Skip to content

security: resolve critical and high severity vulnerabilities#76

Open
DeepDN wants to merge 2 commits into
credebl:mainfrom
DeepDN:security/fix-high-critical-vulnerabilities
Open

security: resolve critical and high severity vulnerabilities#76
DeepDN wants to merge 2 commits into
credebl:mainfrom
DeepDN:security/fix-high-critical-vulnerabilities

Conversation

@DeepDN
Copy link
Copy Markdown

@DeepDN DeepDN commented May 9, 2026

  • Add pnpm overrides to enforce secure package versions
  • Update @babel/core and @babel/traverse to fix CVE-2023-45133 (CRITICAL)
  • Update elliptic to 6.6.1 to fix GHSA-vjh7-7g9h-fjfh (CRITICAL)
  • Update fast-xml-parser to 4.5.5 to fix CVE-2026-25896 (CRITICAL)
  • Update form-data to 4.0.4 to fix CVE-2025-7783 (CRITICAL)
  • Update sha.js to 2.4.12 to fix CVE-2025-9288 (CRITICAL)
  • Update @xmldom/xmldom to 0.8.13 to fix multiple HIGH severity CVEs
  • Update axios to 1.8.2 to fix CVE-2025-27152 (HIGH)

All CRITICAL vulnerabilities resolved (0 remaining) HIGH vulnerabilities reduced from 61 to 39

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 9, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 6cbf7fe

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

DeepDN added 2 commits May 9, 2026 19:31
@DeepDN
security: resolve critical and high severity vulnerabilities
6920046 
- Add pnpm overrides to enforce secure package versions
- Update @babel/core and @babel/traverse to fix CVE-2023-45133 (CRITICAL)
- Update elliptic to 6.6.1 to fix GHSA-vjh7-7g9h-fjfh (CRITICAL)
- Update fast-xml-parser to 4.5.5 to fix CVE-2026-25896 (CRITICAL)
- Update form-data to 4.0.4 to fix CVE-2025-7783 (CRITICAL)
- Update sha.js to 2.4.12 to fix CVE-2025-9288 (CRITICAL)
- Update @xmldom/xmldom to 0.8.13 to fix multiple HIGH severity CVEs
- Update axios to 1.8.2 to fix CVE-2025-27152 (HIGH)

All CRITICAL vulnerabilities resolved (0 remaining)
HIGH vulnerabilities reduced from 61 to 39

Signed-off-by: DeepDN <nemadedeepak1111@gmail.com>
@DeepDN
fix: update dependencies to resolve 38 critical and high security vul…
6cbf7fe 
…nerabilities

- Update axios to 1.15.2 (fixes 6 CVEs)
- Update tar to 7.5.11 (fixes 9 CVEs)
- Update minimatch to 10.2.3 (fixes 6 CVEs)
- Update ws to 8.17.1 (fixes 2 CVEs)
- Update undici to 7.24.0 (fixes 2 CVEs)
- Update cross-spawn to 7.0.5 (fixes CVE-2024-21538)
- Update semver to 7.5.2 (fixes CVE-2022-25883)
- Update picomatch to 4.0.4 (fixes CVE-2026-33671)
- Update typeorm to 0.3.26 (fixes CVE-2025-60542)
- Update valibot to 1.2.0 (fixes CVE-2025-66020)
- Update validator to 13.15.22 (fixes CVE-2025-12758)
- Update Newtonsoft.Json to 13.0.1 (fixes CVE-2024-21907)
- Add ip override to 2.0.1 (CVE-2024-29415 remains - no fix available)

Signed-off-by: DeepDN <nemadedeepak1111@gmail.com>
@DeepDN DeepDN force-pushed the security/fix-high-critical-vulnerabilities branch from 42c31a1 to 6cbf7fe Compare May 9, 2026 14:01
@DeepakNemad DeepakNemad requested review from sairanjit and tusharbhayani and removed request for sairanjit May 11, 2026 06:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tusharbhayani tusharbhayani Awaiting requested review from tusharbhayani

Assignees

@DeepDN DeepDN

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DeepDN