
Fix CVE-2026-44573 #1059

Merged
alexvpickering merged 4 commits into master from fix-cve-2026-44573 on May 19, 2026

Conversation

@alexvpickering
Contributor

@alexvpickering alexvpickering commented May 19, 2026

Description

bump versions and refactor to fix CVE-2026-44573

Details

URL to issue

N/A

Link to staging deployment URL (or set N/A)

N/A

Links to any PRs or resources related to this PR

Integration test branch

master

Merge checklist

Your changes will be ready for merging after all of the steps below have been completed.

Code updates

Have best practices and ongoing refactors been observed in this PR?

  • Migrated any selector / reducer used to the new format.
  • All new dependency licenses have been checked for compatibility.

Manual/unit testing

  • Tested changes using InfraMock locally or no tests required for change, e.g. Kubernetes chart updates.
  • Validated that current unit tests for code work as expected and are sufficient for code coverage or no unit tests required for change, e.g. documentation update.
  • Unit tests written or no unit tests required for change, e.g. documentation update.

Integration testing

You must check the box below to run integration tests on the latest commit on your PR branch.
Integration tests have to pass before the PR can be merged. Without checking the box, your PR
will not pass the required status checks for merging.

  • Started end-to-end tests on the latest commit.

Documentation updates

  • Relevant Github READMEs updated or no GitHub README updates required.
  • Relevant Wiki pages created/updated or no Wiki updates required.

Optional

  • Staging environment is unstaged before merging.
  • Photo of a cute animal attached to this PR.

Signed-off-by: Alex Pickering <alexvpickering@gmail.com>
Signed-off-by: Alex Pickering <alexvpickering@gmail.com>
@alexvpickering alexvpickering added the safe to run Sensitive jobs are safe to be run label May 19, 2026
@dbmi-svc-checkmarx

dbmi-svc-checkmarx commented May 19, 2026

Checkmarx One – Scan Summary & Details (scan id 80b08cee-9376-47d2-a191-f7d756955255)


New Issues (6): Checkmarx found the following issues in this Pull Request

1. HIGH: CVE-2026-45736 (Npm-ws-8.14.2)
   Details: Recommended version: 8.20.1
   Description: ws is an open source WebSocket client and server for Node.js. In versions 8.0.0 prior to 8.20.1, the `websocket.close()` implementation is vulnerab...
   Attack Vector: NETWORK; Attack Complexity: LOW
   Checkmarx Insight: Vulnerable Package

2. HIGH: Missing User Instruction (Dockerfile: 2)
   Details: Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.

3. MEDIUM: CVE-2026-41650 (Npm-fast-xml-parser-4.2.5)
   Details: Recommended version: 5.7.0
   Description: fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not ...
   Attack Vector: NETWORK; Attack Complexity: LOW
   Checkmarx Insight: Vulnerable Package

4. MEDIUM: Unpinned Package Version in Apk Add (Dockerfile: 14)
   Details: Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes.

5. LOW: Healthcheck Instruction Missing (Dockerfile: 2)
   Details: Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working.

6. LOW: Multiple RUN, ADD, COPY Instructions Listed (Dockerfile: 14)
   Details: Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.

Fixed Issues (26): Great job! The following issues were fixed in this Pull Request

Severity | Issue | Source File / Package
CRITICAL CVE-2026-4800 Npm-lodash-4.17.21
HIGH CVE-2024-39338 Npm-axios-1.6.0
HIGH CVE-2024-39338 Npm-axios-1.6.2
HIGH CVE-2025-27152 Npm-axios-1.6.0
HIGH CVE-2025-27152 Npm-axios-1.6.2
HIGH CVE-2025-57822 Npm-next-12.3.5
HIGH CVE-2025-58754 Npm-axios-1.6.0
HIGH CVE-2025-58754 Npm-axios-1.6.2
HIGH CVE-2025-59471 Npm-next-12.3.5
HIGH CVE-2026-25639 Npm-axios-1.6.2
HIGH CVE-2026-25639 Npm-axios-1.6.0
HIGH CVE-2026-45109 Npm-next-12.3.5
HIGH Missing User Instruction Dockerfile: 2
MEDIUM CVE-2023-26159 Npm-follow-redirects-1.15.3
MEDIUM CVE-2023-44270 Npm-postcss-8.4.14
MEDIUM CVE-2024-28849 Npm-follow-redirects-1.15.3
MEDIUM CVE-2024-55565 Npm-nanoid-3.3.7
MEDIUM CVE-2025-27789 Npm-@babel/helpers-7.23.2
MEDIUM CVE-2025-57752 Npm-next-12.3.5
MEDIUM CVE-2026-27980 Npm-next-12.3.5
MEDIUM CVE-2026-40895 Npm-follow-redirects-1.15.3
MEDIUM Unpinned Package Version in Apk Add Dockerfile: 14
LOW CVE-2025-30218 Npm-next-12.3.5
LOW CVE-2025-55173 Npm-next-12.3.5
LOW Healthcheck Instruction Missing Dockerfile: 2
LOW Multiple RUN, ADD, COPY, Instructions Listed Dockerfile: 14

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

Signed-off-by: Alex Pickering <alexvpickering@gmail.com>
@github-actions
Contributor

📦 Next.js Bundle Analysis for ui

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page Size (compressed)
global 684.9 KB (🟡 +110.47 KB)
Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

