fix(deps): vuln minor upgrades — 15 packages (minor: 7 · patch: 8) [rum-react-navigation]#83

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into `main` from `engraver-auto-version-upgrade/minorpatch/npm/rum-react-navigation/0-1781532304`

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • rum-react-navigation (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| vm2 | 3.9.14 | 3.11.5 | minor | Transitive | 31 CRITICAL, 5 HIGH, 7 MEDIUM, 1 LOW |
| fast-xml-parser | 4.1.3 | 4.5.6 | minor | Transitive | 2 CRITICAL, 6 HIGH, 3 MEDIUM, 2 LOW |
| simple-git | 3.16.0 | 3.36.0 | minor | Transitive | 2 CRITICAL, 2 HIGH |
| @babel/traverse | 7.20.13 | 7.29.7 | minor | Transitive | 2 CRITICAL |
| form-data | 3.0.0 | 3.0.5 | patch | Transitive | 2 CRITICAL |
| shell-quote | 1.8.0 | 1.8.4 | patch | Transitive | 1 CRITICAL |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| flatted | 3.2.7 | 3.4.2 | minor | Transitive | 4 HIGH |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| braces | 3.0.2 | 3.0.3 | patch | Transitive | 2 HIGH |
| cross-spawn | 6.0.5 | 6.0.6 | patch | Transitive | 2 HIGH |
| semver | 6.3.0 | 6.3.1 | patch | Transitive | 2 HIGH |
| ws | 6.2.2 | 6.2.4 | patch | Transitive | 2 HIGH |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| follow-redirects | 1.15.2 | 1.16.0 | minor | Transitive | 5 MEDIUM |

Security Details

🚨 Critical & High Severity (74 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @babel/traverse | CVE-2023-45133 | CRITICAL | Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code | 7.20.13 | - |
| @babel/traverse | GHSA-67hx-6x53-jw92 | CRITICAL | Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code | 7.20.13 | 7.23.2 |
| fast-xml-parser | GHSA-m7jm-9gc2-mpf2 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.1.3 | 5.3.5 |
| fast-xml-parser | CVE-2026-25896 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.1.3 | - |
| form-data | CVE-2025-7783 | CRITICAL | - | 3.0.0 | - |
| form-data | GHSA-fjxv-7rqg-78g4 | CRITICAL | form-data uses unsafe random function in form-data for choosing boundary | 3.0.0 | 2.5.4 |
| shell-quote | GHSA-w7jw-789q-3m8p | CRITICAL | shell-quote quote() does not escape newlines in object .op values | 1.8.0 | 1.8.4 |
| simple-git | GHSA-r275-fr43-pm7q | CRITICAL | simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE | 3.16.0 | 3.32.3 |
| simple-git | CVE-2026-28292 | CRITICAL | simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE | 3.16.0 | - |
| vm2 | GHSA-47x8-96vw-5wg6 | CRITICAL | vm2 Access to Host Object Enables Sandbox Escape | 3.9.14 | 3.11.0 |
| vm2 | GHSA-cchq-frgv-rjh5 | CRITICAL | vm2 Sandbox Escape vulnerability | 3.9.14 | 3.10.0 |
| vm2 | GHSA-55hx-c926-fr95 | CRITICAL | VM2 Has a Sandbox Escape Issue via SuppressedError | 3.9.14 | 3.11.0 |
| vm2 | GHSA-6j2x-vhqr-qr7q | CRITICAL | vm2 sandbox escape via JSPI-backed Promise .finally() species bypass | 3.9.14 | 3.11.4 |
| vm2 | GHSA-qvjj-29qf-hp7p | CRITICAL | VM2 Has Sandbox Breakout Through Promise Species | 3.9.14 | 3.10.5 |
| vm2 | CVE-2023-37903 | CRITICAL | Sandbox Escape in vm2 | 3.9.14 | - |
| vm2 | CVE-2026-22709 | CRITICAL | vm2 has a Sandbox Escape | 3.9.14 | - |
| vm2 | GHSA-99p7-6v5w-7xg8 | CRITICAL | vm2 has a Sandbox Escape | 3.9.14 | 3.10.2 |
| vm2 | GHSA-8hg8-63c5-gwmx | CRITICAL | vm2 NodeVM nesting: true bypasses require: false allowing sandbox escape and arbitrary OS command execution | 3.9.14 | 3.11.1 |
