build(deps): bump the npm_and_yarn group across 2 directories with 2 updates #2094

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/docs/npm_and_yarn-8ba767eaa2

Conversation

dependabot bot commented on behalf of github, Mar 27, 2026

Bumps the npm_and_yarn group with 1 update in the /docs directory: astro.
Bumps the npm_and_yarn group with 1 update in the /packages/vibecode-cli directory: handlebars.

Updates astro from 5.16.11 to 5.18.1

Release notes

Sourced from astro's releases.

astro@5.18.1

Patch Changes

  • Updated dependencies [c2cd371]:
    • @astrojs/internal-helpers@0.7.6
    • @astrojs/markdown-remark@6.3.11
Changelog

Sourced from astro's changelog.

5.18.1

Patch Changes

  • Updated dependencies [c2cd371]:
    • @astrojs/internal-helpers@0.7.6
    • @astrojs/markdown-remark@6.3.11

5.18.0

Minor Changes

  • #15589 b7dd447 Thanks @qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

    This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

    If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

    // astro.config.mjs
    import { defineConfig } from 'astro/config';

    export default defineConfig({
      security: {
        // Raise the Actions request-body limit from the 1 MB default to 10 MB.
        actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
      },
    });

Patch Changes

  • #15594 efae11c Thanks @qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

  • #15564 522f880 Thanks @matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

  • #15569 e01e98b Thanks @matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

  • c13b536 Thanks @matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

... (truncated)

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

  • fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
  • fix type "RuntimeOptions" also accepting string partials - eab1d14
  • feat(types): set hash to be a Record<string, any> - de4414d
  • fix non-contiguous program indices - 4512766
  • refactor: rename i to startPartIndex - e497a35
  • security: fix security issues - 68d8df5

Commits
  • dce542c v4.7.9
  • 8a41389 Update release notes
  • 68d8df5 Fix security issues
  • b2a0831 Fix browser tests
  • 9f98c16 Fix release script
  • 45443b4 Revert "Improve partial indenting performance"
  • 8841a5f Fix CI errors with linting
  • e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
  • e914d60 Improve rendering performance
  • 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


…updates

Bumps the npm_and_yarn group with 1 update in the /docs directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro).
Bumps the npm_and_yarn group with 1 update in the /packages/vibecode-cli directory: [handlebars](https://github.com/handlebars-lang/handlebars.js).


Updates `astro` from 5.16.11 to 5.18.1
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/astro@5.18.1/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@5.18.1/packages/astro)

Updates `handlebars` from 4.7.8 to 4.7.9
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 5.18.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
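
A streaming body-size guard of the kind the astro 5.17.3 and 5.18.0 changelog entries above describe (a 1 MB default cap on Actions request bodies, raised through `security.actionBodySizeLimit`), as an added example that is not Astro's code and not part of this PR. It assumes a request object with lowercase `headers` and a synchronous iterable of body `chunks` (a hypothetical shape chosen so the logic is easy to exercise; a real handler iterates an async stream and destroys the socket on rejection). The security point it makes: Content-Length is only a cheap early reject, since it can be absent under chunked encoding or simply false; the byte count taken while reading is what actually enforces the limit.

```javascript
// Added illustrative example, not Astro's implementation.
// Shape of `req` ({ headers, chunks }) is an assumption for this demo.

const DEFAULT_BODY_SIZE_LIMIT = 1024 * 1024; // 1 MB, the default the changelog describes

class BodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`request body exceeds ${limit} bytes (received at least ${seen})`);
    this.name = 'BodyTooLargeError';
    this.status = 413; // Payload Too Large
    this.limit = limit;
    this.seen = seen;
  }
}

// Fast path: refuse requests whose declared length already exceeds the limit.
// Returns true when the request may proceed to the streaming check; a missing
// header (chunked transfer) is allowed through because the stream check decides.
function contentLengthWithinLimit(headers, limit) {
  const raw = headers['content-length'];
  if (raw === undefined) return true;
  if (!/^\d+$/.test(String(raw))) return false; // malformed or negative: refuse
  return Number(raw) <= limit;
}

// Authoritative check: count bytes as chunks arrive and abort the moment the
// running total passes the limit, so an oversized body is never buffered whole.
function readBodyWithLimit(chunks, limit = DEFAULT_BODY_SIZE_LIMIT) {
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk); // strings counted as UTF-8 bytes
    received += buf.length;
    if (received > limit) throw new BodyTooLargeError(limit, received);
    parts.push(buf);
  }
  return Buffer.concat(parts);
}

// Handler-style wrapper: header check first, streaming check second,
// mapping the error to an HTTP 413 instead of letting it propagate.
function handleActionRequest(req, { actionBodySizeLimit = DEFAULT_BODY_SIZE_LIMIT } = {}) {
  if (!contentLengthWithinLimit(req.headers, actionBodySizeLimit)) {
    return { status: 413, body: null };
  }
  try {
    return { status: 200, body: readBodyWithLimit(req.chunks, actionBodySizeLimit) };
  } catch (err) {
    if (err instanceof BodyTooLargeError) return { status: 413, body: null };
    throw err;
  }
}

// Usage, mirroring the config example in the changelog:
//   handleActionRequest(req, { actionBodySizeLimit: 10 * 1024 * 1024 });

module.exports = { DEFAULT_BODY_SIZE_LIMIT, BodyTooLargeError, contentLengthWithinLimit, readBodyWithLimit, handleActionRequest };
```

The limit is inclusive (a body of exactly the configured size is accepted), and string chunks are measured after UTF-8 encoding, not by character count, which is the difference an attacker would exploit if the guard counted characters.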
dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code), Mar 27, 2026
dependabot bot requested a review from ryanmaclean as a code owner, March 27, 2026 02:58
github-actions bot commented:

Dependency Audit Results

# npm audit report

@hono/node-server  <1.19.10
Severity: high
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - https://github.com/advisories/GHSA-wc8c-qw6v-h7f6
fix available via `npm audit fix --force`
Will install prisma@6.19.2, which is a breaking change
node_modules/@hono/node-server
  @prisma/dev  <=0.22.0
  Depends on vulnerable versions of @hono/node-server
  node_modules/@prisma/dev
    prisma  >=6.13.0-dev.1
    Depends on vulnerable versions of @prisma/config
    Depends on vulnerable versions of @prisma/dev
    node_modules/prisma

basic-ftp  <5.2.0
Severity: critical
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method - https://github.com/advisories/GHSA-5rq4-664w-9x2c
fix available via `npm audit fix`
node_modules/basic-ftp

brace-expansion  <5.0.5
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix --force`
Will install @eslint/eslintrc@0.1.0, which is a breaking change
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint-plugin-import/node_modules/brace-expansion
node_modules/eslint-plugin-jsx-a11y/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion
node_modules/test-exclude/node_modules/brace-expansion
  minimatch  2.0.0 - 10.0.2
  Depends on vulnerable versions of brace-expansion
  node_modules/@eslint/config-array/node_modules/minimatch
  node_modules/@eslint/eslintrc/node_modules/minimatch
  node_modules/@sentry/node/node_modules/minimatch
  node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
  node_modules/eslint-plugin-import/node_modules/minimatch
  node_modules/eslint-plugin-jsx-a11y/node_modules/minimatch
  node_modules/eslint-plugin-react/node_modules/minimatch
  node_modules/eslint/node_modules/minimatch
  node_modules/glob/node_modules/minimatch
  node_modules/readdir-glob/node_modules/minimatch
  node_modules/test-exclude/node_modules/minimatch
    @eslint/config-array  <=0.22.0
    Depends on vulnerable versions of minimatch
    node_modules/@eslint/config-array
      eslint  0.12.0 - 2.0.0-rc.1 || 4.1.0 - 10.0.0-rc.2
      Depends on vulnerable versions of @eslint/config-array
      Depends on vulnerable versions of @eslint/eslintrc
      Depends on vulnerable versions of minimatch
      node_modules/eslint
    @eslint/eslintrc  0.0.1 || >=0.1.1
    Depends on vulnerable versions of minimatch
    node_modules/@eslint/eslintrc
    @sentry/node  9.21.0 - 10.39.0
    Depends on vulnerable versions of minimatch
    node_modules/@sentry/node
      lighthouse  12.6.1-dev.20250602 - 12.6.1-dev.20250626 || >=12.7.0-dev.20250627
      Depends on vulnerable versions of @sentry/node
      node_modules/lighthouse
    @typescript-eslint/typescript-estree  6.16.0 - 8.56.1-alpha.2
    Depends on vulnerable versions of minimatch
    node_modules/@typescript-eslint/typescript-estree
      @typescript-eslint/parser  6.16.0 - 8.56.1-alpha.2
      Depends on vulnerable versions of @typescript-eslint/typescript-estree
      node_modules/@typescript-eslint/parser
        typescript-eslint  <=8.56.1-alpha.2
        Depends on vulnerable versions of @typescript-eslint/eslint-plugin
        Depends on vulnerable versions of @typescript-eslint/parser
        Depends on vulnerable versions of @typescript-eslint/typescript-estree
        Depends on vulnerable versions of @typescript-eslint/utils
        node_modules/typescript-eslint
      @typescript-eslint/type-utils  6.16.0 - 8.56.1-alpha.2
      Depends on vulnerable versions of @typescript-eslint/typescript-estree
      Depends on vulnerable versions of @typescript-eslint/utils
      node_modules/@typescript-eslint/type-utils
        @typescript-eslint/eslint-plugin  6.16.0 - 8.56.1-alpha.2
        Depends on vulnerable versions of @typescript-eslint/type-utils
        Depends on vulnerable versions of @typescript-eslint/utils
        node_modules/@typescript-eslint/eslint-plugin
      @typescript-eslint/utils  6.16.0 - 8.56.1-alpha.2
      Depends on vulnerable versions of @typescript-eslint/typescript-estree
      node_modules/@typescript-eslint/utils
    eslint-plugin-import  >=1.15.0
    Depends on vulnerable versions of minimatch
    node_modules/eslint-plugin-import
      eslint-config-next  >=10.2.1-canary.2
      Depends on vulnerable versions of eslint-plugin-import
      Depends on vulnerable versions of eslint-plugin-jsx-a11y
      Depends on vulnerable versions of eslint-plugin-react
      node_modules/eslint-config-next
    eslint-plugin-jsx-a11y  >=6.5.0
    Depends on vulnerable versions of minimatch
    node_modules/eslint-plugin-jsx-a11y
    eslint-plugin-react  >=7.23.0
    Depends on vulnerable versions of minimatch
    node_modules/eslint-plugin-react
    glob  4.3.0 - 10.5.0
    Depends on vulnerable versions of minimatch
    node_modules/glob
    node_modules/test-exclude/node_modules/glob
      @datadog/datadog-ci-base  <=5.9.0
      Depends on vulnerable versions of glob
      Depends on vulnerable versions of simple-git
      node_modules/@datadog/datadog-ci-base
        @datadog/datadog-ci  3.21.1 - 5.9.0
        Depends on vulnerable versions of @datadog/datadog-ci-base
        Depends on vulnerable versions of @datadog/datadog-ci-plugin-coverage
        Depends on vulnerable versions of @datadog/datadog-ci-plugin-deployment
        Depends on vulnerable versions of @datadog/datadog-ci-plugin-dora
        Depends on vulnerable versions of @datadog/datadog-ci-plugin-sarif
        Depends on vulnerable versions of @datadog/datadog-ci-plugin-sbom
        node_modules/@datadog/datadog-ci
      @jest/reporters  *
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of glob
      node_modules/@jest/reporters
      archiver-utils  >=0.2.0
      Depends on vulnerable versions of glob
      node_modules/archiver-utils
        archiver  >=0.20.0
        Depends on vulnerable versions of archiver-utils
        Depends on vulnerable versions of readdir-glob
        Depends on vulnerable versions of zip-stream
        node_modules/archiver
          testcontainers  >=7.1.0
          Depends on vulnerable versions of archiver
          node_modules/testcontainers
        zip-stream  0.8.0 - 6.0.1
        Depends on vulnerable versions of archiver-utils
        node_modules/zip-stream
      jest-config  >=19.1.0-alpha.eed82034
      Depends on vulnerable versions of babel-jest
      Depends on vulnerable versions of glob
      Depends on vulnerable versions of jest-circus
      Depends on vulnerable versions of jest-runner
      node_modules/jest-config
        @jest/core  *
        Depends on vulnerable versions of @jest/reporters
        Depends on vulnerable versions of @jest/transform
        Depends on vulnerable versions of jest-config
        Depends on vulnerable versions of jest-resolve-dependencies
        Depends on vulnerable versions of jest-runner
        Depends on vulnerable versions of jest-runtime
        Depends on vulnerable versions of jest-snapshot
        node_modules/@jest/core
          jest  >=19.1.0-alpha.eed82034
          Depends on vulnerable versions of @jest/core
          Depends on vulnerable versions of jest-cli
          node_modules/jest
          jest-cli  >=19.1.0-alpha.eed82034
          Depends on vulnerable versions of @jest/core
          Depends on vulnerable versions of jest-config
          node_modules/jest-cli
      jest-runtime  >=24.0.0-alpha.0
      Depends on vulnerable versions of @jest/globals
      Depends on vulnerable versions of @jest/transform
      Depends on vulnerable versions of glob
      Depends on vulnerable versions of jest-snapshot
      node_modules/jest-runtime
        jest-circus  >=25.2.4
        Depends on vulnerable versions of @jest/expect
        Depends on vulnerable versions of jest-runtime
        Depends on vulnerable versions of jest-snapshot
        node_modules/jest-circus
        jest-runner  >=24.0.0-alpha.0
        Depends on vulnerable versions of @jest/transform
        Depends on vulnerable versions of jest-runtime
        node_modules/jest-runner
      test-exclude  4.2.2 || 5.0.0 - 7.0.2
      Depends on vulnerable versions of glob
      Depends on vulnerable versions of minimatch
      node_modules/test-exclude
        babel-plugin-istanbul  >=5.0.1
        Depends on vulnerable versions of test-exclude
        node_modules/babel-plugin-istanbul
          @jest/transform  *
          Depends on vulnerable versions of babel-plugin-istanbul
          node_modules/@jest/transform
            babel-jest  >=24.0.0-alpha.0
            Depends on vulnerable versions of @jest/transform
            Depends on vulnerable versions of babel-plugin-istanbul
            node_modules/babel-jest
            jest-snapshot  >=27.0.0-next.0
            Depends on vulnerable versions of @jest/transform
            node_modules/jest-snapshot
              @jest/expect  *
              Depends on vulnerable versions of jest-snapshot
              node_modules/@jest/expect
                @jest/globals  >=28.0.0-alpha.0
                Depends on vulnerable versions of @jest/expect
                node_modules/@jest/globals
              jest-resolve-dependencies  >=27.0.0-next.0
              Depends on vulnerable versions of jest-snapshot
              node_modules/jest-resolve-dependencies
    readdir-glob  <=2.0.3
    Depends on vulnerable versions of minimatch
    node_modules/readdir-glob

dompurify  3.1.3 - 3.3.1
Severity: moderate
DOMPurify contains a Cross-site Scripting vulnerability - https://github.com/advisories/GHSA-v2wj-7wpq-c8vv
fix available via `npm audit fix --force`
Will install monaco-editor@0.53.0, which is a breaking change
node_modules/dompurify
  monaco-editor  >=0.54.0-dev-20250909
  Depends on vulnerable versions of dompurify
  node_modules/monaco-editor

effect  <3.20.0
Severity: high
Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC - https://github.com/advisories/GHSA-38f7-945m-qr2g
fix available via `npm audit fix --force`
Will install prisma@6.19.2, which is a breaking change
node_modules/effect
  @prisma/config  6.13.0-dev.1 - 7.6.0-integration-feat-prisma-bootstrap.1
  Depends on vulnerable versions of effect
  node_modules/@prisma/config

express-rate-limit  8.2.0 - 8.2.1
Severity: high
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network - https://github.com/advisories/GHSA-46wh-pxpv-q5gq
fix available via `npm audit fix`
node_modules/express-rate-limit

fast-xml-parser  4.0.0-beta.3 - 5.5.6
Severity: high
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder - https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) - https://github.com/advisories/GHSA-8gc5-j5rx-235r
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - https://github.com/advisories/GHSA-jp2q-39xq-3w4g
fix available via `npm audit fix`
node_modules/fast-xml-parser
  @aws-sdk/xml-builder  3.894.0 - 3.972.8
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/xml-builder

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

hono  <=4.12.6
Severity: high
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo - https://github.com/advisories/GHSA-xh87-mx6m-69f3
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() - https://github.com/advisories/GHSA-5pq2-9x2x-5p6w
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() - https://github.com/advisories/GHSA-p6xx-57qc-3wxr
Hono vulnerable to arbitrary file access via serveStatic vulnerability  - https://github.com/advisories/GHSA-q5qw-h33p-qvwr
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) - https://github.com/advisories/GHSA-v8w9-8mx6-g223
fix available via `npm audit fix`
node_modules/hono

next  16.0.0-beta.0 - 16.1.6
Severity: moderate
Next.js: HTTP request smuggling in rewrites - https://github.com/advisories/GHSA-ggv3-7p47-pfv8
Next.js: Unbounded next/image disk cache growth can exhaust storage - https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
Next.js: Unbounded postponed resume buffering can lead to DoS - https://github.com/advisories/GHSA-h27x-g6w4-24gq
Next.js: null origin can bypass Server Actions CSRF checks - https://github.com/advisories/GHSA-mq59-m269-xvcx
Next.js: null origin can bypass dev HMR websocket CSRF checks - https://github.com/advisories/GHSA-jcc7-9wpm-mj36
fix available via `npm audit fix --force`
Will install next@16.2.1, which is outside the stated dependency range
node_modules/next

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
fix available via `npm audit fix`
node_modules/jest-util/node_modules/picomatch
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install terser-webpack-plugin@5.4.0, which is outside the stated dependency range
node_modules/serialize-javascript
  terser-webpack-plugin  <=5.3.16
  Depends on vulnerable versions of serialize-javascript
  node_modules/terser-webpack-plugin

simple-git  3.15.0 - 3.32.2
Severity: critical
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE - https://github.com/advisories/GHSA-r275-fr43-pm7q
fix available via `npm audit fix --force`
Will install @datadog/datadog-ci@5.10.0, which is outside the stated dependency range
node_modules/simple-git
  @datadog/datadog-ci-plugin-coverage  5.3.0 - 5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-coverage
  @datadog/datadog-ci-plugin-deployment  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-deployment
  @datadog/datadog-ci-plugin-dora  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-dora
  @datadog/datadog-ci-plugin-sarif  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sarif
  @datadog/datadog-ci-plugin-sbom  <=5.9.0
  Depends on vulnerable versions of simple-git
  node_modules/@datadog/datadog-ci-plugin-sbom

socket.io-parser  4.0.0 - 4.2.5
Severity: high
socket.io allows an unbounded number of binary attachments - https://github.com/advisories/GHSA-677m-j7p3-52f9
fix available via `npm audit fix`
node_modules/socket.io-parser

undici  7.0.0 - 7.23.0
Severity: high
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - https://github.com/advisories/GHSA-phc3-fgpg-7m6h
fix available via `npm audit fix`
node_modules/undici

yaml  1.0.0 - 1.10.2 || 2.0.0 - 2.8.2
Severity: moderate
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
fix available via `npm audit fix`
node_modules/cosmiconfig/node_modules/yaml
node_modules/yaml

67 vulnerabilities (1 low, 43 moderate, 14 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

github-actions bot commented:

PR Analysis 📊

Changed Files Summary:

  • JavaScript/TypeScript files: 0
  • Test files: 0
  • Documentation files: 0
  • Configuration files: 1

CI Status: Running automated checks...

github-actions bot commented:

🔒 Security Audit Results

Secret Scanning: No secrets detected
⚠️ Environment Config: Missing variables
NPM Audit: Critical/High vulnerabilities
Secret Patterns: None detected


📊 View full results: Security Audit Summary
⏱️ Duration: < 2 minutes

github-actions bot commented:

Quick Checks Results

Check Status
ESLint
TypeScript

✅ All quick checks passed!

github-actions bot commented:

Build Status ✅ Build successful

✅ Build completed successfully!

github-actions bot commented:

Test Results ✅ Passed

Test Suites: 57 failed, 5 skipped, 488 passed, 545 of 550 total
Tests: 380 failed, 104 skipped, 30 todo, 10665 passed, 11179 total

✅ All tests passed! Ready for review.

View test output

Check the Actions tab for detailed test output.

github-actions bot commented:

PR Status Summary

Check Status
Quick Checks ✅ Passed
Tests ✅ Passed
Build ✅ Passed

All checks passed! This PR is ready to merge. 🎉
