{ "auditReportVersion": 2, "vulnerabilities": { "@eslint/plugin-kit": { "name": "@eslint/plugin-kit", "severity": "low", "isDirect": false, "via": [ { "source": 1106734, "name": "@eslint/plugin-kit", "dependency": "@eslint/plugin-kit", "title": "@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser", "url": "https://github.com/advisories/GHSA-xffm-g5w8-qvg7", "severity": "low", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<0.3.4" } ], "effects": [ "eslint" ], "range": "<0.3.4", "nodes": [ "node_modules/@eslint/plugin-kit" ], "fixAvailable": { "name": "eslint", "version": "9.39.4", "isSemVerMajor": false } }, "ajv": { "name": "ajv", "severity": "moderate", "isDirect": true, "via": [ { "source": 1113714, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<6.14.0" }, { "source": 1113715, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=7.0.0-alpha.0 <8.18.0" } ], "effects": [], "range": "<6.14.0 || >=7.0.0-alpha.0 <8.18.0", "nodes": [ "node_modules/@eslint/eslintrc/node_modules/ajv", "node_modules/ajv", "node_modules/eslint/node_modules/ajv" ], "fixAvailable": { "name": "ajv", "version": "8.18.0", "isSemVerMajor": false } }, "brace-expansion": { "name": "brace-expansion", "severity": "low", "isDirect": false, "via": [ { "source": 1105443, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion Regular Expression Denial of Service vulnerability", "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", "severity": "low", "cwe": [ "CWE-400" ], "cvss": { "score": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=1.0.0 <=1.1.11" }, { "source": 1105444, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion Regular Expression Denial of Service vulnerability", "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", "severity": "low", "cwe": [ "CWE-400" ], "cvss": { "score": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, "range": ">=2.0.0 <=2.0.1" } ], "effects": [], "range": "1.0.0 - 1.1.11 || 2.0.0 - 2.0.1", "nodes": [ "node_modules/brace-expansion", "node_modules/glob/node_modules/brace-expansion" ], "fixAvailable": true }, "eslint": { "name": "eslint", "severity": "low", "isDirect": true, "via": [ "@eslint/plugin-kit" ], "effects": [], "range": "9.10.0 - 9.26.0", "nodes": [ "node_modules/eslint" ], "fixAvailable": { "name": "eslint", "version": "9.39.4", "isSemVerMajor": false } }, "flatted": { "name": "flatted", "severity": "high", "isDirect": false, "via": [ { "source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": [ "CWE-674" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.4.0" } ], "effects": [], "range": "<3.4.0", "nodes": [ "node_modules/flatted" ], "fixAvailable": true }, "immutable": { "name": "immutable", "severity": "high", "isDirect": false, "via": [ { "source": 1114158, "name": "immutable", "dependency": "immutable", "title": "Immutable is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.8.3" }, { "source": 1114159, "name": "immutable", "dependency": "immutable", "title": "Immutable is vulnerable to Prototype Pollution", "url": "https://github.com/advisories/GHSA-wf6x-7x77-mvgw", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=4.0.0-rc.1 <4.3.8" } ], "effects": [], "range": "<3.8.3 || >=4.0.0-rc.1 <4.3.8", "nodes": [ "node_modules/immutable", "node_modules/sass/node_modules/immutable" ], "fixAvailable": true }, "js-yaml": { "name": "js-yaml", "severity": "moderate", "isDirect": false, "via": [ { "source": 1112715, "name": "js-yaml", "dependency": "js-yaml", "title": "js-yaml has prototype pollution in merge (<<)", "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": ">=4.0.0 <4.1.1" } ], "effects": [], "range": "4.0.0 - 4.1.0", "nodes": [ "node_modules/js-yaml" ], "fixAvailable": true }, "lodash": { "name": "lodash", "severity": "moderate", "isDirect": true, "via": [ { "source": 1112455, "name": "lodash", "dependency": "lodash", "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": ">=4.0.0 <=4.17.22" } ], "effects": [], "range": "4.0.0 - 4.17.21", "nodes": [ "node_modules/lodash" ], "fixAvailable": { "name": "lodash", "version": "4.17.23", "isSemVerMajor": false } }, "lodash-es": { "name": "lodash-es", "severity": "moderate", "isDirect": false, "via": [ { "source": 1112453, "name": "lodash-es", "dependency": "lodash-es", "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, "range": ">=4.0.0 <=4.17.22" } ], "effects": [], "range": "4.0.0 - 4.17.22", "nodes": [ "node_modules/lodash-es" ], "fixAvailable": true }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.1.3" }, { "source": 1113465, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=9.0.0 <9.0.6" }, { "source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.3" }, { "source": 1113544, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=9.0.0 <9.0.7" }, { "source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.4" }, { "source": 1113552, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=9.0.0 <9.0.7" } ], "effects": [], "range": "<=3.1.3 || 9.0.0 - 9.0.6", "nodes": [ "node_modules/glob/node_modules/minimatch", "node_modules/minimatch" ], "fixAvailable": true }, "rollup": { "name": "rollup", "severity": "high", "isDirect": false, "via": [ { "source": 1113515, "name": "rollup", "dependency": "rollup", "title": "Rollup 4 has Arbitrary File Write via Path Traversal", "url": "https://github.com/advisories/GHSA-mw96-cpmx-2vgc", "severity": "high", "cwe": [ "CWE-22" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=4.0.0 <4.59.0" } ], "effects": [], "range": "4.0.0 - 4.58.0", "nodes": [ "node_modules/rollup" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 3, "moderate": 4, "high": 4, "critical": 0, "total": 11 }, "dependencies": { "prod": 342, "dev": 712, "optional": 47, "peer": 0, "peerOptional": 0, "total": 1054 } } }