| vm2 | GHSA-9vg3-4rfj-wgcm | CRITICAL | vm2 has Sandbox Breakout Through Null Proto Exception | 3.9.14 | 3.11.2 |
| vm2 | GHSA-vwrp-x96c-mhwq | CRITICAL | vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape | 3.9.14 | 3.11.0 |
| vm2 | GHSA-76w7-j9cq-rx2j | CRITICAL | vm2 is Vulnerable to Sandbox Breakout Through Promise Species | 3.9.14 | 3.11.4 |
| vm2 | GHSA-v6mx-mf47-r5wg | CRITICAL | vm2 has a Sandbox Escape issue | 3.9.14 | 3.11.4 |
| vm2 | CVE-2023-29017 | CRITICAL | vm2 Sandbox Escape vulnerability | 3.9.14 | - |
| vm2 | GHSA-7jxr-cg7f-gpgv | CRITICAL | vm2 vulnerable to sandbox escape | 3.9.14 | 3.9.15 |
| vm2 | GHSA-rp36-8xq3-r6c4 | CRITICAL | NodeVM builtin denylist bypass via process and inspector/promises allows host code execution | 3.9.14 | 3.11.4 |
| vm2 | CVE-2023-37466 | CRITICAL | vm2 Sandbox Escape vulnerability | 3.9.14 | - |
| vm2 | GHSA-xj72-wvfv-8985 | CRITICAL | vm2 Sandbox Escape vulnerability | 3.9.14 | 3.9.16 |
| vm2 | GHSA-m4wx-m65x-ghrr | CRITICAL | vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE | 3.9.14 | 3.11.4 |
| vm2 | CVE-2023-32314 | CRITICAL | Sandbox Escape | 3.9.14 | - |
| vm2 | CVE-2023-30547 | CRITICAL | Sandbox Escape in vm2 | 3.9.14 | - |
| vm2 | GHSA-ch3r-j5x3-6q2m | CRITICAL | vm2 Sandbox Escape vulnerability | 3.9.14 | 3.9.17 |
| vm2 | GHSA-v37h-5mfm-c47c | CRITICAL | VM2 Has Sandbox Breakout Through Inspect Function | 3.9.14 | 3.11.0 |
| vm2 | GHSA-whpj-8f3w-67p5 | CRITICAL | vm2 Sandbox Escape vulnerability | 3.9.14 | 3.9.18 |
| vm2 | GHSA-grj5-jjm8-h35p | CRITICAL | VM2 Sandbox Breakout Through lookupGetter | 3.9.14 | 3.11.0 |
| vm2 | GHSA-9qj6-qjgg-37qq | CRITICAL | vm2 has sandbox breakout via neutralizeArraySpeciesBatch | 3.9.14 | 3.11.2 |
| vm2 | GHSA-248r-7h7q-cr24 | CRITICAL | vm2 Has a Sandbox Breakout Using Async Generator | 3.9.14 | 3.11.3 |
| vm2 | GHSA-qcp4-v2jj-fjx8 | CRITICAL | vm2 has a Sandbox Escape Vulnerability | 3.9.14 | 3.11.0 |
| vm2 | GHSA-ffh4-j6h5-pg66 | CRITICAL | VM2 Has a WASM Sandbox Escape | 3.9.14 | 3.10.5 |
| vm2 | CVE-2023-29199 | CRITICAL | vm2 Sandbox escape vulnerability | 3.9.14 | - |
| vm2 | GHSA-g644-9gfx-q4q4 | CRITICAL | vm2 Sandbox Escape vulnerability | 3.9.14 | - |
| braces | GHSA-grv7-fg5c-xmjg | HIGH | Uncontrolled resource consumption in braces | 3.0.2 | 3.0.3 |
| braces | CVE-2024-4068 | HIGH | - | 3.0.2 | - |
| cross-spawn | GHSA-3xgq-45jj-v275 | HIGH | Regular Expression Denial of Service (ReDoS) in cross-spawn | 6.0.5 | 7.0.5 |
| cross-spawn | CVE-2024-21538 | HIGH | - | 6.0.5 | - |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.1.3 | 5.5.6 |
| fast-xml-parser | GHSA-6w63-h3fj-q4vw | HIGH | fast-xml-parser vulnerable to Regex Injection via Doctype Entities | 4.1.3 | 4.2.4 |
| fast-xml-parser | CVE-2023-34104 | HIGH | Regex Injection via Doctype Entities | 4.1.3 | - |
| fast-xml-parser | CVE-2026-26278 | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.1.3 | - |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.1.3 | - |
| fast-xml-parser | GHSA-jmr7-xgp7-cmfj | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.1.3 | 4.5.4 |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.2.7 | 3.4.2 |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.2.7 | - |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.2.7 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.2.7 | 3.4.0 |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
