1.15.1) — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking advisory
  • 🟠 high axios (<=0.31.0) — Axios: Header Injection via Prototype Pollution advisory
  • 🟠 high axios (>=1.0.0 <1.15.1) — Axios: Header Injection via Prototype Pollution advisory
  • 🟠 high axios (<=0.30.2) — Axios is Vulnerable to Denial of Service via proto Key in mergeConfig advisory
  • 🟠 high axios (>=1.0.0 <=1.13.4) — Axios is Vulnerable to Denial of Service via proto Key in mergeConfig advisory
  • 🟠 high axios (>=1.0.0 <1.15.2) — Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking advisory
  • 🟠 high axios (<=0.31.1) — axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) advisory
  • 🟠 high axios (>=1.0.0 <1.16.0) — axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) advisory
  • 🟠 high axios (>=0.19.0 <0.31.1) — axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge advisory
  • 🟠 high axios (>=1.0.0 <1.15.2) — axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge advisory
  • 🟠 high axios (>=1.0.0 <1.16.0) — axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy advisory
  • 🟠 high axios (<=0.31.1) — Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection advisory
  • 🟠 high axios (>=1.0.0 <1.16.0) — Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection advisory
  • 🟠 high axios (>=1.7.0 <1.16.0) — Allocation of Resources Without Limits or Throttling in Axios advisory
  • 🟠 high axios (<=0.31.1) — Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter advisory
  • 🟠 high axios (>=1.0.0 <1.16.0) — Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter advisory
  • 🟠 high axios (<=0.31.1) — Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection advisory
  • 🟠 high axios (>=1.0.0 <1.16.0) — Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection advisory
  • 🟠 high basic-ftp (<=5.2.1) — basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands advisory
  • 🟠 high basic-ftp (<=5.2.2) — basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() advisory
  • 🟠 high basic-ftp (<=5.3.0) — basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering advisory
  • 🟠 high fast-uri (<=3.1.0) — fast-uri vulnerable to path traversal via percent-encoded dot segments advisory
  • 🟠 high fast-uri (<=3.1.1) — fast-uri vulnerable to host confusion via percent-encoded authority delimiters advisory
  • 🟠 high fast-xml-builder (<=1.1.6) — fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes advisory
  • 🟠 high fast-xml-parser (>=4.1.3 <4.5.4) — fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) advisory
  • 🟠 high fast-xml-parser (>=4.0.0-beta.3 <4.5.5) — fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) advisory
  • 🟠 high fast-xml-parser (>=5.0.0 <5.5.6) — fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) advisory
  • 🟠 high flatted (<3.4.0) — flatted vulnerable to unbounded recursion DoS in parse() revive phase advisory
  • 🟠 high flatted (<=3.4.1) — Prototype Pollution via parse() in NodeJS flatted advisory
  • 🟠 high glob (>=10.2.0 <10.5.0) — glob CLI: Command injection via -c/--cmd executes matches with shell:true advisory
  • 🟠 high glob (>=11.0.0 <11.1.0) — glob CLI: Command injection via -c/--cmd executes matches with shell:true advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation advisory
  • 🟠 high handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options advisory
  • 🟠 high immutable (<3.8.3) — Immutable is vulnerable to Prototype Pollution advisory
  • 🟠 high js-cookie (<=3.0.5) — JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection advisory
  • 🟠 high jsonpath-plus (<10.3.0) — JSONPath Plus allows Remote Code Execution advisory
  • 🟠 high jws (=4.0.0) — auth0/node-jws Improperly Verifies HMAC Signature advisory
  • 🟠 high jws (<3.2.3) — auth0/node-jws Improperly Verifies HMAC Signature advisory
  • 🟠 high linkifyjs (<4.3.2) — Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) advisory
  • 🟠 high lodash (>=4.0.0 <=4.17.23) — lodash vulnerable to Code Injection via _.template imports key names advisory
  • 🟠 high lodash-es (>=4.0.0 <=4.17.23) — lodash vulnerable to Code Injection via _.template imports key names advisory
  • 🟠 high minimatch (<3.1.3) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=5.0.0 <5.1.7) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=7.0.0 <7.4.7) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=9.0.0 <9.0.6) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (>=10.0.0 <10.2.1) — minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern advisory
  • 🟠 high minimatch (<3.1.3) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=5.0.0 <5.1.8) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=7.0.0 <7.4.8) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=9.0.0 <9.0.7) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (>=10.0.0 <10.2.3) — minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments advisory
  • 🟠 high minimatch (<3.1.4) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=5.0.0 <5.1.8) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=7.0.0 <7.4.8) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=9.0.0 <9.0.7) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high minimatch (>=10.0.0 <10.2.3) — minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions advisory
  • 🟠 high multer (<2.1.0) — Multer vulnerable to Denial of Service via incomplete cleanup advisory
  • 🟠 high multer (<2.1.0) — Multer vulnerable to Denial of Service via resource exhaustion advisory
  • 🟠 high multer (<2.1.1) — Multer Vulnerable to Denial of Service via Uncontrolled Recursion advisory
  • 🟠 high node-forge (<=1.3.3) — Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) advisory
  • 🟠 high node-forge (<1.4.0) — Forge has signature forgery in Ed25519 due to missing S > L check advisory
  • 🟠 high node-forge (<1.4.0) — Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input advisory
  • 🟠 high node-forge (<1.4.0) — Forge has signature forgery in RSA-PKCS due to ASN.1 extra field advisory
  • 🟠 high path-to-regexp (<0.1.13) — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters advisory
  • 🟠 high path-to-regexp (>=8.0.0 <8.4.0) — path-to-regexp vulnerable to Denial of Service via sequential optional groups advisory
  • 🟠 high picomatch (<2.3.2) — Picomatch has a ReDoS vulnerability via extglob quantifiers advisory
  • 🟠 high picomatch (>=4.0.0 <4.0.4) — Picomatch has a ReDoS vulnerability via extglob quantifiers advisory
  • 🟠 high protobufjs (<=7.5.5) — protobuf.js: Code injection through bytes field defaults in generated toObject code advisory
  • 🟠 high protobufjs (<=7.5.5) — protobuf.js: Code generation gadget after prototype pollution advisory
  • 🟠 high protobufjs (<=7.5.5) — protobuf.js: Process-wide denial of service through unsafe option paths advisory
  • 🟠 high protobufjs (<=7.5.5) — protobuf.js: Denial of service through unbounded protobuf recursion advisory
  • 🟠 high tar (<7.5.7) — node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal advisory
  • 🟠 high tar (<=7.5.2) — node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization advisory
  • 🟠 high tar (<7.5.8) — Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction advisory
  • 🟠 high tar (<=7.5.9) — tar has Hardlink Path Traversal via Drive-Relative Linkpath advisory
  • 🟠 high tar (<=7.5.10) — node-tar Symlink Path Traversal via Drive-Relative Linkpath advisory
  • 🟠 high tar (<=7.5.3) — Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS advisory
  • 🟠 high tmp (<0.2.6) — tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape advisory
  • 🟠 high underscore (<=1.13.7) — Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack advisory
  • 🟠 high undici (>=7.0.0 <7.24.0) — Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client advisory
  • 🟠 high undici (>=7.0.0 <7.24.0) — Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression advisory
  • 🟠 high undici (<6.24.0) — Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression advisory
  • 🟠 high undici (>=7.0.0 <7.24.0) — Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation advisory
  • 🟠 high undici (<6.24.0) — Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation advisory
  • 🟠 high vm2 (<=3.10.5) — vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion advisory
  • 🟠 high vm2 (<=3.10.5) — vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) advisory
  • 🟠 high vm2 (<=3.11.3) — vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain advisory
  • 🟠 high vm2 (<=3.11.3) — vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks advisory
  • 🟠 high vm2 (<=3.11.3) — NodeVM network builtin exclusions bypass via internal _http_client and _http_server advisory
  • 🟡 moderate @babel/runtime (<7.26.10) — Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups advisory
  • 🟡 moderate @backstage/backend-common (0.25.0) — This package is deprecated, please follow the deprecation instructions for the exports you still use
  • 🟡 moderate @backstage/cli-common (<=0.1.16) — @backstage/cli-common has a possible resolveSafeChildPath Symlink Chain Bypass advisory
  • 🟡 moderate @backstage/plugin-circleci (0.3.35) — This package has been moved to the to the https://github.com/CircleCI-Public/backstage-plugin repository. You should migrate to using that instead.
