update latest for core-library

f07cb6e
Merged

Fix package lock #7162

GitHub Advanced Security / Trivy failed Dec 16, 2025 in 9s

123 new alerts including 6 critical severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 6 critical
  • 57 high
  • 51 medium
  • 9 low

Alerts not introduced by this pull request might have been detected because the code changes were too large.

See annotations below for details.

Annotations

Check failure on line 16622 in package-lock.json

Code scanning / Trivy

Multer vulnerable to Denial of Service from maliciously crafted requests High

Package: multer
Installed Version: 1.4.4
Vulnerability CVE-2025-47944
Severity: HIGH
Fixed Version: 2.0.0
Link: CVE-2025-47944

Check failure on line 16622 in package-lock.json

Code scanning / Trivy

Multer vulnerable to Denial of Service via memory leaks from unclosed streams High

Package: multer
Installed Version: 1.4.4
Vulnerability CVE-2025-47935
Severity: HIGH
Fixed Version: 2.0.0
Link: CVE-2025-47935

Check failure on line 14945 in package-lock.json

Code scanning / Trivy

nodejs-semver: Regular expression denial of service High

Package: semver
Installed Version: 5.1.0
Vulnerability CVE-2022-25883
Severity: HIGH
Fixed Version: 7.5.2, 6.3.1, 5.7.2
Link: CVE-2022-25883

Check failure on line 14940 in package-lock.json

Code scanning / Trivy

nodejs-lodash: command injection via template High

Package: lodash
Installed Version: 4.17.11
Vulnerability CVE-2021-23337
Severity: HIGH
Fixed Version: 4.17.21
Link: CVE-2021-23337

Check failure on line 14940 in package-lock.json

Code scanning / Trivy

nodejs-lodash: prototype pollution in zipObjectDeep function High

Package: lodash
Installed Version: 4.17.11
Vulnerability CVE-2020-8203
Severity: HIGH
Fixed Version: 4.17.19
Link: CVE-2020-8203

Check failure on line 14940 in package-lock.json

Code scanning / Trivy

nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties Critical

Package: lodash
Installed Version: 4.17.11
Vulnerability CVE-2019-10744
Severity: CRITICAL
Fixed Version: 4.17.12
Link: CVE-2019-10744

Check failure on line 14827 in package-lock.json

Code scanning / Trivy

node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm High

Package: jws
Installed Version: 4.0.0
Vulnerability CVE-2025-65945
Severity: HIGH
Fixed Version: 3.2.3, 4.0.1
Link: CVE-2025-65945

Check failure on line 14701 in package-lock.json

Code scanning / Trivy

node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm High

Package: jws
Installed Version: 3.2.2
Vulnerability CVE-2025-65945
Severity: HIGH
Fixed Version: 3.2.3, 4.0.1
Link: CVE-2025-65945

Check failure on line 14708 in package-lock.json

Code scanning / Trivy

jsonwebtoken: Unrestricted key type could lead to legacy keys usage High

Package: jsonwebtoken
Installed Version: 8.5.1
Vulnerability CVE-2022-23539
Severity: HIGH
Fixed Version: 9.0.0
Link: CVE-2022-23539

Check failure on line 14631 in package-lock.json

Code scanning / Trivy

json5: Prototype Pollution in JSON5 via Parse Method High

Package: json5
Installed Version: 0.5.1
Vulnerability CVE-2022-46175
Severity: HIGH
Fixed Version: 2.2.2, 1.0.2
Link: CVE-2022-46175

Check failure on line 12828 in package-lock.json

Code scanning / Trivy

nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string High

Package: is-svg
Installed Version: 3.0.0
Vulnerability CVE-2021-29059
Severity: HIGH
Fixed Version: 4.3.0
Link: CVE-2021-29059

Check failure on line 12828 in package-lock.json

Code scanning / Trivy

nodejs-is-svg: ReDoS via malicious string High

Package: is-svg
Installed Version: 3.0.0
Vulnerability CVE-2021-28092
Severity: HIGH
Fixed Version: 4.2.2
Link: CVE-2021-28092

