Skip to content

fix(deps): vuln minor upgrades — 10 packages (minor: 2 · patch: 8) [packages/tests]#315

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/npm/tests/0-1775512442
Closed

fix(deps): vuln minor upgrades — 10 packages (minor: 2 · patch: 8) [packages/tests]#315
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/npm/tests/0-1775512442

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 bot commented Apr 6, 2026

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • packages/tests (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Vulnerabilities Fixed
rollup 4.45.1 4.60.1 minor 2 HIGH
webpack 5.100.2 5.105.4 minor 4 LOW
@rollup/plugin-commonjs 28.0.1 28.0.9 patch -
@rspack/core 1.4.9 1.4.11 patch -
chalk 2.3.1 2.3.2 patch -
chalk 2.3.1 2.3.2 patch -
chalk 2.3.1 2.3.2 patch -
esbuild 0.25.8 0.25.12 patch -
nock 14.0.1 14.0.11 patch -
react 19.0.0 19.0.4 patch -
react 19.0.0 19.0.4 patch -
react-dom 19.0.0 19.0.4 patch -
react-dom 19.0.0 19.0.4 patch -
react-router-dom 6.28.0 6.28.2 patch -
react-router-dom 6.28.0 6.28.2 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (2 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
rollup GHSA-mw96-cpmx-2vgc HIGH Rollup 4 has Arbitrary File Write via Path Traversal 4.45.1 2.80.0
rollup CVE-2026-27606 HIGH Rollup 4 has Arbitrary File Write via Path Traversal 4.45.1 -
ℹ️ Other Vulnerabilities (4)
Package CVE Severity Summary Unsafe Version Fixed In
webpack GHSA-38r7-794h-5758 LOW webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence 5.100.2 5.104.0
webpack CVE-2025-68157 LOW webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects 5.100.2 -
webpack GHSA-8fgc-7cc6-rx7x LOW webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior 5.100.2 5.104.1
webpack CVE-2025-68458 LOW webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior 5.100.2 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@yoannmoinet yoannmoinet closed this Apr 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yoannmoinet yoannmoinet Awaiting requested review from yoannmoinet yoannmoinet will be requested when the pull request is marked ready for review yoannmoinet is a code owner

Assignees

No one assigned

Labels

adms-custom-action-failed adms-dependency-update adms-high-severity adms-low-severity adms-minor-update adms-mode-all-updates adms-npm campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yoannmoinet