
[PM-32833] Remove Input Password Flag from SetInitialPasswordComponent #20246

Merged
rr-bw merged 8 commits into auth/pm-32833/remove-input-password-flag-base from auth/pm-32833/set-initial-password
Apr 21, 2026

Conversation

@rr-bw
Contributor

@rr-bw rr-bw commented Apr 17, 2026

🎟️ Tracking

PM-32833

📔 Objective

This PR removes the pm-27086-update-authentication-apis-for-input-password feature flag usage from the SetInitialPasswordComponent and related files.


Note

This PR is part of a larger group of PRs (split up for easier review) that will each get merged into a base branch for this flag removal work: auth/pm-32833/remove-input-password-flag-base. That base branch is the one that will get merged to main.

Breakdown of branching structure:

main
 └── auth/pm-32833/remove-input-password-flag-base  ← targets main; accumulates sub-PRs
     ├── auth/pm-32833/registration-finish            ← targets base
     ├── auth/pm-32833/set-initial-password           ← targets base [THIS PR 🟢]
     ├── auth/pm-32833/change-password                ← targets base
     ├── auth/pm-32833/emergency-access               ← targets base
     ├── auth/pm-32833/account-recovery               ← targets base
     └── auth/pm-32833/input-password-component       ← targets base; reviewed LAST

@rr-bw rr-bw changed the base branch from main to auth/pm-32833/remove-input-password-flag-base April 17, 2026 20:17
@codecov

codecov Bot commented Apr 17, 2026

Codecov Report

❌ Patch coverage is 0% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.96%. Comparing base (f0f358c) to head (7a82280).
⚠️ Report is 1 commits behind head on auth/pm-32833/remove-input-password-flag-base.
✅ All tests successful. No failed tests found.

Files with missing lines | Patch % | Lines
...initial-password/set-initial-password.component.ts | 0.00% | 11 Missing ⚠️
Additional details and impacted files
@@                              Coverage Diff                               @@
##           auth/pm-32833/remove-input-password-flag-base   #20246   +/-   ##
==============================================================================
  Coverage                                          46.95%   46.96%           
==============================================================================
  Files                                               3911     3911           
  Lines                                             118349   118308   -41     
  Branches                                           18109    18102    -7     
==============================================================================
- Hits                                               55572    55562   -10     
+ Misses                                             58604    58573   -31     
  Partials                                            4173     4173           

☔ View full report in Codecov by Sentry.

@github-actions
Contributor

github-actions Bot commented Apr 17, 2026

Checkmarx One – Scan Summary & Details (scan 729cd202-d0d2-46a8-a721-aee235de1bcb)

New Issues (193): Checkmarx found the following issues in this Pull Request. Columns: # | Severity | Issue | Source File / Package | Checkmarx Insight