Check failure on line 11344 in package-lock.json

Code scanning / Trivy

axios: Axios DoS via lack of data size check High

Package: axios
Installed Version: 0.21.4
Vulnerability CVE-2025-58754
Severity: HIGH
Fixed Version: 1.12.0, 0.30.2
Link: CVE-2025-58754

Check failure on line 11344 in package-lock.json

Code scanning / Trivy

axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests High

Package: axios
Installed Version: 0.21.4
Vulnerability CVE-2025-27152
Severity: HIGH
Fixed Version: 1.8.2, 0.30.0
Link: CVE-2025-27152

Check failure on line 11324 in package-lock.json

Code scanning / Trivy

node-forge: node-forge ASN.1 Unbounded Recursion High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2025-66031
Severity: HIGH
Fixed Version: 1.3.2
Link: CVE-2025-66031

Check failure on line 11324 in package-lock.json

Code scanning / Trivy

node-forge: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2025-12816
Severity: HIGH
Fixed Version: 1.3.2
Link: CVE-2025-12816

Check failure on line 10180 in package-lock.json

Code scanning / Trivy

form-data: Unsafe random function in form-data Critical

Package: form-data
Installed Version: 3.0.1
Vulnerability CVE-2025-7783
Severity: CRITICAL
Fixed Version: 2.5.4, 3.0.4, 4.0.4
Link: CVE-2025-7783

Check failure on line 23114 in package-lock.json

Code scanning / Trivy

sharp vulnerability in libwebp dependency CVE-2023-4863 High

Package: sharp
Installed Version: 0.20.8
Vulnerability GHSA-54xq-cgqr-rpm3
Severity: HIGH
Fixed Version: 0.32.6
Link: GHSA-54xq-cgqr-rpm3

Check failure on line 22996 in package-lock.json

Code scanning / Trivy

npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js High

Package: serialize-javascript
Installed Version: 2.1.2
Vulnerability CVE-2020-7660
Severity: HIGH
Fixed Version: 3.1.0
Link: CVE-2020-7660

Check failure on line 22000 in package-lock.json

Code scanning / Trivy

form-data: Unsafe random function in form-data Critical

Package: form-data
Installed Version: 2.3.3
Vulnerability CVE-2025-7783
Severity: CRITICAL
Fixed Version: 2.5.4, 3.0.4, 4.0.4
Link: CVE-2025-7783

Check failure on line 21452 in package-lock.json

Code scanning / Trivy

prismjs: improperly escaped output allows a XSS High

Package: prismjs
Installed Version: 1.17.1
Vulnerability CVE-2022-23647
Severity: HIGH
Fixed Version: 1.27.0
Link: CVE-2022-23647

Check failure on line 21452 in package-lock.json

Code scanning / Trivy

npm-prismjs: a malicious (long) string will take a long time to highlight may result in ReDoS High

Package: prismjs
Installed Version: 1.17.1
Vulnerability CVE-2021-32723
Severity: HIGH
Fixed Version: 1.24.0
Link: CVE-2021-32723

Check failure on line 21452 in package-lock.json

Code scanning / Trivy

nodejs-prismjs: Regular expression denial of service via prism-asciidoc prism-rest prism-tap and prism-eiffel components High

Package: prismjs
Installed Version: 1.17.1
Vulnerability CVE-2021-23341
Severity: HIGH
Fixed Version: 1.23.0
Link: CVE-2021-23341

Check failure on line 21452 in package-lock.json

Code scanning / Trivy

nodejs-prismjs: xss vulnerability that allows attackers to execute arbitrary code High

Package: prismjs
Installed Version: 1.17.1
Vulnerability CVE-2020-15138
Severity: HIGH
Fixed Version: 1.21.0
Link: CVE-2020-15138

Check failure on line 20610 in package-lock.json

Code scanning / Trivy

path-to-regexp: Backtracking regular expressions cause ReDoS High

Package: path-to-regexp
Installed Version: 1.8.0
Vulnerability CVE-2024-45296
Severity: HIGH
Fixed Version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0
Link: CVE-2024-45296