While scanning our project with Snyk, we identified two transitive vulnerabilities introduced via the dependency @gorules/jdm-editor@1.47.0. These issues originate from deeply nested dependencies and currently have no available fix in the affected versions.
🔒 Vulnerability 1: Missing Release of Resource after Effective Lifetime
Package: inflight@1.0.6
CWE: CWE-772
Severity: Medium (CVSS 6.2)
Snyk ID: SNYK-JS-INFLIGHT-6095116
Exploit Maturity: Proof of Concept
Fix: ❌ No fix available — inflight is unmaintained.
Description:
The inflight package fails to release resources properly after their effective lifetime. This can lead to memory/resource exhaustion, resulting in potential application crashes.
Dependency Path Example:
@gorules/jdm-editor@1.47.0
└─ exceljs@4.4.0
   └─ archiver@5.3.2
      └─ archiver-utils@2.1.0
         └─ glob@7.2.3
            └─ inflight@1.0.6
🐢 Vulnerability 2: Regular Expression Denial of Service (ReDoS)
Package: brace-expansion@1.1.11
CWE: CWE-1333
CVE: CVE-2025-5889
Severity: Low (CVSS 2.3)
Fix available in: brace-expansion@1.1.12 or later
Description:
The expand() function in brace-expansion is vulnerable to catastrophic backtracking on long input strings, allowing a potential denial of service.
Dependency Path Example:
@gorules/jdm-editor@1.47.0
└─ exceljs@4.4.0
   └─ archiver@5.3.2
      └─ archiver-utils@2.1.0
         └─ glob@7.2.3
            └─ minimatch@3.1.2
               └─ brace-expansion@1.1.11
📌 Recommendation
Please consider updating or replacing the dependency chain to eliminate the use of deprecated/unmaintained packages like inflight.
Updating exceljs (or related dependencies) to versions that no longer rely on inflight or older versions of brace-expansion may help mitigate the vulnerabilities.
Alternatively, guidance on how best to override or patch these transitive issues from the maintainers would be appreciated.
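As an added illustration (not code from the jdm-editor project or from the reporter), the Node script below walks the "packages" map of a package-lock.json (lockfile v2/v3) and reports every installed copy of the two packages above that is still at a vulnerable version, so the effect of a package.json `"overrides": { "brace-expansion": "1.1.12" }` entry (npm 8.3 or later) can be checked after `npm install`. The lockfile excerpt is constructed to mirror the dependency path in this issue.

```javascript
// Advisories as stated in the issue. inflight has no fixed version,
// so every installed copy of it is reported.
const ADVISORIES = [
  { name: 'brace-expansion', fixedIn: '1.1.12', id: 'CVE-2025-5889' },
  { name: 'inflight', fixedIn: null, id: 'SNYK-JS-INFLIGHT-6095116' },
];

// Minimal numeric semver comparison (x.y.z only; prerelease tags ignored).
function versionLess(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// lockPackages: the "packages" object of package-lock.json, keyed by install
// path (e.g. "node_modules/glob/node_modules/brace-expansion" for nested copies).
// Returns one finding per installed copy that is below the fixed version.
function findVulnerable(lockPackages) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockPackages)) {
    if (!path || !meta.version) continue; // skip the root ("") entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    for (const adv of ADVISORIES) {
      if (name !== adv.name) continue;
      if (adv.fixedIn === null || versionLess(meta.version, adv.fixedIn)) {
        findings.push({ path, name, version: meta.version, id: adv.id });
      }
    }
  }
  return findings;
}

// Constructed lockfile excerpt following the dependency path in the issue.
const SAMPLE_LOCK = {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/@gorules/jdm-editor': { version: '1.47.0' },
  'node_modules/exceljs': { version: '4.4.0' },
  'node_modules/archiver': { version: '5.3.2' },
  'node_modules/archiver-utils': { version: '2.1.0' },
  'node_modules/glob': { version: '7.2.3' },
  'node_modules/inflight': { version: '1.0.6' },
  'node_modules/minimatch': { version: '3.1.2' },
  'node_modules/brace-expansion': { version: '1.1.11' },
};

// The same tree after the brace-expansion override has been applied; only the
// unfixable inflight finding should remain.
const SAMPLE_LOCK_OVERRIDDEN = { ...SAMPLE_LOCK, 'node_modules/brace-expansion': { version: '1.1.12' } };

console.log('before override:', findVulnerable(SAMPLE_LOCK));
console.log('after override:', findVulnerable(SAMPLE_LOCK_OVERRIDDEN));
```

Replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json')).packages` to run it against a real tree; an override cannot address inflight, since no fixed release exists.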