  • 🟡 moderate @fortawesome/react-fontawesome (0.2.6) — v0.2.x is no longer supported. Unless you are still using FontAwesome 5, please update to v3.1.1 or greater.
  • 🟡 moderate @hono/node-server (<1.19.13) — @hono/node-server: Middleware bypass via repeated slashes in serveStatic advisory
  • 🟡 moderate @humanwhocodes/config-array (0.13.0) — Use @eslint/config-array instead
  • 🟡 moderate @humanwhocodes/object-schema (2.0.3) — Use @eslint/object-schema instead
  • 🟡 moderate @material-ui/core (4.12.4) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @material-ui/lab (4.0.0-alpha.61) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @material-ui/pickers (3.3.11) — This package no longer supported. It has been relaced by @mui/x-date-pickers
  • 🟡 moderate @material-ui/styles (4.11.5) — Material UI v4 doesn't receive active development since September 2021. See the guide https://mui.com/material-ui/migration/migration-v4/ to upgrade to v5.
  • 🟡 moderate @octokit/endpoint (>=9.0.5 <9.0.6) — @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/plugin-paginate-rest (>=1.0.0 <9.2.2) — @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/plugin-paginate-rest (>=9.3.0-beta.1 <11.4.1) — @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/request (>=1.0.0 <8.4.1) — @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @octokit/request-error (>=1.0.0 <5.1.1) — @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking advisory
  • 🟡 moderate @protobufjs/utf8 (<=1.1.0) — protobufjs has overlong UTF-8 decoding advisory
  • 🟡 moderate @react-hookz/deep-equal (1.0.4) — PACKAGE IS DEPRECATED AND WILL BE DETED SOON, USE @ver0/deep-equal INSTEAD
  • 🟡 moderate @rjsf/material-ui (5.24.13) — Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
  • 🟡 moderate @sentry/browser (<7.119.1) — Sentry SDK Prototype Pollution gadget in JavaScript SDKs advisory
  • 🟡 moderate @types/http-proxy-middleware (1.0.0) — This is a stub types definition. http-proxy-middleware provides its own type definitions, so you do not need this installed.
  • 🟡 moderate @types/keyv (4.2.0) — This is a stub types definition. keyv provides its own type definitions, so you do not need this installed.
  • 🟡 moderate @ungap/structured-clone (1.3.0) — Potential CWE-502 - Update to 1.3.1 or higher
  • 🟡 moderate atlassian-openapi (1.0.19) — DEPRECATED: atlassian-openapi has moved to @atlassian/atlassian-openapi. The latest version is 1.0.6. Please update your dependency.
