chore(deps-dev): bump commander from 12.1.0 to 14.0.2 #9188

dependabot · 2025-10-27T04:11:27Z

Bumps commander from 12.1.0 to 14.0.2.

Release notes

v14.0.2

Changed

improve negative number auto-detection test (#2428)

update (dev) dependencies

v14.0.1

Fixed

broken markdown link in README (#2369)

Changed

improve code readability by using optional chaining (#2394)

use more idiomatic code with object spread instead of Object.assign() (#2395)

improve code readability using string.endsWith() instead of string.slice() (#2396)

refactor .parseOptions() to process args array in-place (#2409)

change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)

update (dev) dependencies

v14.0.0

Added

support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher -level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following option s/commands (#2328)

support for unescaped negative numbers as option-arguments and command-arguments (#2339)

TypeScript: add parseArg property to Argument class (#2359)

Fixed

remove bogus leading space in help when option has default value but not a description (#2348)

.configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

Breaking: Commander 14 requires Node.js v20 or higher

internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)

v13.1.0

Added

support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)

v13.0.0

Added

support multiple calls to .parse() with default settings (#2299)

add .saveStateBeforeParse() and .restoreStateBeforeParse() for use by subclasses (#2299)

style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)

... (truncated)

Changelog

Sourced from commander's changelog.

[14.0.2] (2025-10-25)

Changed

improve negative number auto-detection test (#2428)

update (dev) dependencies

[14.0.1] (2025-09-12)

Fixed

broken markdown link in README (#2369)

Changed

improve code readability by using optional chaining (#2394)

use more idiomatic code with object spread instead of Object.assign() (#2395)

improve code readability using string.endsWith() instead of string.slice() (#2396)

refactor .parseOptions() to process args array in-place (#2409)

change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)

update (dev) dependencies

[14.0.0] (2025-05-18)

Added

support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher-level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following options/commands (#2328)

support for unescaped negative numbers as option-arguments and command-arguments (#2339)

TypeScript: add parseArg property to Argument class (#2359)

Fixed

remove bogus leading space in help when option has default value but not a description (#2348)

.configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

Breaking: Commander 14 requires Node.js v20 or higher

internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)

[13.1.0] (2025-01-21)

Added

support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)

[13.0.0] (2024-12-30)

Added

... (truncated)

Commits

0692be5 Prepare for 14.0.2 (#2437)
88a348e Bump actions/setup-node from 5 to 6 (#2438)
3fe83d6 Bump github/codeql-action from 3 to 4 (#2435)
0b7988e Bump globals from 16.3.0 to 16.4.0 (#2429)
8005253 Bump typescript-eslint from 8.42.0 to 8.45.0 (#2430)
213e679 Bump ts-jest from 29.4.1 to 29.4.4 (#2431)
7ede91b Bump jest from 30.1.3 to 30.2.0 (#2432)
8c91f34 Bump typescript from 5.9.2 to 5.9.3 (#2433)
ff1d2ce Improve negative test (#2428)
1a6dba5 Clarify deprecated routine (#2427)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

github-actions · 2025-10-27T04:11:46Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

npm/commander

14.0.2

🟢 7.4

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 10	all changesets reviewed
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Maintained	🟢 10	19 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	🟢 9	SAST tool detected but not run on all commits

npm/commander

14.0.2

🟢 7.4

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 10	all changesets reviewed
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
Maintained	🟢 10	19 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts	🟢 10	no binaries found in the repo
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	🟢 9	SAST tool detected but not run on all commits

Scanned Files

package.json
yarn.lock

github-actions · 2025-10-27T04:12:07Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	5
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
├─ tmp: �[38;5;37m0.1.0�[39m
│  ├─ ID: �[38;5;220m1106849�[39m
│  ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
│  ├─ Severity: low
│  ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
│  ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
│  ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
│  └─ Recommendation: Upgrade to version 0.2.4 or later
│
└─ validator: �[38;5;37m13.15.15�[39m
   ├─ ID: �[38;5;220m1108959�[39m
   ├─ Issue: validator.js has a URL validation bypass vulnerability in its isURL function
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-9965-vmph-33xx�[39m
   ├─ Severity: moderate
   ├─ Vulnerable Versions: �[38;5;37m<=13.15.15�[39m
   ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
   ├─ Via: validator
   └─ Recommendation: None

github-actions · 2025-10-27T04:19:59Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-27T04:28:57Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-28T04:08:44Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-28T04:13:25Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-29T04:09:44Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-30T04:09:17Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-10-31T04:08:27Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1106849�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-11-05T04:09:56Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1109537�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-11-05T04:14:48Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1109537�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-11-07T04:08:19Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1109537�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-11-07T04:13:02Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1109537�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

github-actions · 2025-11-10T04:09:39Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1109537�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

Bumps [commander](https://github.com/tj/commander.js) from 12.1.0 to 14.0.2. - [Release notes](https://github.com/tj/commander.js/releases) - [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md) - [Commits](tj/commander.js@v12.1.0...v14.0.2) --- updated-dependencies: - dependency-name: commander dependency-version: 14.0.2 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2025-11-11T04:39:45Z

🟠 Dependency Security Audit

🟠 3 high severity vulnerabilities found

Severity	Count
🔴 Critical	0
🟠 High	3
🟡 Moderate	4
🟢 Low	4

⚠️ Recommended: High severity vulnerabilities should be addressed.