1. CRITICAL | CVE-2024-40643 | Npm-htmlparser2-3.10.1 | Recommended version: 5.0.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: Joplin is a free, open-source note-taking and to-do application. Joplin fails to consider that "<" followed by a non-letter character will not be c...
2. CRITICAL | CVE-2026-0905 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: Insufficient policy enforcement in the Network in Google Chrome prior to 144.0.7559.59 allowed an attacker who obtained a network log file to poten...
3. CRITICAL | CVE-2026-0906 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) ...
4. CRITICAL | CVE-2026-0907 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
5. CRITICAL | CVE-2026-1525 | Npm-undici-7.16.0 | Recommended version: 7.24.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: Undici versions prior to 6.24.0 and 7.0.x prior to 7.24.0 allow duplicate HTTP Content-Length headers when they are provided in an array with case-v...
6. CRITICAL | CVE-2026-25547 | Npm-@isaacs/brace-expansion-5.0.0 | Recommended version: 5.0.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a ...
7. CRITICAL | CVE-2026-3061 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: Out-of-bounds Read in Media in Google Chrome prior to 145.0.7632.116 allowed a remote attacker to perform an out of bounds memory read via a crafte...
8. CRITICAL | CVE-2026-3062 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: Out-of-bounds Read and write in Tint in Google Chrome on Mac prior to 145.0.7632.116 allowed a remote attacker to perform out of bounds memory acce...
9. CRITICAL | CVE-2026-33896 | Npm-node-forge-1.3.2 | Recommended version: 1.4.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
   Description: `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstr...
10. CRITICAL | CVE-2026-3545 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Insufficient data validation in Navigation in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform a sandbox esca...
11. CRITICAL | CVE-2026-3916 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Out-of-bounds Read in Web Speech in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to potentially perform a sandbox escape via a cr...
12. CRITICAL | CVE-2026-4800 | Npm-lodash-4.17.21 | Recommended version: 4.18.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na...
13. CRITICAL | CVE-2026-5288 | Npm-electron-39.8.5 | Recommended version: 41.2.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to...
14. HIGH | Absolute_Path_Traversal | apps/cli/src/oss-serve-configurator.ts: 328
    Details: Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows ...
15. HIGH | Absolute_Path_Traversal | apps/cli/src/oss-serve-configurator.ts: 360
    Details: Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows ...
16. HIGH | Absolute_Path_Traversal | apps/cli/src/oss-serve-configurator.ts: 328
    Details: Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows ...
17. HIGH | Absolute_Path_Traversal | apps/cli/src/oss-serve-configurator.ts: 360
    Details: Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows ...
18. HIGH | CVE-2025-13630 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
19. HIGH | CVE-2025-14174 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory acce...
20. HIGH | CVE-2025-14765 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HT...
21. HIGH | CVE-2025-14766 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a ...
22. HIGH | CVE-2025-59343 | Npm-tar-fs-2.1.3 | Recommended version: 2.1.4 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d...
23. HIGH | CVE-2025-64756 | Npm-glob-11.0.3 | Recommended version: 11.1.0 | Attack Vector: NETWORK | Attack Complexity: HIGH | Vulnerable Package
    Description: Glob matches files using patterns the shell uses. In versions 10.2.0 prior to 10.5.0 and 11.0.0 prior to 11.1.0, the glob CLI contains a command in...
24. HIGH | CVE-2025-64756 | Npm-glob-10.4.5 | Recommended version: 10.5.0 | Attack Vector: NETWORK | Attack Complexity: HIGH | Vulnerable Package
    Description: Glob matches files using patterns the shell uses. In versions 10.2.0 prior to 10.5.0 and 11.0.0 prior to 11.1.0, the glob CLI contains a command in...
25. HIGH | CVE-2025-66414 | Npm-@modelcontextprotocol/sdk-1.17.3 | Recommended version: 1.26.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP)...
26. HIGH | CVE-2026-0621 | Npm-@modelcontextprotocol/sdk-1.17.3 | Recommended version: 1.26.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Anthropic's MCP TypeScript SDK versions through 1.25.1 contain a Regular Expression Denial-of-Service (ReDoS) vulnerability in the "UriTemplate" cl...
27. HIGH | CVE-2026-0899 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a ...
28. HIGH | CVE-2026-0900 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a...
29. HIGH | CVE-2026-0902 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a ...
30. HIGH | CVE-2026-0908 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Use-after-free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...
31. HIGH | CVE-2026-1526 | Npm-undici-7.16.0 | Recommended version: 7.24.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. W...
32. HIGH | CVE-2026-1528 | Npm-undici-7.16.0 | Recommended version: 7.24.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal ...
33. HIGH | CVE-2026-1862 | Npm-electron-39.8.5 | Recommended version: 40.9.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML p...
34. HIGH | CVE-2026-22036 | Npm-undici-7.16.0 | Recommended version: 7.24.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Undici is an HTTP/1.1 client for Node.js. In Undici versions prior to 6.23.0 and 7.x prior to 7.18.2, the number of links in the decompression chai...
35. HIGH | CVE-2026-2229 | Npm-undici-7.16.0 | Recommended version: 7.24.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in...
36. HIGH | CVE-2026-2313 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Use After Free in CSS in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML p...
37. HIGH | CVE-2026-2314 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Heap Buffer Overflow in Codecs in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially exploit heap corruption via a craft...
38. HIGH | CVE-2026-2315 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Inappropriate implementation in WebGPU in Google Chrome prior to 145.0.7632.45 allowed a remote attacker to potentially perform out of bounds memor...
39. HIGH | CVE-2026-2319 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: HIGH | Vulnerable Package
    Description: Race in DevTools in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures and insta...
40. HIGH | CVE-2026-2321 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Use after free in Ozone in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to...
41. HIGH | CVE-2026-23745 | Npm-tar-7.4.3 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent...
42. HIGH | CVE-2026-23745 | Npm-tar-6.2.1 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent...
43. HIGH | CVE-2026-23745 | Npm-tar-7.5.2 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent...