  • 🟡 moderate axios (>=0.8.1 <0.28.0) — Axios Cross-Site Request Forgery Vulnerability advisory
  • 🟡 moderate axios (<0.31.0) — Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.0) — Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.2) — Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: no_proxy bypass via IP alias allows SSRF advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: no_proxy bypass via IP alias allows SSRF advisory
  • 🟡 moderate axios (<=0.31.0) — Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: HTTP adapter streamed responses bypass maxContentLength advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: HTTP adapter streamed responses bypass maxContentLength advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion advisory
  • 🟡 moderate axios (<0.31.0) — Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.0) — Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain advisory
  • 🟡 moderate axios (<=0.31.1) — axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions advisory
  • 🟡 moderate axios (>=1.0.0 <1.16.0) — axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions advisory
  • 🟡 moderate axios (<=0.31.0) — Axios: unbounded recursion in toFormData causes DoS via deeply nested request data advisory
  • 🟡 moderate axios (>=1.0.0 <1.15.1) — Axios: unbounded recursion in toFormData causes DoS via deeply nested request data advisory
  • 🟡 moderate bn.js (>=5.0.0 <5.2.3) — bn.js affected by an infinite loop advisory
  • 🟡 moderate bn.js (<4.12.3) — bn.js affected by an infinite loop advisory
  • 🟡 moderate boolean (3.2.0) — Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
  • 🟡 moderate brace-expansion (<1.1.13) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=2.0.0 <2.0.3) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=4.0.0 <5.0.5) — brace-expansion: Zero-step sequence causes process hang and memory exhaustion advisory
  • 🟡 moderate brace-expansion (>=5.0.0 <5.0.6) — brace-expansion: Large numeric range defeats documented max DoS protection advisory
  • 🟡 moderate core-js (2.6.12) — core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
  • 🟡 moderate dompurify (>=3.1.3 <3.2.7) — DOMPurify contains a Cross-site Scripting vulnerability advisory
  • 🟡 moderate dompurify (>=3.1.3 <=3.3.1) — DOMPurify contains a Cross-site Scripting vulnerability advisory
  • 🟡 moderate dompurify (<=3.3.1) — DOMPurify ADD_ATTR predicate skips URI validation advisory
  • 🟡 moderate dompurify (<=3.3.1) — DOMPurify USE_PROFILES prototype pollution allows event handlers advisory
  • 🟡 moderate dompurify (<=3.3.3) — DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation advisory
  • 🟡 moderate dompurify (<3.4.0) — DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) advisory
  • 🟡 moderate dompurify (>=1.0.10 <3.4.0) — DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode advisory
  • 🟡 moderate dompurify (>=3.0.1 <3.4.0) — DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback advisory
  • 🟡 moderate dompurify (<3.3.2) — DOMPurify is vulnerable to mutation-XSS via Re-Contextualization advisory
  • 🟡 moderate eslint (8.57.1) — This version is no longer supported. Please see https://eslint.org/version-support for other options.
  • 🟡 moderate fast-xml-parser (>=5.0.0 <5.5.7) — Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser advisory
  • 🟡 moderate fast-xml-parser (>=4.0.0-beta.3 <4.5.5) — Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser advisory
  • 🟡 moderate fast-xml-parser (<5.7.0) — fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters advisory
  • 🟡 moderate file-type (>=13.0.0 <21.3.1) — file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header advisory
  • 🟡 moderate follow-redirects (<=1.15.11) — follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets advisory
  • 🟡 moderate glob (7.2.3) — Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
  • 🟡 moderate handlebars (>=4.0.0 <4.7.9) — Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection advisory
  • 🟡 moderate handlebars (>=4.6.0 <=4.7.8) — Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry advisory
  • 🟡 moderate har-validator (5.1.5) — this library is no longer supported
  • 🟡 moderate hono (<4.12.12) — Hono missing validation of cookie name on write path in setCookie() advisory
  • 🟡 moderate hono (<4.12.12) — Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() advisory
  • 🟡 moderate hono (>=4.0.0 <=4.12.11) — Hono: Path traversal in toSSG() allows writing files outside the output directory advisory
  • 🟡 moderate hono (<4.12.12) — Hono: Middleware bypass via repeated slashes in serveStatic advisory
  • 🟡 moderate hono (<4.12.14) — hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR advisory
  • 🟡 moderate hono (<4.12.12) — Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses advisory
  • 🟡 moderate hono (<4.12.18) — Hono has CSS Declaration Injection via Style Object Values in JSX SSR advisory
  • 🟡 moderate hono (<4.12.18) — Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage advisory
  • 🟡 moderate hono (<4.12.16) — Hono: bodyLimit() can be bypassed for chunked / unknown-length requests advisory
  • 🟡 moderate hono (<4.12.16) — hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection advisory
  • 🟡 moderate hono (<4.12.21) — Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 advisory
  • 🟡 moderate hono (<4.12.21) — Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection advisory
  • 🟡 moderate hono (<4.12.21) — Hono: JWT middleware accepts any Authorization scheme, not only Bearer advisory
  • 🟡 moderate hono (<4.12.21) — Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths advisory
  • 🟡 moderate http-proxy-middleware (>=3.0.0 <3.0.5) — http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed advisory
  • 🟡 moderate http-proxy-middleware (>=3.0.0 <3.0.4) — http-proxy-middleware can call writeBody twice because "else if" is not used advisory
  • 🟡 moderate inflight (1.0.6) — This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
  • 🟡 moderate ip-address (<=10.1.0) — ip-address has XSS in Address6 HTML-emitting methods advisory
  • 🟡 moderate lodash (<=4.17.23) — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit advisory
  • 🟡 moderate lodash-es (<=4.17.23) — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit advisory
  • 🟡 moderate lodash-es (>=4.0.0 <=4.17.22) — Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions advisory
  • 🟡 moderate lodash.get (4.4.2) — This package is deprecated. Use the optional chaining (?.) operator instead.