Twenty-one Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page Size (compressed) First Load
/401 226 B (🟢 -13 B) 685.12 KB
/404 228 B (🟢 -12 B) 685.12 KB
/_error 229 B (🟢 -13 B) 685.12 KB
/data-management 202.1 KB (🟢 -55.87 KB) 886.99 KB
/experiments/[experimentId]/data-exploration 1.47 MB (🟢 -12 KB) 2.13 MB
/experiments/[experimentId]/data-processing 489.9 KB (🟢 -45.81 KB) 1.15 MB
/experiments/[experimentId]/plots-and-tables 11.88 KB (🟢 -3.97 KB) 696.78 KB
/experiments/[experimentId]/plots-and-tables/batch-differential-expression 64.47 KB (🟢 -12.49 KB) 749.37 KB
/experiments/[experimentId]/plots-and-tables/dot-plot 445.1 KB (🟢 -48.08 KB) 1.1 MB
/experiments/[experimentId]/plots-and-tables/embedding-categorical 445.66 KB (🟢 -37.98 KB) 1.1 MB
/experiments/[experimentId]/plots-and-tables/embedding-continuous 465.94 KB (🟢 -47.22 KB) 1.12 MB
/experiments/[experimentId]/plots-and-tables/frequency 446.95 KB (🟢 -38.32 KB) 1.11 MB
/experiments/[experimentId]/plots-and-tables/marker-heatmap 535.3 KB (🟢 -48.75 KB) 1.19 MB
/experiments/[experimentId]/plots-and-tables/normalized-matrix 139.53 KB (🟢 -33.5 KB) 824.43 KB
/experiments/[experimentId]/plots-and-tables/spatial-categorical 893.02 KB (🟢 -8.3 KB) 1.54 MB
/experiments/[experimentId]/plots-and-tables/spatial-feature 894.86 KB (🟢 -8.08 KB) 1.54 MB
/experiments/[experimentId]/plots-and-tables/trajectory-analysis 448.82 KB (🟢 -37.54 KB) 1.11 MB
/experiments/[experimentId]/plots-and-tables/violin 467.04 KB (🟢 -47.36 KB) 1.12 MB
/experiments/[experimentId]/plots-and-tables/volcano 451.39 KB (🟢 -37.54 KB) 1.11 MB
/repository 106.39 KB (🟢 -30.25 KB) 791.29 KB
/settings/profile 18.24 KB (🟢 -7.42 KB) 703.14 KB
Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this.

Signed-off-by: Alex Pickering <alexvpickering@gmail.com>
@github-actions
Contributor

📦 Next.js Bundle Analysis for ui

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page Size (compressed)
global 684.9 KB (🟡 +110.47 KB)
Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

Twenty-one Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page Size (compressed) First Load
/401 226 B (🟢 -13 B) 685.12 KB
/404 228 B (🟢 -12 B) 685.12 KB
/_error 229 B (🟢 -13 B) 685.12 KB
/data-management 202.1 KB (🟢 -55.87 KB) 886.99 KB
/experiments/[experimentId]/data-exploration 1.47 MB (🟢 -11.95 KB) 2.13 MB
/experiments/[experimentId]/data-processing 489.9 KB (🟢 -45.81 KB) 1.15 MB
/experiments/[experimentId]/plots-and-tables 11.88 KB (🟢 -3.97 KB) 696.78 KB
/experiments/[experimentId]/plots-and-tables/batch-differential-expression 64.47 KB (🟢 -12.49 KB) 749.37 KB
/experiments/[experimentId]/plots-and-tables/dot-plot 445.1 KB (🟢 -48.08 KB) 1.1 MB
/experiments/[experimentId]/plots-and-tables/embedding-categorical 445.66 KB (🟢 -37.98 KB) 1.1 MB
/experiments/[experimentId]/plots-and-tables/embedding-continuous 465.94 KB (🟢 -47.22 KB) 1.12 MB
/experiments/[experimentId]/plots-and-tables/frequency 446.95 KB (🟢 -38.32 KB) 1.11 MB
/experiments/[experimentId]/plots-and-tables/marker-heatmap 535.3 KB (🟢 -48.75 KB) 1.19 MB
/experiments/[experimentId]/plots-and-tables/normalized-matrix 139.53 KB (🟢 -33.5 KB) 824.43 KB
/experiments/[experimentId]/plots-and-tables/spatial-categorical 893.02 KB (🟢 -8.3 KB) 1.54 MB
/experiments/[experimentId]/plots-and-tables/spatial-feature 894.86 KB (🟢 -8.08 KB) 1.54 MB
/experiments/[experimentId]/plots-and-tables/trajectory-analysis 448.82 KB (🟢 -37.54 KB) 1.11 MB
/experiments/[experimentId]/plots-and-tables/violin 467.04 KB (🟢 -47.36 KB) 1.12 MB
/experiments/[experimentId]/plots-and-tables/volcano 451.39 KB (🟢 -37.54 KB) 1.11 MB
/repository 106.39 KB (🟢 -30.25 KB) 791.29 KB
/settings/profile 18.24 KB (🟢 -7.42 KB) 703.14 KB
Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this.

@alexvpickering alexvpickering merged commit 99a7684 into master May 19, 2026
14 checks passed
@alexvpickering alexvpickering deleted the fix-cve-2026-44573 branch May 19, 2026 19:07