44. HIGH | CVE-2026-2441 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Use After Free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HT...
45. HIGH | CVE-2026-24842 | Npm-tar-7.4.3 | Recommended version: 7.5.11 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ...
46. HIGH | CVE-2026-24842 | Npm-tar-6.2.1 | Recommended version: 7.5.11 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ...
47. HIGH | CVE-2026-24842 | Npm-tar-7.5.2 | Recommended version: 7.5.11 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ...
48. HIGH | CVE-2026-25536 | Npm-@modelcontextprotocol/sdk-1.17.3 | Recommended version: 1.26.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 through 1.25.3, cross-client ...
49. HIGH | CVE-2026-25639 | Npm-axios-1.13.2 | Recommended version: 1.15.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when ...
50. HIGH | CVE-2026-2648 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Heap Buffer Overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a cr...
51. HIGH | CVE-2026-2649 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Integer Overflow in V8 in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML...
52. HIGH | CVE-2026-2650 | Npm-electron-39.8.5 | Recommended version: 39.8.8 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Heap Buffer Overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a craft...
53. HIGH | CVE-2026-26960 | Npm-tar-6.2.1 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: "tar.extract()" in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outsid...
54. HIGH | CVE-2026-26960 | Npm-tar-7.4.3 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: "tar.extract()" in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outsid...
55. HIGH | CVE-2026-26960 | Npm-tar-7.5.2 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: "tar.extract()" in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outsid...
56. HIGH | CVE-2026-26996 | Npm-minimatch-10.0.3 | Recommended version: 10.2.3 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
57. HIGH | CVE-2026-26996 | Npm-minimatch-3.1.2 | Recommended version: 3.1.4 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
58. HIGH | CVE-2026-26996 | Npm-minimatch-5.1.6 | Recommended version: 5.1.8 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
59. HIGH | CVE-2026-26996 | Npm-minimatch-10.1.1 | Recommended version: 10.2.3 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
60. HIGH | CVE-2026-27606 | Npm-rollup-4.52.3 | Recommended version: 4.59.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ...
61. HIGH | CVE-2026-27903 | Npm-minimatch-5.1.6 | Recommended version: 5.1.8 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
62. HIGH | CVE-2026-27903 | Npm-minimatch-10.1.1 | Recommended version: 10.2.3 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
63. HIGH | CVE-2026-27903 | Npm-minimatch-10.0.3 | Recommended version: 10.2.3 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
64. HIGH | CVE-2026-27903 | Npm-minimatch-3.1.2 | Recommended version: 3.1.4 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
65. HIGH | CVE-2026-27904 | Npm-minimatch-10.1.1 | Recommended version: 10.2.3 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
66. HIGH | CVE-2026-27904 | Npm-minimatch-10.0.3 | Recommended version: 10.2.3 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
67. HIGH | CVE-2026-27904 | Npm-minimatch-5.1.6 | Recommended version: 5.1.8 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
68. HIGH | CVE-2026-27904 | Npm-minimatch-3.1.2 | Recommended version: 3.1.4 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
69. HIGH | CVE-2026-29063 | Npm-immutable-5.1.3 | Recommended version: 5.1.5 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Immutable.js provides many Persistent Immutable data structures. 3.x prior to versions 3.8.3, 4.x prior to versions 4.3.7, and 5.x prior to versio...
70. HIGH | CVE-2026-29074 | Npm-svgo-3.3.2 | Recommended version: 3.3.3 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: SVGO is a Node.js library and command-line application for optimizing SVG files. Versions 2.1.0 through 2.8.0, 3.0.0 through 3.3.2, and versions pr...
71. HIGH | CVE-2026-29786 | Npm-tar-7.5.9 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extractio...
72. HIGH | CVE-2026-29786 | Npm-tar-7.5.2 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extractio...
73. HIGH | CVE-2026-29786 | Npm-tar-6.2.1 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extractio...
74. HIGH | CVE-2026-29786 | Npm-tar-7.4.3 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extractio...
75. HIGH | CVE-2026-31802 | Npm-tar-7.5.9 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extr...
76. HIGH | CVE-2026-31802 | Npm-tar-7.5.2 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extr...
77. HIGH | CVE-2026-31802 | Npm-tar-7.4.3 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extr...
78. HIGH | CVE-2026-31802 | Npm-tar-6.2.1 | Recommended version: 7.5.11 | Attack Vector: LOCAL | Attack Complexity: LOW | Vulnerable Package
    Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extr...
79. HIGH | CVE-2026-32141 | Npm-flatted-3.3.3 | Recommended version: 3.4.2 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's "parse()" function uses a recursive "revive()" phase to resolve circular references in...
80. HIGH | CVE-2026-33228 | Npm-flatted-3.3.3 | Recommended version: 3.4.2 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t...
81. HIGH | CVE-2026-33671 | Npm-picomatch-4.0.2 | Recommended version: 4.0.4 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi...
82. HIGH | CVE-2026-33671 | Npm-picomatch-2.3.1 | Recommended version: 2.3.2 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi...
83. HIGH | CVE-2026-33671 | Npm-picomatch-4.0.3 | Recommended version: 4.0.4 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi...
84. HIGH | CVE-2026-33891 | Npm-node-forge-1.3.2 | Recommended version: 1.4.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: A Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the "BigInteger.modInverse()" function (inherit...
85. HIGH | CVE-2026-33894 | Npm-node-forge-1.3.2 | Recommended version: 1.4.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 s...
86. HIGH | CVE-2026-33895 | Npm-node-forge-1.3.2 | Recommended version: 1.4.0 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid s...
87. HIGH | CVE-2026-34043 | Npm-serialize-javascript-7.0.4 | Recommended version: 7.0.5 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D...
88. HIGH | CVE-2026-34043 | Npm-serialize-javascript-6.0.2 | Recommended version: 7.0.5 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D...
89. HIGH | CVE-2026-34601 | Npm-@xmldom/xmldom-0.7.13 | Recommended version: 0.8.12 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions through 0.6.0 and ...
90. HIGH | CVE-2026-34601 | Npm-@xmldom/xmldom-0.8.11 | Recommended version: 0.8.12 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions through 0.6.0 and ...
91. HIGH | CVE-2026-3536 | Npm-electron-39.8.5 | Recommended version: 41.1.1 | Attack Vector: NETWORK | Attack Complexity: LOW | Vulnerable Package
    Description: Integer overflow in ANGLE in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via...

More results are available on the CxOne platform

@rr-bw rr-bw force-pushed the auth/pm-32833/set-initial-password branch from 58d8e82 to e166cec Compare April 20, 2026 15:16
@rr-bw rr-bw added the ai-review Request a Claude code review label Apr 20, 2026
@rr-bw rr-bw force-pushed the auth/pm-32833/set-initial-password branch from e166cec to 3c6c126 Compare April 20, 2026 21:40
@github-actions
Contributor

github-actions Bot commented Apr 20, 2026

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR removes the pm-27086-update-authentication-apis-for-input-password feature flag from SetInitialPasswordComponent, deletes the deprecated setInitialPasswordTdeOffboardingOld method and its SetInitialPasswordTdeOffboardingCredentialsOld interface, and refreshes deprecation JSDoc comments to point to their successor methods. The component now unconditionally calls the new setInitialPasswordTdeUserWithPermission and setInitialPasswordTdeOffboarding flows, while retaining the JIT MP user branch that still depends on newMasterKey/newServerMasterKeyHash until PM-32526 migrates that flow to MasterPasswordAuthenticationData/MasterPasswordUnlockData. I confirmed that InputPasswordComponent emits newPassword, salt, kdfConfig, and newPasswordHint in both the flag-on and flag-off emission paths, so the TDE and Offboarding flows are safe across flag states, and a codebase-wide search confirmed no remaining references to the deleted old symbols.

Code Review Details

No findings.

@rr-bw rr-bw removed the ai-review Request a Claude code review label Apr 20, 2026

@rr-bw rr-bw marked this pull request as ready for review April 20, 2026 22:13
@rr-bw rr-bw requested a review from a team as a code owner April 20, 2026 22:13
@rr-bw rr-bw requested a review from enmande April 20, 2026 22:13
@rr-bw rr-bw merged commit 7463f40 into auth/pm-32833/remove-input-password-flag-base Apr 21, 2026
131 of 133 checks passed
@rr-bw rr-bw deleted the auth/pm-32833/set-initial-password branch April 21, 2026 16:32