  • 🟡 moderate lodash.isequal (4.5.0) — This package is deprecated. Use require('node:util').isDeepStrictEqual instead.
  • 🟡 moderate markdown-it (>=13.0.0 <14.1.1) — markdown-it is has a Regular Expression Denial of Service (ReDoS) advisory
  • 🟡 moderate nanoid (<3.3.8) — Predictable results in nanoid generation when given non-integer values advisory
  • 🟡 moderate node-domexception (1.0.0) — Use your platform's native DOMException instead
  • 🟡 moderate path-to-regexp (>=8.0.0 <8.4.0) — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards advisory
  • 🟡 moderate picomatch (<2.3.2) — Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching advisory
  • 🟡 moderate picomatch (>=4.0.0 <4.0.4) — Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching advisory
  • 🟡 moderate postcss (<8.5.10) — PostCSS has XSS via Unescaped </style> in its CSS Stringify Output advisory
  • 🟡 moderate prebuild-install (7.1.3) — No longer maintained. Please contact the author of the relevant native addon; alternatives are available.
  • 🟡 moderate prismjs (<1.30.0) — PrismJS DOM Clobbering vulnerability advisory
  • 🟡 moderate protobufjs (<=7.5.5) — protobuf.js: Denial of service from crafted field names in generated code advisory
  • 🟡 moderate protobufjs (<=7.5.5) — protobuf.js: Prototype injection in generated message constructors advisory
  • 🟡 moderate protobufjs (<=7.5.5) — protobufjs has overlong UTF-8 decoding advisory
  • 🟡 moderate protobufjs (<=7.5.7) — protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion advisory
  • 🟡 moderate qs (<6.14.1) — qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion advisory
  • 🟡 moderate qs (>=6.11.1 <=6.15.1) — qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set advisory
  • 🟡 moderate react-beautiful-dnd (13.1.1) — react-beautiful-dnd is now deprecated. Context and options: react-beautiful-dnd is now deprecated atlassian/react-beautiful-dnd#2672
  • 🟡 moderate react-router (>=6.7.0 <6.30.4) — React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation advisory
  • 🟡 moderate request (<=2.88.2) — Server-Side Request Forgery in Request advisory
  • 🟡 moderate rimraf (3.0.2) — Rimraf versions prior to v4 are no longer supported
  • 🟡 moderate stable (0.1.8) — Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
  • 🟡 moderate superagent (8.1.2) — Please upgrade to superagent v10.2.2+, see release notes at https://github.com/forwardemail/superagent/releases/tag/v10.2.2 - maintenance is supported by Forward Email @ https://forwardemail.net
  • 🟡 moderate supertest (6.3.4) — Please upgrade to supertest v7.1.3+, see release notes at https://github.com/forwardemail/supertest/releases/tag/v7.1.3 - maintenance is supported by Forward Email @ https://forwardemail.net
  • 🟡 moderate tough-cookie (<4.1.3) — tough-cookie Prototype Pollution vulnerability advisory
  • 🟡 moderate undici (<6.23.0) — Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion advisory
  • 🟡 moderate undici (>=7.0.0 <7.18.2) — Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion advisory
  • 🟡 moderate undici (>=7.0.0 <7.24.0) — Undici has an HTTP Request/Response Smuggling issue advisory
  • 🟡 moderate undici (<6.24.0) — Undici has an HTTP Request/Response Smuggling issue advisory
  • 🟡 moderate undici (>=7.0.0 <7.24.0) — Undici has CRLF Injection in undici via upgrade option advisory
  • 🟡 moderate undici (<6.24.0) — Undici has CRLF Injection in undici via upgrade option advisory
  • 🟡 moderate undici (>=7.17.0 <7.24.0) — Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS advisory
  • 🟡 moderate uuid (<11.1.1) — uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided advisory