| semver | GHSA-c2qf-rxjj-qqgw | HIGH | semver vulnerable to Regular Expression Denial of Service | 6.3.0 | 7.5.2 |
| semver | CVE-2022-25883 | HIGH | - | 6.3.0 | - |
| simple-git | GHSA-hffm-xvc3-vprc | HIGH | simple-git is vulnerable to Remote Code Execution | 3.16.0 | 3.36.0 |
| simple-git | GHSA-jcxm-m3jx-f287 | HIGH | simple-git Affected by Command Execution via Option-Parsing Bypass | 3.16.0 | 3.32.0 |
| vm2 | GHSA-6785-pvv7-mvg7 | HIGH | vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion | 3.9.14 | 3.11.0 |
| vm2 | GHSA-hw58-p9xv-2mjh | HIGH | vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) | 3.9.14 | 3.11.0 |
| vm2 | GHSA-m5q2-4fm3-vfqp | HIGH | vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks | 3.9.14 | 3.11.4 |
| vm2 | GHSA-c4cf-2hgv-2qv6 | HIGH | vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain | 3.9.14 | 3.11.4 |
| vm2 | GHSA-r9pm-gxmw-wv6p | HIGH | NodeVM network builtin exclusions bypass via internal _http_client and _http_server | 3.9.14 | 3.11.4 |
| ws | GHSA-3h5v-q93c-6h6q | HIGH | ws affected by a DoS when handling a request with many HTTP headers | 6.2.2 | 5.2.4 |
| ws | CVE-2024-37890 | HIGH | Denial of service when handling a request with many HTTP headers in ws | 6.2.2 | - |
ℹ️ Other Vulnerabilities (23)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 4.1.3 | - |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 4.1.3 | 4.5.5 |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 4.1.3 | 5.7.0 |
| follow-redirects | CVE-2023-26159 | MODERATE | - | 1.15.2 | - |
| follow-redirects | GHSA-r4q5-vmmm-2653 | MODERATE | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets | 1.15.2 | 1.16.0 |
| follow-redirects | GHSA-cxjh-pqwp-8mfp | MODERATE | follow-redirects' Proxy-Authorization header kept across hosts | 1.15.2 | 1.15.6 |
| follow-redirects | GHSA-jchw-25xp-jwwc | MODERATE | Follow Redirects improperly handles URLs in the url.parse() function | 1.15.2 | 1.15.4 |
| follow-redirects | CVE-2024-28849 | MODERATE | Proxy-Authorization header kept across hosts in follow-redirects | 1.15.2 | - |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| vm2 | GHSA-wp5r-2gw5-m7q7 | MODERATE | vm2's Transformer Fast-Path Bypass Exposes Internal State Variable | 3.9.14 | 3.11.0 |
| vm2 | GHSA-mpf8-4hx2-7cjg | MODERATE | vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary | 3.9.14 | 3.11.0 |
| vm2 | GHSA-2cm2-m3w5-gp2f | MODERATE | vm2 has access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL | 3.9.14 | 3.11.2 |
| vm2 | GHSA-v27g-jcqj-v8rw | MODERATE | vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak | 3.9.14 | 3.11.0 |
| vm2 | GHSA-9g8x-92q2-p28f | MODERATE | NodeVM observability builtins leak host process and HTTP request data | 3.9.14 | 3.11.4 |
| vm2 | CVE-2023-32313 | MODERATE | Inspect method manipulation in vm2 | 3.9.14 | - |
| vm2 | GHSA-p5gc-c584-jj6v | MODERATE | vm2 vulnerable to Inspect Manipulation | 3.9.14 | 3.9.18 |
| fast-xml-parser | CVE-2026-27942 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.1.3 | - |
| fast-xml-parser | GHSA-fj3w-jwp8-x2g3 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.1.3 | 5.3.8 |
| vm2 | GHSA-q3fm-4wcw-g57x | LOW | vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter | 3.9.14 | 3.11.4 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
