
fix(deps): vuln minor upgrades — 13 packages (minor: 3 · patch: 10) [src/currencyservice] #53

Open

gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/currencyservice/1-1781532572

Conversation

@gh-worker-campaigns-3e9aa4


Summary: High-severity security update — 13 packages upgraded (MINOR changes included)

Manifests changed:

  • src/currencyservice (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| node-forge | 1.3.1 | 1.4.0 | minor | Transitive | 12 HIGH, 2 MEDIUM |
| minimatch | 5.1.1 | 5.1.9 | patch | Transitive | 6 HIGH |
| protobufjs-cli | 1.0.2 | 1.3.3 | minor | Transitive | 2 HIGH |
| jws | 4.0.0 | 4.0.1 | patch | Transitive | 2 HIGH |
| semver | 5.7.1 | 5.7.2 | patch | Transitive | 2 HIGH |
| underscore | 1.13.6 | 1.13.8 | patch | Transitive | 2 HIGH |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| tmp | 0.2.1 | 0.2.7 | patch | Transitive | 1 HIGH, 2 LOW |
| brace-expansion | 2.0.1 | 2.0.3 | patch | Transitive | 2 MEDIUM, 2 LOW |
| word-wrap | 1.2.3 | 1.2.5 | patch | Transitive | 2 MEDIUM |
| @protobufjs/utf8 | 1.1.0 | 1.1.1 | patch | Transitive | 1 MEDIUM |
| uuid | 9.0.0 | 9.0.1 | patch | Transitive | 1 MEDIUM |
| @tootallnate/once | 2.0.0 | 2.0.1 | patch | Transitive | 2 LOW |

Security Details

🚨 Critical & High Severity (28 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| jws | GHSA-869p-cjfg-cm3x | HIGH | auth0/node-jws Improperly Verifies HMAC Signature | 4.0.0 | 3.2.3 |
| jws | CVE-2025-65945 | HIGH | auth0/node-jws improper HMAC signature verification vulnerability | 4.0.0 | - |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 5.1.1 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 5.1.1 | 10.2.1 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 5.1.1 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 5.1.1 | 10.2.3 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 5.1.1 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 5.1.1 | 10.2.3 |
| node-forge | CVE-2026-33896 | HIGH | Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | 1.3.1 | - |
| node-forge | GHSA-554w-wpv2-vw27 | HIGH | node-forge has ASN.1 Unbounded Recursion | 1.3.1 | 1.3.2 |
| node-forge | GHSA-5gfm-wpxj-wjgq | HIGH | node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization | 1.3.1 | 1.3.2 |
| node-forge | GHSA-q67f-28xg-22rw | HIGH | Forge has signature forgery in Ed25519 due to missing S > L check | 1.3.1 | 1.4.0 |
| node-forge | CVE-2026-33895 | HIGH | Forge has signature forgery in Ed25519 due to missing S > L check | 1.3.1 | - |
| node-forge | GHSA-ppp5-5v6c-4jwp | HIGH | Forge has signature forgery in RSA-PKCS due to ASN.1 extra field | 1.3.1 | 1.4.0 |
| node-forge | CVE-2026-33894 | HIGH | Forge has signature forgery in RSA-PKCS due to ASN.1 extra field | 1.3.1 | - |
| node-forge | CVE-2025-12816 | HIGH | - | 1.3.1 | - |
| node-forge | CVE-2025-66031 | HIGH | node-forge ASN.1 Unbounded Recursion | 1.3.1 | - |
| node-forge | CVE-2026-33891 | HIGH | Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input | 1.3.1 | - |
| node-forge | GHSA-5m6q-g25r-mvwx | HIGH | Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input | 1.3.1 | 1.4.0 |
| node-forge | GHSA-2328-f5f3-gj25 | HIGH | Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | 1.3.1 | 1.4.0 |
| protobufjs-cli | GHSA-6r35-46g8-jcw9 | HIGH | protobuf.js: Code injection in pbjs static output from crafted schema names | 1.0.2 | 1.2.1 |
| protobufjs-cli | GHSA-f84p-cvgm-xgjj | HIGH | protobuf.js is Vulnerable to OS Command Injection in the CLI | 1.0.2 | 1.2.1 |
| semver | CVE-2022-25883 | HIGH | - | 5.7.1 | - |
| semver | GHSA-c2qf-rxjj-qqgw | HIGH | semver vulnerable to Regular Expression Denial of Service | 5.7.1 | 7.5.2 |
| tmp | GHSA-ph9p-34f9-6g65 | HIGH | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape | 0.2.1 | 0.2.6 |
| underscore | GHSA-qpx9-hpmf-5gmw | HIGH | Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack | 1.13.6 | 1.13.8 |
| underscore | CVE-2026-27601 | HIGH | Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack | 1.13.6 | - |
ℹ️ Other Vulnerabilities (17)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @protobufjs/utf8 | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 1.1.0 | 1.1.1 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 2.0.1 | - |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 2.0.1 | 5.0.5 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| node-forge | CVE-2025-66030 | MODERATE | node-forge ASN.1 OID Integer Truncation | 1.3.1 | - |
| node-forge | GHSA-65ch-62r8-g69g | MODERATE | node-forge is vulnerable to ASN.1 OID Integer Truncation | 1.3.1 | 1.3.2 |
| uuid | GHSA-w5hq-g745-h8pq | MODERATE | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | 9.0.0 | 11.1.1 |
| word-wrap | CVE-2023-26115 | MODERATE | - | 1.2.3 | - |
| word-wrap | GHSA-j8xg-fqg3-53r7 | MODERATE | word-wrap vulnerable to Regular Expression Denial of Service | 1.2.3 | 1.2.4 |
| @tootallnate/once | CVE-2026-3449 | LOW | - | 2.0.0 | - |
| @tootallnate/once | GHSA-vpq2-c234-7xj6 | LOW | @tootallnate/once vulnerable to Incorrect Control Flow Scoping | 2.0.0 | 3.0.1 |
| brace-expansion | CVE-2025-5889 | LOW | - | 2.0.1 | - |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 2.0.1 | 2.0.2 |
| tmp | CVE-2025-54798 | LOW | tmp does not restrict arbitrary temporary file / directory write via symbolic link dir parameter | 0.2.1 | - |
| tmp | GHSA-52f5-9888-hmc6 | LOW | tmp allows arbitrary temporary file / directory write via symbolic link dir parameter | 0.2.1 | 0.2.4 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
