Skip to content

fix(security): npm security fixes (2026-07-06)#1381

Open
github-actions[bot] wants to merge 1 commit into
newjitsufrom
security/fix-npm-2026-07-06
Open

fix(security): npm security fixes (2026-07-06)#1381
github-actions[bot] wants to merge 1 commit into
newjitsufrom
security/fix-npm-2026-07-06

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This PR batches remaining npm security fixes not already covered by open PR #1380.

Included fixes:

  • CVE-2025-25289 (MEDIUM): @octokit/request-error Regular Expression ReDoS risk — @octokit/request-error 2.1.0 -> 5.1.1
  • CVE-2025-25288 (MEDIUM): @octokit/plugin-paginate-rest Regular Expression ReDoS risk — @octokit/plugin-paginate-rest 2.21.3 -> 9.2.2
  • CVE-2025-25290 (MEDIUM): @octokit/request Regular Expression ReDoS risk — @octokit/request 5.6.3 -> 8.4.1
  • CVE-2025-30359 (MEDIUM): webpack-dev-server source exposure vulnerability — webpack-dev-server 4.15.2 -> 5.2.5
  • CVE-2025-30360 (MEDIUM): webpack-dev-server source exposure vulnerability (non-Chromium) — webpack-dev-server 4.15.2 -> 5.2.5
  • CVE-2026-6402 (MEDIUM): webpack-dev-server cross-origin source exposure on non-HTTPS origins — webpack-dev-server 4.15.2 -> 5.2.5
  • CVE-2026-9595 (MEDIUM): webpack-dev-server HMR WebSocket interception via permissive user proxies — webpack-dev-server 4.15.2 -> 5.2.5
  • CVE-2026-34043 (MEDIUM): serialize-javascript CPU DoS via crafted array-like objects — serialize-javascript 6.0.2 -> 7.0.5
  • CVE-2026-53655 (MEDIUM): tar parser interpretation differential (file smuggling) — tar 6.2.1 -> 7.5.16

Verification:

  • pnpm install --no-frozen-lockfile (success)

Skipped (already satisfied / already covered):

Risks:

  • This uses transitive pnpm.overrides and includes major-version jumps for @octokit/request-error, @octokit/plugin-paginate-rest, @octokit/request, webpack-dev-server, serialize-javascript, and tar. These are mostly in tooling/dev dependency paths; if any integration issue appears, split by package family in follow-up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants