1 Critical
Critical-severity findings across all ecosystems.
34 High
High-severity findings across all ecosystems.
21 Medium
Medium-severity findings across all ecosystems.
10 Low
Low-severity findings across all ecosystems.
28 Info
Informational findings (unmaintained or unsound crates) across all ecosystems.
npm
63 advisories
Cargo
31 advisories
Python
0 advisories
CodeQL
0 alerts
Dependabot
0 alerts
| Ecosystem | Critical | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|---|
| npm | 1 | 34 | 18 | 10 | 0 | 63 |
| Cargo | 0 | 0 | 3 | 0 | 28 | 31 |
| Python | 0 | 0 | 0 | 0 | 0 | 0 |
| CodeQL | 0 | 0 | 0 | 0 | 0 | 0 |
| Dependabot | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 1 | 34 | 21 | 10 | 28 | 94 |
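To rebuild this kind of summary from the advisory rows, and to see how many distinct advisories the repeated rows actually stand for, here is an added Python example. It is not part of the generated report or of ci-nx-security.yml; the row excerpts it parses are constructed (abbreviated copies of rows in this report's layout), and `parse_rows`, `severity_matrix`, `unique_advisories`, `failing` and `render` are this example's own names.

```python
"""Reconcile a dependency-scan severity summary with its per-advisory rows.

Added example, not part of the generated report.  It parses advisory rows in
the same markdown layout as the tables in this report (constructed excerpt
below), tallies them into an ecosystem x severity matrix that keeps an Info
column so each Total equals the sum of its severity cells, collapses repeated
rows into unique advisories with an occurrence count, and applies a CI gate.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


class Finding(NamedTuple):
    ecosystem: str
    severity: str
    package: str
    title: str


# Constructed excerpts in the report's own row format; the real tables are longer.
NPM_ROWS = """
| Severity | Package | Advisory | Link |
|---|---|---|---|
| Critical | form-data | form-data uses unsafe random function | Details |
| High | minimatch | minimatch has a ReDoS via repeated wildcards | Details |
| High | minimatch | minimatch has a ReDoS via repeated wildcards | Details |
| High | minimatch | minimatch has ReDoS: matchOne() combinatorial backtracking | Details |
| Medium | lodash | Lodash has Prototype Pollution Vulnerability in _.unset | Details |
| Low | brace-expansion | brace-expansion Regular Expression Denial of Service | Details |
"""
CARGO_ROWS = """
| Severity | Package | Advisory | Link |
|---|---|---|---|
| Medium | rsa | Marvin Attack: potential key recovery through timing side channels | Details |
| Info | atty | atty is unmaintained | Details |
| Info | atty | Potential unaligned read | Details |
"""


def parse_rows(table: str, ecosystem: str) -> List[Finding]:
    """Turn `| Severity | Package | Advisory | ... |` rows into Findings.
    Header and separator rows are skipped.  An unknown severity label raises,
    so a renamed label (e.g. npm's "moderate") cannot silently drop out of
    the totals."""
    findings = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Severity" or set(cells[0]) <= {"-"}:
            continue
        severity, package, title = cells[0], cells[1], cells[2]
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r} for {package}")
        findings.append(Finding(ecosystem, severity, package, title))
    return findings


def severity_matrix(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """ecosystem -> {severity: count, ..., "Total": n}, plus a "Total" row.
    Every severity, Info included, is a column, so Total is always the row sum."""
    matrix: Dict[str, Dict[str, int]] = {}
    for f in findings:
        row = matrix.setdefault(f.ecosystem, {s: 0 for s in SEVERITIES})
        row[f.severity] += 1
    total = {s: sum(row[s] for row in matrix.values()) for s in SEVERITIES}
    for row in list(matrix.values()) + [total]:
        row["Total"] = sum(row[s] for s in SEVERITIES)
    matrix["Total"] = total
    return matrix


def unique_advisories(findings: List[Finding]) -> Counter:
    """Collapse repeated rows (one advisory reached through several dependency
    paths) into one entry per (ecosystem, severity, package, title) with its
    occurrence count."""
    return Counter(findings)


def failing(findings: List[Finding], fail_on=("Critical", "High")) -> List[Finding]:
    """Unique advisories at or above the gate threshold; non-empty means block."""
    return sorted(f for f in unique_advisories(findings) if f.severity in fail_on)


def render(matrix: Dict[str, Dict[str, int]]) -> str:
    """Markdown table in the same layout as the summary above."""
    lines = ["| Ecosystem | " + " | ".join(SEVERITIES) + " | Total |",
             "|---" * (len(SEVERITIES) + 2) + "|"]
    for eco, row in matrix.items():
        cells = " | ".join(str(row[s]) for s in SEVERITIES)
        lines.append(f"| {eco} | {cells} | {row['Total']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    all_findings = parse_rows(NPM_ROWS, "npm") + parse_rows(CARGO_ROWS, "Cargo")
    print(render(severity_matrix(all_findings)))
    for f, n in unique_advisories(all_findings).most_common():
        print(f"{n:>2}x {f.severity:<8} {f.package:<18} {f.title}")
    raise SystemExit(1 if failing(all_findings) else 0)
```

Run as a script it prints the matrix and the per-advisory occurrence counts, and exits non-zero while any Critical or High advisory remains, which is the check a CI job would attach to a report like this one. The Info column is kept on purpose: the unmaintained and unsound crate warnings carry none of the Critical to Low labels, yet they are counted in the Cargo total, so dropping the column makes the totals look wrong.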
npm advisories (63)
| Severity | Package | Advisory |
|---|---|---|
| Critical | form-data | form-data uses unsafe random function in form-data for ch… |
| High | axios | Server-Side Request Forgery in axios |
| High | playwright | Playwright downloads and installs browsers without verify… |
| High | glob | glob CLI: Command injection via -c/--cmd executes matches… |
| High | axios | axios Requests Vulnerable To Possible SSRF and Credential… |
| High | jws | auth0/node-jws Improperly Verifies HMAC Signature |
| High | axios | Axios is vulnerable to DoS attack through lack of data si… |
| High | validator | Validator is Vulnerable to Incomplete Filtering of One or… |
| High | axios | Axios is Vulnerable to Denial of Service via `__proto__` Ke… |
| High | minimatch | minimatch has a ReDoS via repeated wildcards with non-mat… |
| High | minimatch | minimatch has a ReDoS via repeated wildcards with non-mat… |
| High | minimatch | minimatch has a ReDoS via repeated wildcards with non-mat… |
| High | minimatch | minimatch has a ReDoS via repeated wildcards with non-mat… |
| High | minimatch | minimatch has a ReDoS via repeated wildcards with non-mat… |
| High | rollup | Rollup 4 has Arbitrary File Write via Path Traversal |
| High | minimatch | minimatch has ReDoS: matchOne() combinatorial backtrackin… |
| High | minimatch | minimatch has ReDoS: matchOne() combinatorial backtrackin… |
| High | minimatch | minimatch has ReDoS: matchOne() combinatorial backtrackin… |
| High | minimatch | minimatch has ReDoS: matchOne() combinatorial backtrackin… |
| High | minimatch | minimatch has ReDoS: matchOne() combinatorial backtrackin… |
| High | minimatch | minimatch ReDoS: nested *() extglobs generate catastrophi… |
| High | minimatch | minimatch ReDoS: nested *() extglobs generate catastrophi… |
| High | minimatch | minimatch ReDoS: nested *() extglobs generate catastrophi… |
| High | minimatch | minimatch ReDoS: nested *() extglobs generate catastrophi… |
| High | minimatch | minimatch ReDoS: nested *() extglobs generate catastrophi… |
| High | koa | Koa has Host Header Injection via ctx.hostname |
| High | serialize-javascript | Serialize JavaScript is Vulnerable to RCE via RegExp.flag… |
| High | svgo | SVGO DoS through entity expansion in DOCTYPE (Billion Lau… |
| High | svgo | SVGO DoS through entity expansion in DOCTYPE (Billion Lau… |
| High | immutable | Immutable is vulnerable to Prototype Pollution |
| High | tar | tar has Hardlink Path Traversal via Drive-Relative Linkpath |
| High | tar | node-tar Symlink Path Traversal via Drive-Relative Linkpath |
| High | flatted | flatted vulnerable to unbounded recursion DoS in parse() … |
| High | undici | Undici has Unbounded Memory Consumption in WebSocket perm… |
| High | undici | Undici has Unhandled Exception in WebSocket Client Due to… |
| Medium | got | Got allows a redirect to a UNIX socket |
| Medium | validator | validator.js has a URL validation bypass vulnerability in… |
| Medium | vue-template-compiler | vue-template-compiler vulnerable to client-side Cross-Sit… |
| Medium | lodash-es | Lodash has Prototype Pollution Vulnerability in _.unset… |
| Medium | lodash | Lodash has Prototype Pollution Vulnerability in _.unset… |
| Medium | undici | Undici has an unbounded decompression chain in HTTP respo… |
| Medium | js-yaml | js-yaml has prototype pollution in merge (<<) |
| Medium | mdast-util-to-hast | mdast-util-to-hast has unsanitized class attribute |
| Medium | ajv | ajv has ReDoS when using $data option |
| Medium | ajv | ajv has ReDoS when using $data option |
| Medium | qs | qs’s arrayLimit bypass in its bracket notation allows DoS… |
| Medium | dompurify | DOMPurify contains a Cross-site Scripting vulnerability |
| Medium | dompurify | DOMPurify contains a Cross-site Scripting vulnerability |
| Medium | file-type | file-type affected by infinite loop in ASF parser on malf… |
| Medium | devalue | devalue has prototype pollution in devalue.parse and deva… |
| Medium | undici | Undici has an HTTP Request/Response Smuggling issue |
| Medium | undici | Undici has CRLF Injection in undici via upgrade option |
| Medium | yauzl | yauzl contains an off-by-one error |
| Low | brace-expansion | brace-expansion Regular Expression Denial of Service vuln… |
| Low | brace-expansion | brace-expansion Regular Expression Denial of Service vuln… |
| Low | on-headers | on-headers is vulnerable to http response header manipula… |
| Low | diff | jsdiff has a Denial of Service vulnerability in parsePatc… |
| Low | diff | jsdiff has a Denial of Service vulnerability in parsePatc… |
| Low | qs | qs’s arrayLimit bypass in comma parsing allows denial of … |
| Low | devalue | devalue affected by CPU and memory amplification from spa… |
| Low | devalue | devalue unevaled code can create objects with polluted … |
| Low | @tootallnate/once | @tootallnate/once vulnerable to Incorrect Control Flow Sc… |
| Low | devalue | Sveltejs devalue’s devalue.parse and `devalue.unflatten… |
Cargo advisories (31)
| Severity | Package | Advisory |
|---|---|---|
| Medium | curve25519-dalek | Timing variability in curve25519-dalek’s `Scalar29::sub… |
| Medium | ed25519-dalek | Double Public Key Signing Function Oracle Attack on `ed25… |
| Medium | rsa | Marvin Attack: potential key recovery through timing side… |
| Info | atk | gtk-rs GTK3 bindings - no longer maintained |
| Info | atk-sys | gtk-rs GTK3 bindings - no longer maintained |
| Info | atty | atty is unmaintained |
| Info | bincode | Bincode is unmaintained |
| Info | bincode | Bincode is unmaintained |
| Info | derivative | derivative is unmaintained; consider using an alternative |
| Info | fxhash | fxhash - no longer maintained |
| Info | gdk | gtk-rs GTK3 bindings - no longer maintained |
| Info | gdk-sys | gtk-rs GTK3 bindings - no longer maintained |
| Info | gdkwayland-sys | gtk-rs GTK3 bindings - no longer maintained |
| Info | gdkx11 | gtk-rs GTK3 bindings - no longer maintained |
| Info | gdkx11-sys | gtk-rs GTK3 bindings - no longer maintained |
| Info | gtk | gtk-rs GTK3 bindings - no longer maintained |
| Info | gtk-sys | gtk-rs GTK3 bindings - no longer maintained |
| Info | gtk3-macros | gtk-rs GTK3 bindings - no longer maintained |
| Info | number_prefix | number_prefix crate is unmaintained |
| Info | paste | paste - no longer maintained |
| Info | proc-macro-error | proc-macro-error is unmaintained |
| Info | rustls-pemfile | rustls-pemfile is unmaintained |
| Info | rustls-pemfile | rustls-pemfile is unmaintained |
| Info | serde_cbor | serde_cbor is unmaintained |
| Info | unic-char-property | unic-char-property is unmaintained |
| Info | unic-char-range | unic-char-range is unmaintained |
| Info | unic-common | unic-common is unmaintained |
| Info | unic-ucd-ident | unic-ucd-ident is unmaintained |
| Info | unic-ucd-version | unic-ucd-version is unmaintained |
| Info | atty | Potential unaligned read |
| Info | glib | Unsoundness in Iterator and DoubleEndedIterator impls… |
Auto-generated by ci-nx-security.yml