  • 🟡 moderate vm2 (<3.11.2) — vm2 has access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL advisory
  • 🟡 moderate vm2 (<=3.10.5) — vm2's Transformer Fast-Path Bypass Exposes Internal State Variable advisory
  • 🟡 moderate vm2 (<=3.10.5) — vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak advisory
  • 🟡 moderate vm2 (<=3.10.5) — vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary advisory
  • 🟡 moderate vm2 (<=3.11.3) — NodeVM observability builtins leak host process and HTTP request data advisory
  • 🟡 moderate webpack-dev-server (<=5.2.3) — webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins advisory
  • 🟡 moderate ws (>=8.0.0 <8.20.1) — ws: Uninitialized memory disclosure advisory
  • 🟡 moderate yaml (>=1.0.0 <1.10.3) — yaml is vulnerable to Stack Overflow via deeply nested YAML collections advisory
  • 🟡 moderate yaml (>=2.0.0 <2.8.3) — yaml is vulnerable to Stack Overflow via deeply nested YAML collections advisory
  • 🔵 low @backstage/backend-defaults (<0.12.2) — Backstage has a Possible SSRF when reading from allowed URL's in backend.reading.allow advisory
  • 🔵 low @backstage/integration (<=1.20.0) — Backstage vulnerable to potential reading of SCM URLs using built in token advisory
  • 🔵 low @smithy/config-resolver (<4.4.0) — AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value advisory
  • 🔵 low @tootallnate/once (<2.0.1) — @tootallnate/once vulnerable to Incorrect Control Flow Scoping advisory
  • 🔵 low axios (<=0.31.0) — Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams advisory
  • 🔵 low axios (>=1.0.0 <1.15.1) — Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams advisory
  • 🔵 low brace-expansion (>=1.0.0 <=1.1.11) — brace-expansion Regular Expression Denial of Service vulnerability advisory
  • 🔵 low brace-expansion (>=2.0.0 <=2.0.1) — brace-expansion Regular Expression Denial of Service vulnerability advisory
  • 🔵 low cookie (<0.7.0) — cookie accepts cookie name, path, and domain with out of bounds characters advisory
  • 🔵 low diff (>=4.0.0 <4.0.4) — jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch advisory
  • 🔵 low diff (>=5.0.0 <5.2.2) — jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch advisory
  • 🔵 low elliptic (<6.6.0) — Valid ECDSA signatures erroneously rejected in Elliptic advisory
  • 🔵 low elliptic (<=6.6.1) — Elliptic Uses a Cryptographic Primitive with a Risky Implementation advisory
  • 🔵 low fast-xml-parser (>=4.0.0-beta.0 <4.5.4) — fast-xml-parser has stack overflow in XMLBuilder with preserveOrder advisory
  • 🔵 low handlebars (>=4.0.0 <=4.7.8) — Handlebars.js has a Property Access Validation Bypass in container.lookup advisory
  • 🔵 low hono (<4.12.18) — Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() advisory
  • 🔵 low on-headers (<1.1.0) — on-headers is vulnerable to http response header manipulation advisory
  • 🔵 low tmp (<=0.2.3) — tmp allows arbitrary temporary file / directory write via symbolic link dir parameter advisory
  • 🔵 low undici (>=7.0.0 <7.5.0) — undici Denial of Service attack via bad certificate data advisory
  • 🔵 low vm2 (<=3.11.3) — vm2 setup-sandbox.js violates Defense Invariant Disable anonymous access #11 in stack-trace formatter advisory

@teemow teemow merged commit c117a5e into main Jun 11, 2026
10 checks passed
@teemow teemow deleted the muster-followup-review-fixes branch June 11, 2026 07:43
This was referenced Jun 11, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@QuentinBisson QuentinBisson QuentinBisson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@teemow @QuentinBisson