
[Security] npm dependencies contain vulnerabilities including 1 critical — npm audit fix recommended #55

@sebastian-works

Description

npm audit report

@protobufjs/utf8 <=1.1.0
Severity: moderate
protobufjs has overlong UTF-8 decoding - GHSA-q6x5-8v7m-xcrf
fix available via npm audit fix
node_modules/@protobufjs/utf8

ajv <6.14.0
Severity: moderate
ajv has ReDoS when using $data option - GHSA-2g4f-4pwh-qvx6
fix available via npm audit fix
node_modules/ajv

axios 1.0.0 - 1.15.1
Severity: high
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - GHSA-3p68-rc4w-qgx5
Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy - GHSA-w9j2-pvgh-6h63
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 - GHSA-pmwg-cvhr-8vh7
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver - GHSA-3w6x-2g7m-8v23
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams - GHSA-xhjh-pmcv-23jw
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream - GHSA-445q-vr5w-6q77
Axios: no_proxy bypass via IP alias allows SSRF - GHSA-m7pr-hjqh-92cm
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data - GHSA-62hf-57xw-28j9
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 - GHSA-5c9x-8gcm-mpgx
Axios: HTTP adapter streamed responses bypass maxContentLength - GHSA-vf2m-468p-8v99
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - GHSA-pf86-5x62-jrwf
Axios: Header Injection via Prototype Pollution - GHSA-6chq-wfr3-2hj9
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion - GHSA-xx6v-rp6x-q39c
Axios is Vulnerable to Denial of Service via proto Key in mergeConfig - GHSA-43fc-jf86-j433
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - GHSA-q8qp-cvcw-x6jj
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - GHSA-fvcv-3m26-pcqx
fix available via npm audit fix
node_modules/axios

brace-expansion <1.1.13 || >=2.0.0 <2.0.3
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
fix available via npm audit fix
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint-plugin-import/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion

defu <=6.1.4
Severity: high
defu: Prototype pollution via __proto__ key in defaults argument - GHSA-737v-mqg7-c878
fix available via npm audit fix
node_modules/defu

dompurify <=3.3.3
Severity: moderate
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation - GHSA-39q2-94rc-95cp
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) - GHSA-h7mw-gpvr-xq4m
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode - GHSA-crv5-9vww-q3g8
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback - GHSA-v9jr-rg53-9pgp
fix available via npm audit fix
node_modules/dompurify

flatted <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - GHSA-rf6f-7fwh-wjgh
fix available via npm audit fix
node_modules/flatted

follow-redirects <=1.15.11
Severity: moderate
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets - GHSA-r4q5-vmmm-2653
fix available via npm audit fix
node_modules/follow-redirects

lodash <=4.17.23
Severity: high
Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions - GHSA-xxjr-mmjv-4gpg
lodash vulnerable to Code Injection via _.template imports key names - GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit - GHSA-f23m-r3pf-42rh
fix available via npm audit fix
node_modules/lodash

lodash-es <=4.17.23
Severity: high
lodash vulnerable to Code Injection via _.template imports key names - GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit - GHSA-f23m-r3pf-42rh
fix available via npm audit fix
node_modules/lodash-es

minimatch <=3.1.3 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - GHSA-23c5-xmqv-rm74
fix available via npm audit fix
node_modules/@eslint/config-array/node_modules/minimatch
node_modules/@eslint/eslintrc/node_modules/minimatch
node_modules/eslint-plugin-import/node_modules/minimatch
node_modules/eslint/node_modules/minimatch
node_modules/minimatch

picomatch <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
fix available via npm audit fix
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch

postcss <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - GHSA-qx2v-qp2m-jg93
fix available via npm audit fix
node_modules/postcss

protobufjs <=7.5.7
Severity: critical
Arbitrary code execution in protobufjs - GHSA-xq3m-2v4x-88gg
protobuf.js: Code injection through bytes field defaults in generated toObject code - GHSA-66ff-xgx4-vchm
protobuf.js: Denial of service from crafted field names in generated code - GHSA-2pr8-phx7-x9h3
protobuf.js: Prototype injection in generated message constructors - GHSA-fx83-v9x8-x52w
protobuf.js: Code generation gadget after prototype pollution - GHSA-75px-5xx7-5xc7
protobuf.js: Process-wide denial of service through unsafe option paths - GHSA-jvwf-75h9-cwgg
protobuf.js: Denial of service through unbounded protobuf recursion - GHSA-685m-2w69-288q
protobufjs has overlong UTF-8 decoding - GHSA-q6x5-8v7m-xcrf
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion - GHSA-jggg-4jg4-v7c6
fix available via npm audit fix
node_modules/protobufjs

protocol-buffers-schema <3.6.1
Severity: moderate
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution - GHSA-j452-xhg8-qg39
fix available via npm audit fix
node_modules/protocol-buffers-schema

rollup 4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - GHSA-mw96-cpmx-2vgc
fix available via npm audit fix
node_modules/rollup

socket.io-parser 4.0.0 - 4.2.5
Severity: high
socket.io allows an unbounded number of binary attachments - GHSA-677m-j7p3-52f9
fix available via npm audit fix
node_modules/socket.io-parser

vite 7.0.0 - 7.3.1
Severity: high
Vite Vulnerable to Path Traversal in Optimized Deps .map Handling - GHSA-4w7w-66w2-5vf9
Vite: server.fs.deny bypassed with queries - GHSA-v2wj-q39q-566r
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - GHSA-p9ff-h696-f583
fix available via npm audit fix
node_modules/vite

ws 8.0.0 - 8.20.0
Severity: moderate
ws: Uninitialized memory disclosure - GHSA-58qx-3vcg-4xpx
fix available via npm audit fix
node_modules/ws
  engine.io-client 0.7.0 || 0.7.8 - 0.7.9 || 6.0.0 - 6.6.4
  Depends on vulnerable versions of ws
  node_modules/engine.io-client

20 vulnerabilities (9 moderate, 10 high, 1 critical)

To address all issues, run:
npm audit fix
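The human-readable summary above does not say which of the 20 findings `npm audit fix` can actually apply on its own: npm only auto-applies fixes that stay within the installed semver range, and a fix that needs a major bump is skipped unless you pass `--force`. The script below is an added example, not code from this issue or from the project it was filed against. It reads the machine-readable form of the same report (`npm audit --json`, audit report version 2 as emitted by npm 7 and later) and splits the findings at or above a severity threshold into "auto-fixable", "needs a semver-major bump" and "no fix". The embedded report is constructed from three of the entries in the issue (ws, engine.io-client, protobufjs); the `fixAvailable` object on protobufjs is a hypothetical value, present only to exercise the semver-major branch, and says nothing about the real fix for that advisory.

```javascript
// Added example (not from the issue or the project): triage an
// `npm audit --json` report (auditReportVersion 2) for a CI gate.

// CONSTRUCTED sample report, built from three entries of the issue above.
// The `fixAvailable` object on protobufjs is HYPOTHETICAL, used only to show
// what a fix needing a semver-major upgrade looks like.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: {
      name: 'ws', severity: 'moderate', isDirect: false,
      via: [{ source: 1, name: 'ws', dependency: 'ws',
        title: 'ws: Uninitialized memory disclosure',
        url: 'https://github.com/advisories/GHSA-58qx-3vcg-4xpx',
        severity: 'moderate', range: '8.0.0 - 8.20.0' }],
      effects: ['engine.io-client'], range: '8.0.0 - 8.20.0',
      nodes: ['node_modules/ws'], fixAvailable: true,
    },
    'engine.io-client': {
      name: 'engine.io-client', severity: 'moderate', isDirect: false,
      via: ['ws'],            // a string entry: inherited from ws, no advisory of its own
      effects: [], range: '0.7.0 || 0.7.8 - 0.7.9 || 6.0.0 - 6.6.4',
      nodes: ['node_modules/engine.io-client'], fixAvailable: true,
    },
    protobufjs: {
      name: 'protobufjs', severity: 'critical', isDirect: true,
      via: [{ source: 2, name: 'protobufjs', dependency: 'protobufjs',
        title: 'Arbitrary code execution in protobufjs',
        url: 'https://github.com/advisories/GHSA-xq3m-2v4x-88gg',
        severity: 'critical', range: '<=7.5.7' }],
      effects: [], range: '<=7.5.7', nodes: ['node_modules/protobufjs'],
      // Hypothetical: a fix that `npm audit fix` skips without --force.
      fixAvailable: { name: 'protobufjs', version: '8.0.0', isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 0, critical: 1, total: 3 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return the findings at or above `threshold`, split by how they can be fixed,
// plus the advisories that actually introduce a vulnerability (object entries
// in `via`), ignoring packages that merely inherit one (string entries).
function triageAudit(report, threshold = 'high') {
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity: ${threshold}`);
  const minRank = SEVERITY_RANK[threshold];
  const result = { blocking: [], autoFixable: [], needsMajor: [], unfixable: [], advisories: [] };

  for (const vuln of Object.values(report.vulnerabilities)) {
    for (const adv of vuln.via.filter((v) => typeof v === 'object')) {
      result.advisories.push({
        pkg: vuln.name, id: adv.url.split('/').pop(), severity: adv.severity, title: adv.title,
      });
    }
    if (SEVERITY_RANK[vuln.severity] < minRank) continue;
    result.blocking.push(vuln.name);
    const fix = vuln.fixAvailable;
    if (fix === true) result.autoFixable.push(vuln.name);
    else if (fix && fix.isSemVerMajor) result.needsMajor.push(`${vuln.name}@${fix.version}`);
    else if (fix && typeof fix === 'object') result.autoFixable.push(vuln.name);
    else result.unfixable.push(vuln.name);
  }
  return result;
}

// Exit status for a CI step: non-zero while anything at/above the threshold remains.
function ciExitCode(report, threshold = 'high') {
  return triageAudit(report, threshold).blocking.length === 0 ? 0 : 1;
}

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT, 'high'), null, 2));
console.log('exit code:', ciExitCode(SAMPLE_REPORT, 'high'));
```

Against a real tree, run `npm audit --json > audit.json`, `JSON.parse` that file in place of `SAMPLE_REPORT`, and fail the pipeline on a non-zero `ciExitCode`. Anything that lands in `needsMajor` is what `npm audit fix` alone will leave behind; it takes `npm audit fix --force` (which installs the semver-major update and can break callers) or an explicit version bump, and the run should be re-audited afterwards rather than trusting the "fix available" line.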