View full audit report

├─ lodash.pick: �[38;5;37m4.4.0�[39m
│  ├─ ID: �[38;5;220m1106907�[39m
│  ├─ Issue: Prototype Pollution in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p6mc-m468-83gw�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m>=4.0.0 <=4.4.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ lodash.template: �[38;5;37m4.5.0�[39m
│  ├─ ID: �[38;5;220m1106902�[39m
│  ├─ Issue: Command Injection in lodash
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-35jh-r3h4-6jhm�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<=4.5.0�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: electron-winstaller
│  └─ Recommendation: None
│
├─ nth-check: �[38;5;37m1.0.2�[39m
│  ├─ ID: �[38;5;220m1095141�[39m
│  ├─ Issue: Inefficient Regular Expression Complexity in nth-check
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-rp65-9cf3-cjxr�[39m
│  ├─ Severity: high
│  ├─ Vulnerable Versions: �[38;5;37m<2.0.1�[39m
│  ├─ Patched Versions: �[38;5;37m>=2.0.1�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: Upgrade to version 2.0.1 or later
│
├─ request: �[38;5;37m2.88.2�[39m
│  ├─ ID: �[38;5;220m1096727�[39m
│  ├─ Issue: Server-Side Request Forgery in Request
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-p8p7-x288-28g6�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m<=2.88.2�[39m
│  ├─ Patched Versions: �[38;5;37m<0.0.0�[39m
│  ├─ Via: open-graph
│  └─ Recommendation: None
│
├─ serialize-javascript: �[38;5;37m6.0.0�[39m
│  ├─ ID: �[38;5;220m1105261�[39m
│  ├─ Issue: Cross-site Scripting (XSS) in serialize-javascript
│  ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-76p7-773f-r4q5�[39m
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: �[38;5;37m>=6.0.0 <6.0.2�[39m
│  ├─ Patched Versions: �[38;5;37m>=6.0.2�[39m
│  ├─ Via: mocha, webpack, babel-loader
│  └─ Recommendation: Upgrade to version 6.0.2 or later
│
└─ tmp: �[38;5;37m0.1.0�[39m
   ├─ ID: �[38;5;220m1109537�[39m
   ├─ Issue: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
   ├─ URL: �[38;5;170mhttps://github.com/advisories/GHSA-52f5-9888-hmc6�[39m
   ├─ Severity: low
   ├─ Vulnerable Versions: �[38;5;37m<=0.2.3�[39m
   ├─ Patched Versions: �[38;5;37m>=0.2.4�[39m
   ├─ Via: @wireapp/protocol-messaging, electron-winstaller, electron-builder
   └─ Recommendation: Upgrade to version 0.2.4 or later

sonarqubecloud · 2025-11-11T04:39:51Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

dependabot bot added dependencies javascript Pull requests that update Javascript code labels Oct 27, 2025

dependabot bot mentioned this pull request Oct 27, 2025

chore(deps-dev): bump commander from 12.1.0 to 14.0.1 #9065

Closed

otto-the-bot approved these changes Oct 27, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from f072435 to cc0d311 Compare October 27, 2025 04:19

otto-the-bot approved these changes Oct 27, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from cc0d311 to f4088d2 Compare October 27, 2025 04:28

otto-the-bot approved these changes Oct 27, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from f4088d2 to 04678bc Compare October 28, 2025 04:07

otto-the-bot approved these changes Oct 28, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from 04678bc to 190ed93 Compare October 28, 2025 04:12

otto-the-bot approved these changes Oct 28, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from 190ed93 to bd90978 Compare October 29, 2025 04:09

otto-the-bot approved these changes Oct 29, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from bd90978 to ca2d640 Compare October 30, 2025 04:08

otto-the-bot approved these changes Oct 30, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from ca2d640 to 515d7ee Compare October 31, 2025 04:07

otto-the-bot approved these changes Oct 31, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from 515d7ee to 3d7f1de Compare November 5, 2025 04:09

otto-the-bot approved these changes Nov 5, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from 3d7f1de to 26ee0ec Compare November 5, 2025 04:14

otto-the-bot approved these changes Nov 5, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from 26ee0ec to bb614b5 Compare November 7, 2025 04:07

otto-the-bot approved these changes Nov 7, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from bb614b5 to d3e5554 Compare November 7, 2025 04:12

otto-the-bot approved these changes Nov 7, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from d3e5554 to 5d27b5a Compare November 10, 2025 04:08

otto-the-bot approved these changes Nov 10, 2025

View reviewed changes

dependabot bot force-pushed the dependabot/npm_and_yarn/commander-14.0.2 branch from 5d27b5a to d46c8f3 Compare November 11, 2025 04:39

otto-the-bot approved these changes Nov 11, 2025

View reviewed changes

chore(deps-dev): bump commander from 12.1.0 to 14.0.2 #9188

Are you sure you want to change the base?

chore(deps-dev): bump commander from 12.1.0 to 14.0.2 #9188

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v14.0.2

Changed

v14.0.1

Fixed

Changed

v14.0.0

Added

Fixed

Changed

v13.1.0

Added

v13.0.0

Added

[14.0.2] (2025-10-25)

Changed

[14.0.1] (2025-09-12)

Fixed

Changed

[14.0.0] (2025-05-18)

Added

Fixed

Changed

[13.1.0] (2025-01-21)

Added

[13.0.0] (2024-12-30)

Added

Uh oh!

github-actions bot commented Oct 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

github-actions bot commented Oct 27, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 27, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 27, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 28, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 28, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 29, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 30, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Oct 31, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Nov 5, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Nov 5, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Nov 7, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Nov 7, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Nov 10, 2025

🟠 Dependency Security Audit

Uh oh!

github-actions bot commented Nov 11, 2025

dependabot bot commented on behalf of github Oct 27, 2025 •

edited

Loading

github-actions bot commented Oct 27, 2025 •

edited

Loading