
fix(deps): vuln minor upgrades — 15 packages (minor: 12 · patch: 3) #37536

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/npm/0-1781564417

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| fast-xml-parser | 4.2.5 | 4.5.6 | minor | Transitive | 2 CRITICAL, 4 HIGH, 3 MEDIUM, 2 LOW |
| basic-ftp | 5.0.5 | 5.3.1 | minor | Transitive | 2 CRITICAL, 3 HIGH |
| simple-git | 3.16.0 | 3.36.0 | minor | Transitive | 2 CRITICAL, 2 HIGH |
| form-data | 4.0.0 | 4.0.6 | patch | Transitive | 2 CRITICAL, 1 HIGH |
| @babel/traverse | 7.12.5 | 7.29.7 | minor | Transitive | 2 CRITICAL |
| protobufjs | 7.3.0 | 7.6.4 | minor | Transitive | 1 CRITICAL, 5 HIGH, 5 MEDIUM |
| axios | 1.7.2 | 1.17.0 | minor | Transitive | 19 HIGH, 11 MEDIUM, 1 LOW |
| node-forge | 1.3.1 | 1.4.0 | minor | Transitive | 12 HIGH, 2 MEDIUM |
| minimatch | 3.0.4 | 3.1.5 | minor | Transitive | 8 HIGH |
| ws | 7.4.0 | 7.5.11 | minor | Transitive | 3 HIGH, 2 MEDIUM |
| lodash.template | 4.5.0 | 4.18.1 | minor | Transitive | 3 HIGH |
| picomatch | 2.2.2 | 2.3.2 | minor | Transitive | 2 HIGH, 2 MEDIUM |
| qs | 6.5.2 | 6.15.2 | minor | Transitive | 2 HIGH, 2 MEDIUM |
| @grpc/grpc-js | 1.10.8 | 1.10.12 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| postcss | 7.0.35 | 7.0.39 | patch | Transitive | 7 MEDIUM |

Security Details

🚨 Critical & High Severity (77 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @babel/traverse | GHSA-67hx-6x53-jw92 | CRITICAL | Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code | 7.12.5 | 7.23.2 |
| @babel/traverse | CVE-2023-45133 | CRITICAL | Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code | 7.12.5 | - |
| basic-ftp | GHSA-5rq4-664w-9x2c | CRITICAL | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method | 5.0.5 | 5.2.0 |
| basic-ftp | CVE-2026-27699 | CRITICAL | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method | 5.0.5 | - |
| fast-xml-parser | GHSA-m7jm-9gc2-mpf2 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.2.5 | 5.3.5 |
| fast-xml-parser | CVE-2026-25896 | CRITICAL | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 4.2.5 | - |
| form-data | CVE-2025-7783 | CRITICAL | - | 4.0.0 | - |
| form-data | GHSA-fjxv-7rqg-78g4 | CRITICAL | form-data uses unsafe random function in form-data for choosing boundary | 4.0.0 | 2.5.4 |
| protobufjs | GHSA-xq3m-2v4x-88gg | CRITICAL | Arbitrary code execution in protobufjs | 7.3.0 | 8.0.1 |
| simple-git | CVE-2026-28292 | CRITICAL | simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE | 3.16.0 | - |
| simple-git | GHSA-r275-fr43-pm7q | CRITICAL | simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE | 3.16.0 | 3.32.3 |
| @grpc/grpc-js | GHSA-99f4-grh7-6pcq | HIGH | @grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash | 1.10.8 | 1.9.16 |
| @grpc/grpc-js | GHSA-5375-pq7m-f5r2 | HIGH | @grpc/grpc-js: A malformed request can cause a server crash | 1.10.8 | 1.9.16 |
| axios | GHSA-q8qp-cvcw-x6jj | HIGH | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | 1.7.2 | 1.15.2 |
| axios | GHSA-777c-7fjr-54vf | HIGH | Allocation of Resources Without Limits or Throttling in Axios | 1.7.2 | 1.16.0 |
| axios | GHSA-6chq-wfr3-2hj9 | HIGH | Axios: Header Injection via Prototype Pollution | 1.7.2 | 1.15.1 |
| axios | GHSA-43fc-jf86-j433 | HIGH | Axios is Vulnerable to Denial of Service via proto Key in mergeConfig | 1.7.2 | 1.13.5 |
| axios | CVE-2026-25639 | HIGH | Axios affected by Denial of Service via proto Key in mergeConfig | 1.7.2 | - |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.7.2 | 1.12.0 |
| axios | GHSA-pmwg-cvhr-8vh7 | HIGH | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | 1.7.2 | 1.15.1 |
| axios | GHSA-hfxv-24rg-xrqf | HIGH | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | 1.7.2 | 1.16.0 |
| axios | GHSA-35jp-ww65-95wh | HIGH | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy | 1.7.2 | 1.16.0 |
| axios | GHSA-pjwm-pj3p-43mv | HIGH | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | 1.7.2 | 1.16.0 |
| axios | CVE-2025-27152 | HIGH | Possible SSRF and Credential Leakage via Absolute URL in axios Requests | 1.7.2 | - |
| axios | GHSA-jr5f-v2jv-69x6 | HIGH | axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL | 1.7.2 | 1.8.2 |
| axios | GHSA-3g43-6gmg-66jw | HIGH | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | 1.7.2 | 1.15.2 |
| axios | GHSA-j5f8-grm9-p9fc | HIGH | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | 1.7.2 | 1.16.0 |
| axios | GHSA-p92q-9vqr-4j8v | HIGH | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | 1.7.2 | 1.16.0 |
| axios | CVE-2025-58754 | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.7.2 | - |
| axios | GHSA-8hc4-vh64-cxmj | HIGH | Server-Side Request Forgery in axios | 1.7.2 | 1.7.4 |
| axios | CVE-2024-39338 | HIGH | - | 1.7.2 | - |
| axios | GHSA-pf86-5x62-jrwf | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | 1.7.2 | 1.15.1 |
| basic-ftp | GHSA-rp42-5vxx-qpwr | HIGH | basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() | 5.0.5 | 5.3.0 |
| basic-ftp | GHSA-6v7q-wjvx-w8wg | HIGH | basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands | 5.0.5 | 5.2.2 |
| basic-ftp | GHSA-rpmf-866q-6p89 | HIGH | basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering | 5.0.5 | 5.3.1 |
| fast-xml-parser | CVE-2026-33036 | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.2.5 | - |
| fast-xml-parser | CVE-2026-26278 | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.2.5 | - |
| fast-xml-parser | GHSA-jmr7-xgp7-cmfj | HIGH | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | 4.2.5 | 4.5.4 |
| fast-xml-parser | GHSA-8gc5-j5rx-235r | HIGH | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | 4.2.5 | 5.5.6 |
| form-data | GHSA-hmw2-7cc7-3qxx | HIGH | form-data: CRLF injection in form-data via unescaped multipart field names and filenames | 4.0.0 | 2.5.6 |
| lodash.template | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via `_.template` imports key names | 4.5.0 | 4.18.0 |
| lodash.template | GHSA-35jh-r3h4-6jhm | HIGH | Command Injection in lodash | 4.5.0 | - |
| lodash.template | CVE-2021-23337 | HIGH | - | 4.5.0 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested `*()` extglobs generate catastrophically backtracking regular expressions | 3.0.4 | 10.2.3 |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.0.4 | 10.2.1 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested `*()` extglobs generate catastrophically backtracking regular expressions | 3.0.4 | - |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.0.4 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.0.4 | 10.2.3 |
| minimatch | CVE-2022-3517 | HIGH | - | 3.0.4 | - |
| minimatch | GHSA-f8q6-p94x-37v3 | HIGH | minimatch ReDoS vulnerability | 3.0.4 | 3.0.5 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.0.4 | - |
| node-forge | GHSA-554w-wpv2-vw27 | HIGH | node-forge has ASN.1 Unbounded Recursion | 1.3.1 | 1.3.2 |
| node-forge | GHSA-5m6q-g25r-mvwx | HIGH | Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input | 1.3.1 | 1.4.0 |
| node-forge | CVE-2026-33895 | HIGH | Forge has signature forgery in Ed25519 due to missing S > L check | 1.3.1 | - |
| node-forge | GHSA-ppp5-5v6c-4jwp | HIGH | Forge has signature forgery in RSA-PKCS due to ASN.1 extra field | 1.3.1 | 1.4.0 |
| node-forge | CVE-2025-12816 | HIGH | - | 1.3.1 | - |
| node-forge | GHSA-5gfm-wpxj-wjgq | HIGH | node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization | 1.3.1 | 1.3.2 |
| node-forge | CVE-2026-33891 | HIGH | Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input | 1.3.1 | - |
| node-forge | CVE-2026-33894 | HIGH | Forge has signature forgery in RSA-PKCS due to ASN.1 extra field | 1.3.1 | - |
| node-forge | CVE-2025-66031 | HIGH | node-forge ASN.1 Unbounded Recursion | 1.3.1 | - |
| node-forge | GHSA-2328-f5f3-gj25 | HIGH | Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | 1.3.1 | 1.4.0 |
| node-forge | CVE-2026-33896 | HIGH | Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | 1.3.1 | - |
| node-forge | GHSA-q67f-28xg-22rw | HIGH | Forge has signature forgery in Ed25519 due to missing S > L check | 1.3.1 | 1.4.0 |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.2.2 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.2.2 | - |
| protobufjs | GHSA-jvwf-75h9-cwgg | HIGH | protobuf.js: Process-wide denial of service through unsafe option paths | 7.3.0 | 7.5.6 |
| protobufjs | GHSA-685m-2w69-288q | HIGH | protobuf.js: Denial of service through unbounded protobuf recursion | 7.3.0 | 7.5.6 |
| protobufjs | GHSA-wcpc-wj8m-hjx6 | HIGH | protobufjs: Denial of service through unbounded Any expansion during JSON conversion | 7.3.0 | 7.6.1 |
| protobufjs | GHSA-75px-5xx7-5xc7 | HIGH | protobuf.js: Code generation gadget after prototype pollution | 7.3.0 | 7.5.6 |
| protobufjs | GHSA-66ff-xgx4-vchm | HIGH | protobuf.js: Code injection through bytes field defaults in generated toObject code | 7.3.0 | 7.5.6 |
| qs | GHSA-hrpp-h998-j3pp | HIGH | qs vulnerable to Prototype Pollution | 6.5.2 | 6.10.3 |
| qs | CVE-2022-24999 | HIGH | - | 6.5.2 | - |
| simple-git | GHSA-jcxm-m3jx-f287 | HIGH | simple-git Affected by Command Execution via Option-Parsing Bypass | 3.16.0 | 3.32.0 |
| simple-git | GHSA-hffm-xvc3-vprc | HIGH | simple-git is vulnerable to Remote Code Execution | 3.16.0 | 3.36.0 |
| ws | GHSA-3h5v-q93c-6h6q | HIGH | ws affected by a DoS when handling a request with many HTTP headers | 7.4.0 | 5.2.4 |
| ws | CVE-2024-37890 | HIGH | Denial of service when handling a request with many HTTP headers in ws | 7.4.0 | - |
| ws | GHSA-96hv-2xvq-fx4p | HIGH | ws: Memory exhaustion DoS from tiny fragments and data chunks | 7.4.0 | 5.2.5 |

ℹ️ Other Vulnerabilities (39)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @grpc/grpc-js | CVE-2024-37168 | MODERATE | @grpc/grpc-js can allocate memory for incoming messages well above configured limits | 1.10.8 | - |
| @grpc/grpc-js | GHSA-7v5v-9h63-cj86 | MODERATE | @grpc/grpc-js can allocate memory for incoming messages well above configured limits | 1.10.8 | 1.10.9 |
| axios | GHSA-3p68-rc4w-qgx5 | MODERATE | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | 1.7.2 | 1.15.0 |
| axios | GHSA-62hf-57xw-28j9 | MODERATE | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | 1.7.2 | 1.15.1 |
| axios | GHSA-xx6v-rp6x-q39c | MODERATE | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion | 1.7.2 | 1.15.1 |
| axios | GHSA-fvcv-3m26-pcqx | MODERATE | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.7.2 | 1.15.0 |
| axios | GHSA-w9j2-pvgh-6h63 | MODERATE | Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy | 1.7.2 | 1.15.1 |
| axios | GHSA-898c-q2cr-xwhg | MODERATE | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | 1.7.2 | 1.16.0 |
| axios | GHSA-vf2m-468p-8v99 | MODERATE | Axios: HTTP adapter streamed responses bypass maxContentLength | 1.7.2 | 1.15.1 |
| axios | GHSA-m7pr-hjqh-92cm | MODERATE | Axios: no_proxy bypass via IP alias allows SSRF | 1.7.2 | 1.15.1 |
| axios | GHSA-445q-vr5w-6q77 | MODERATE | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | 1.7.2 | 1.15.1 |
| axios | GHSA-5c9x-8gcm-mpgx | MODERATE | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | 1.7.2 | 1.15.1 |
| axios | GHSA-3w6x-2g7m-8v23 | MODERATE | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver | 1.7.2 | 1.15.2 |
| fast-xml-parser | GHSA-jp2q-39xq-3w4g | MODERATE | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | 4.2.5 | 4.5.5 |
| fast-xml-parser | GHSA-gh4j-gqv2-49f6 | MODERATE | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | 4.2.5 | 5.7.0 |
| fast-xml-parser | CVE-2026-33349 | MODERATE | fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation | 4.2.5 | - |
| node-forge | GHSA-65ch-62r8-g69g | MODERATE | node-forge is vulnerable to ASN.1 OID Integer Truncation | 1.3.1 | 1.3.2 |
| node-forge | CVE-2025-66030 | MODERATE | node-forge ASN.1 OID Integer Truncation | 1.3.1 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.2.2 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.2.2 | - |
| postcss | GHSA-7fh5-64p2-3v2j | MODERATE | PostCSS line return parsing error | 7.0.35 | 8.4.31 |
| postcss | GHSA-hwj9-h5mp-3pm3 | MODERATE | Regular Expression Denial of Service in postcss | 7.0.35 | 7.0.36 |
| postcss | CVE-2021-23368 | MODERATE | - | 7.0.35 | - |
| postcss | GHSA-566m-qj78-rww5 | MODERATE | Regular Expression Denial of Service in postcss | 7.0.35 | 8.2.13 |
| postcss | CVE-2023-44270 | MODERATE | - | 7.0.35 | - |
| postcss | GHSA-qx2v-qp2m-jg93 | MODERATE | PostCSS has XSS via Unescaped `</style>` in its CSS Stringify Output | 7.0.35 | 8.5.10 |
| postcss | CVE-2021-23382 | MODERATE | - | 7.0.35 | - |
| protobufjs | GHSA-fx83-v9x8-x52w | MODERATE | protobuf.js: Prototype injection in generated message constructors | 7.3.0 | 7.5.6 |
| protobufjs | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 7.3.0 | 7.5.6 |
| protobufjs | GHSA-f38q-mgvj-vph7 | MODERATE | protobufjs: Schema-derived names can shadow runtime-significant properties | 7.3.0 | 7.6.3 |
| protobufjs | GHSA-jggg-4jg4-v7c6 | MODERATE | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | 7.3.0 | 7.5.8 |
| protobufjs | GHSA-2pr8-phx7-x9h3 | MODERATE | protobuf.js: Denial of service from crafted field names in generated code | 7.3.0 | 7.5.6 |
| qs | CVE-2025-15284 | MODERATE | - | 6.5.2 | - |
| qs | GHSA-6rw7-vpxm-498p | MODERATE | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion | 6.5.2 | 6.14.1 |
| ws | CVE-2021-32640 | MODERATE | - | 7.4.0 | - |
| ws | GHSA-6fc8-4gx4-v693 | MODERATE | ReDoS in Sec-Websocket-Protocol header | 7.4.0 | 7.4.6 |
| axios | GHSA-xhjh-pmcv-23jw | LOW | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | 1.7.2 | 1.15.1 |
| fast-xml-parser | CVE-2026-27942 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.2.5 | - |
| fast-xml-parser | GHSA-fj3w-jwp8-x2g3 | LOW | fast-xml-parser has stack overflow in XMLBuilder with preserveOrder | 4.2.5 | 5.3.8 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
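Reviewer's helper for the checklist above, added here as an example; it is not part of this PR and not code from the dependency-management tool that generated it. It does two things the "review the changes" step glosses over. First, it compares the "To" version of each package with the "Fixed In" version of each advisory row, because several rows list a fix on a different release line than the one the PR moves to (fast-xml-parser fixed in 5.3.5 while the PR targets 4.5.6, minimatch fixed in 10.2.3 against a 3.1.5 target, form-data and ws rows pointing at lower majors); such rows are not necessarily unfixed, since advisories usually carry one patched range per release line, but they need a manual look rather than a rubber stamp. Second, it parses a yarn v1 lockfile and reports any copy of a bumped package that still resolves below the target, since a transitive dependency can be pinned several times under different ranges and a minor bump can leave a stale copy behind. The package targets and advisory rows are a subset copied from the tables above; the lockfile text is constructed for the example, and the three-way classification is a heuristic, not the advisory database's own patched-range logic.

```python
"""Added reviewer helper for a vulnerability-bump PR (example code, not the
PR's own). Assumes semver versions and the yarn v1 lockfile format."""
from __future__ import annotations
import re

# Subset of the PR's "Updates" table: package -> version the PR moves to.
PR_TARGETS = {
    "fast-xml-parser": "4.5.6", "minimatch": "3.1.5", "ws": "7.5.11",
    "@grpc/grpc-js": "1.10.12", "form-data": "4.0.6", "axios": "1.17.0",
    "@babel/traverse": "7.29.7",
}

# Subset of the "Security Details" rows: (package, advisory id, "Fixed In").
ADVISORY_ROWS = [
    ("fast-xml-parser", "GHSA-m7jm-9gc2-mpf2", "5.3.5"),
    ("fast-xml-parser", "GHSA-jmr7-xgp7-cmfj", "4.5.4"),
    ("fast-xml-parser", "CVE-2026-25896", "-"),
    ("minimatch", "GHSA-23c5-xmqv-rm74", "10.2.3"),
    ("minimatch", "GHSA-f8q6-p94x-37v3", "3.0.5"),
    ("ws", "GHSA-3h5v-q93c-6h6q", "5.2.4"),
    ("@grpc/grpc-js", "GHSA-99f4-grh7-6pcq", "1.9.16"),
    ("form-data", "GHSA-fjxv-7rqg-78g4", "2.5.4"),
    ("axios", "GHSA-777c-7fjr-54vf", "1.16.0"),
]

# Constructed yarn v1 lockfile fragment: fast-xml-parser is resolved twice,
# once bumped and once still pinned at the vulnerable 4.2.5.
SAMPLE_LOCK = '''\
# yarn lockfile v1

"@babel/traverse@^7.12.5", "@babel/traverse@^7.20.0":
  version "7.29.7"
  resolved "https://registry.example/@babel/traverse/-/traverse-7.29.7.tgz"

fast-xml-parser@^4.2.5:
  version "4.5.6"

fast-xml-parser@4.2.5:
  version "4.2.5"

minimatch@^3.0.4:
  version "3.1.5"
'''


def parse_version(v: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing pre-release or build tag is ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    return int(m[1]), int(m[2]), int(m[3])


def coverage(to_version: str, fixed_in: str | None) -> str:
    """Classify one advisory row against the PR's target version.

    covered      same release line and target >= listed fix
    below-fix    same release line but target < fix: the PR does not fix it
    other-major  fix listed on another major line: check the advisory's
                 patched ranges for a backport before trusting the row
    unknown      the row lists no fixed version ("-" in the table)
    """
    if fixed_in is None or fixed_in.strip() == "-":
        return "unknown"
    to, fix = parse_version(to_version), parse_version(fixed_in)
    if to[0] != fix[0]:
        return "other-major"
    return "covered" if to >= fix else "below-fix"


def triage(targets: dict[str, str],
           rows: list[tuple[str, str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Return {package: [(advisory_id, status), ...]} for rows not 'covered'."""
    flagged: dict[str, list[tuple[str, str]]] = {}
    for package, advisory_id, fixed_in in rows:
        status = coverage(targets[package], fixed_in)
        if status != "covered":
            flagged.setdefault(package, []).append((advisory_id, status))
    return flagged


def lock_versions(lock_text: str) -> dict[str, set[str]]:
    """Map package name -> every version resolved for it in a yarn v1 lockfile."""
    resolved: dict[str, set[str]] = {}
    names: list[str] = []
    for line in lock_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            # Key line: one or more '"name@range"' specs separated by commas.
            # The last '@' splits name from range, which keeps scoped names whole.
            names = []
            for spec in line.rstrip()[:-1].split(","):
                spec = spec.strip().strip('"')
                names.append(spec[: spec.rfind("@")])
        else:
            m = re.match(r'\s+version\s+"([^"]+)"', line)
            if m:
                for name in names:
                    resolved.setdefault(name, set()).add(m[1])
    return resolved


def below_target(lock_text: str, targets: dict[str, str]) -> dict[str, set[str]]:
    """Return {package: {versions}} for copies still resolved below the PR target."""
    stale: dict[str, set[str]] = {}
    for name, versions in lock_versions(lock_text).items():
        if name in targets:
            low = {v for v in versions if parse_version(v) < parse_version(targets[name])}
            if low:
                stale[name] = low
    return stale


if __name__ == "__main__":
    for package, items in triage(PR_TARGETS, ADVISORY_ROWS).items():
        for advisory_id, status in items:
            print(f"{package:18} {advisory_id:22} {status}")
    print("stale lockfile copies:", below_target(SAMPLE_LOCK, PR_TARGETS))
```

Run against the real lockfile by replacing SAMPLE_LOCK with the contents of yarn.lock after checking out the PR branch; every "other-major" row is a prompt to open the advisory and confirm the target line has its own patched range, and any non-empty `below_target` result means the bump did not reach every copy of the package.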
