chore(monorepo): update pnpm.catalog.default minimatch to v10.2.3 [security] #210

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-minimatch-vulnerability

ef90e24
GitHub Advanced Security / Trivy failed Jun 11, 2026 in 3s

168 new alerts including 3 critical severity security vulnerabilities

New alerts in code changed by this pull request

Security Alerts:

  • 3 critical
  • 81 high
  • 67 medium
  • 17 low

Alerts not introduced by this pull request might have been detected because the code changes were too large.

See annotations below for details.

Annotations

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

Vite: Vite: Information disclosure via WebSocket connection bypasses access control High

Package: vite
Installed Version: 6.3.6
Vulnerability CVE-2026-39363
Severity: HIGH
Fixed Version: 8.0.5, 7.3.2, 6.4.2
Link: CVE-2026-39363

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2026-33896
Severity: HIGH
Fixed Version: 1.4.0
Link: CVE-2026-33896

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2026-33895
Severity: HIGH
Fixed Version: 1.4.0
Link: CVE-2026-33895

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2026-33894
Severity: HIGH
Fixed Version: 1.4.0
Link: CVE-2026-33894

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-forge: node-forge: Denial of Service via infinite loop in BigInteger.modInverse() High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2026-33891
Severity: HIGH
Fixed Version: 1.4.0
Link: CVE-2026-33891

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-forge: node-forge ASN.1 Unbounded Recursion High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2025-66031
Severity: HIGH
Fixed Version: 1.3.2
Link: CVE-2025-66031

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-forge: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications High

Package: node-forge
Installed Version: 1.3.1
Vulnerability CVE-2025-12816
Severity: HIGH
Fixed Version: 1.3.2
Link: CVE-2025-12816

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions High

Package: minimatch
Installed Version: 5.1.6
Vulnerability CVE-2026-27904
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
Link: CVE-2026-27904

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns High

Package: minimatch
Installed Version: 5.1.6
Vulnerability CVE-2026-27903
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
Link: CVE-2026-27903

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: minimatch: Denial of Service via specially crafted glob patterns High

Package: minimatch
Installed Version: 5.1.6
Vulnerability CVE-2026-26996
Severity: HIGH
Fixed Version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
Link: CVE-2026-26996

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions High

Package: minimatch
Installed Version: 3.1.2
Vulnerability CVE-2026-27904
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
Link: CVE-2026-27904

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns High

Package: minimatch
Installed Version: 3.1.2
Vulnerability CVE-2026-27903
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
Link: CVE-2026-27903

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: minimatch: Denial of Service via specially crafted glob patterns High

Package: minimatch
Installed Version: 3.1.2
Vulnerability CVE-2026-26996
Severity: HIGH
Fixed Version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
Link: CVE-2026-26996

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions High

Package: minimatch
Installed Version: 10.0.3
Vulnerability CVE-2026-27904
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
Link: CVE-2026-27904

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns High

Package: minimatch
Installed Version: 10.0.3
Vulnerability CVE-2026-27903
Severity: HIGH
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
Link: CVE-2026-27903

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

minimatch: minimatch: Denial of Service via specially crafted glob patterns High

Package: minimatch
Installed Version: 10.0.3
Vulnerability CVE-2026-26996
Severity: HIGH
Fixed Version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
Link: CVE-2026-26996

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

lodash: lodash: Arbitrary code execution via untrusted input in template imports High

Package: lodash
Installed Version: 4.17.21
Vulnerability CVE-2026-4800
Severity: HIGH
Fixed Version: 4.18.0
Link: CVE-2026-4800

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-jws: auth0/node-jws: Improper signature verification in HS256 algorithm High

Package: jws
Installed Version: 3.2.2
Vulnerability CVE-2025-65945
Severity: HIGH
Fixed Version: 3.2.3, 4.0.1
Link: CVE-2025-65945

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw High

Package: handlebars
Installed Version: 4.7.8
Vulnerability CVE-2026-33941
Severity: HIGH
Fixed Version: 4.7.9
Link: CVE-2026-33941

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements High

Package: validator
Installed Version: 13.12.0
Vulnerability CVE-2025-12758
Severity: HIGH
Fixed Version: 13.15.22
Link: CVE-2025-12758

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter High

Package: undici
Installed Version: 7.16.0
Vulnerability CVE-2026-2229
Severity: HIGH
Fixed Version: 6.24.0, 7.24.0
Link: CVE-2026-2229

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

undici: undici: Denial of Service via crafted WebSocket frame with large length High

Package: undici
Installed Version: 7.16.0
Vulnerability CVE-2026-1528
Severity: HIGH
Fixed Version: 6.24.0, 7.24.0
Link: CVE-2026-1528

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression High

Package: undici
Installed Version: 7.16.0
Vulnerability CVE-2026-1526
Severity: HIGH
Fixed Version: 6.24.0, 7.24.0
Link: CVE-2026-1526

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

tar: tar: File overwrite via drive-relative symlink traversal High

Package: tar
Installed Version: 6.2.1
Vulnerability CVE-2026-31802
Severity: HIGH
Fixed Version: 7.5.11
Link: CVE-2026-31802

Check failure on line 1 in pnpm-lock.yaml

Code scanning / Trivy

node-tar: hardlink path traversal via drive-relative linkpath High

Package: tar
Installed Version: 6.2.1
Vulnerability CVE-2026-29786
Severity: HIGH
Fixed Version: 7.5.10
Link: CVE-2026-29786