NPM Resource Changed PR-6.2-dev Pending

MacJoom
22 Jun 2026

Just the npm audit fix

MacJoom - open - 22 Jun 2026
MacJoom - change - 22 Jun 2026
Status: New → Pending
joomla-cms-bot - change - 22 Jun 2026
Category: NPM Change
brianteeman - comment - 22 Jun 2026

Would be good if you listed the fixed packages the way Richard does

MacJoom - comment - 22 Jun 2026
  • @babel/*: 16 packages → 7.29.7
  • @cypress/request: 3.0.10 → 4.0.1
  • cypress: 15.14.1 → 15.17.0
  • esbuild: 0.27.4 → 0.27.7 plus 26 platform packages
  • @selderee/plugin-htmlparser2: 0.11.0 → 0.12.0
  • @zone-eu/mailsplit: 5.4.8 → 5.4.12
  • ansi-escapes: 4.3.2 → 7.3.0
  • cli-cursor: 3.1.0 → 5.0.0
  • cli-truncate: 2.1.0 → 5.2.0
  • form-data: 4.0.5 → 4.0.6
  • brace-expansion: 5.0.5 → 5.0.6
  • hasown: 2.0.2 → 2.0.4
  • html-to-text: 9.0.5 → 10.0.0
  • htmlparser2: 8.0.2 → 10.1.0
  • js-yaml: 4.1.1 → 4.2.0
  • leac: 0.6.0 → 0.7.0
  • libmime: 5.3.7 → 5.3.8
  • linkify-it: 5.0.0 → 5.0.1
  • listr2: 3.14.0 → 9.0.5
  • log-update: 4.0.0 → 6.1.0
  • mailparser: 3.9.8 → 3.9.11
  • nodemailer: 8.0.5 → 9.0.1
  • parseley: 0.12.1 → 0.13.1
  • peberminta: 0.9.0 → 0.10.0
  • qs: 6.14.2 → 6.15.2
  • restore-cursor: 3.1.0 → 5.1.0
  • selderee: 0.11.0 → 0.12.0
  • slice-ansi: 3.0.0 → 8.0.0
  • smtp-server: 3.18.4 → 3.19.1
  • tmp: 0.2.5 → 0.2.7
  • wrap-ansi: 7.0.0 → 9.0.2
  • yauzl: 2.10.0 → 3.4.0
tecpromotion - comment - 22 Jun 2026

full history

npm audit fix --dry-run
add @esbuild/win32-x64 0.27.7
add @esbuild/win32-ia32 0.27.7
add @esbuild/win32-arm64 0.27.7
add @esbuild/sunos-x64 0.27.7
add @esbuild/openharmony-arm64 0.27.7
add @esbuild/openbsd-x64 0.27.7
add @esbuild/openbsd-arm64 0.27.7
add @esbuild/netbsd-x64 0.27.7
add @esbuild/netbsd-arm64 0.27.7
add @esbuild/linux-x64 0.27.7
add @esbuild/linux-s390x 0.27.7
add @esbuild/linux-riscv64 0.27.7
add @esbuild/linux-ppc64 0.27.7
add @esbuild/linux-mips64el 0.27.7
add @esbuild/linux-loong64 0.27.7
add @esbuild/linux-ia32 0.27.7
add @esbuild/linux-arm64 0.27.7
add @esbuild/linux-arm 0.27.7
add @esbuild/freebsd-x64 0.27.7
add @esbuild/freebsd-arm64 0.27.7
add @esbuild/darwin-x64 0.27.7
add @esbuild/android-x64 0.27.7
add @esbuild/android-arm64 0.27.7
add @esbuild/android-arm 0.27.7
add @esbuild/aix-ppc64 0.27.7
add sass-embedded-win32-x64 1.98.0
add sass-embedded-win32-arm64 1.98.0
add sass-embedded-unknown-all 1.98.0
add sass-embedded-linux-x64 1.98.0
add sass-embedded-linux-riscv64 1.98.0
add sass-embedded-linux-musl-x64 1.98.0
add sass-embedded-linux-musl-riscv64 1.98.0
add sass-embedded-linux-musl-arm64 1.98.0
add sass-embedded-linux-musl-arm 1.98.0
add sass-embedded-linux-arm64 1.98.0
add sass-embedded-linux-arm 1.98.0
add sass-embedded-darwin-x64 1.98.0
add sass-embedded-android-x64 1.98.0
add sass-embedded-android-riscv64 1.98.0
add sass-embedded-android-arm64 1.98.0
add sass-embedded-android-arm 1.98.0
add sass-embedded-all-unknown 1.98.0
add lightningcss-win32-x64-msvc 1.32.0
add lightningcss-win32-arm64-msvc 1.32.0
add lightningcss-linux-x64-musl 1.32.0
add lightningcss-linux-x64-gnu 1.32.0
add lightningcss-linux-arm64-musl 1.32.0
add lightningcss-linux-arm64-gnu 1.32.0
add lightningcss-linux-arm-gnueabihf 1.32.0
add lightningcss-freebsd-x64 1.32.0
add lightningcss-darwin-x64 1.32.0
add lightningcss-android-arm64 1.32.0
add @rollup/rollup-win32-x64-msvc 4.59.0
add @rollup/rollup-win32-x64-gnu 4.59.0
add @rollup/rollup-win32-ia32-msvc 4.59.0
add @rollup/rollup-win32-arm64-msvc 4.59.0
add @rollup/rollup-openharmony-arm64 4.59.0
add @rollup/rollup-openbsd-x64 4.59.0
add @rollup/rollup-linux-x64-musl 4.59.0
add @rollup/rollup-linux-x64-gnu 4.18.0
add @rollup/rollup-linux-s390x-gnu 4.59.0
add @rollup/rollup-linux-riscv64-musl 4.59.0
add @rollup/rollup-linux-riscv64-gnu 4.59.0
add @rollup/rollup-linux-ppc64-musl 4.59.0
add @rollup/rollup-linux-ppc64-gnu 4.59.0
add @rollup/rollup-linux-loong64-musl 4.59.0
add @rollup/rollup-linux-loong64-gnu 4.59.0
add @rollup/rollup-linux-arm64-musl 4.59.0
add @rollup/rollup-linux-arm64-gnu 4.59.0
add @rollup/rollup-linux-arm-musleabihf 4.59.0
add @rollup/rollup-linux-arm-gnueabihf 4.59.0
add @rollup/rollup-freebsd-x64 4.59.0
add @rollup/rollup-freebsd-arm64 4.59.0
add @rollup/rollup-darwin-x64 4.59.0
add @rollup/rollup-android-arm64 4.59.0
add @rollup/rollup-android-arm-eabi 4.59.0
add @parcel/watcher-win32-x64 2.5.6
add @parcel/watcher-win32-ia32 2.5.6
add @parcel/watcher-win32-arm64 2.5.6
add @parcel/watcher-linux-x64-musl 2.5.6
add @parcel/watcher-linux-x64-glibc 2.5.6
add @parcel/watcher-linux-arm64-musl 2.5.6
add @parcel/watcher-linux-arm64-glibc 2.5.6
add @parcel/watcher-linux-arm-musl 2.5.6
add @parcel/watcher-linux-arm-glibc 2.5.6
add @parcel/watcher-freebsd-x64 2.5.6
add @parcel/watcher-darwin-x64 2.5.6
add @parcel/watcher-android-arm64 2.5.6
add ansi-regex 6.2.2
add strip-ansi 7.2.0
change which-typed-array 1.1.22 => 1.1.20
change vue-eslint-parser 10.4.1 => 10.4.0
change vue 3.5.38 => 3.5.30
change undici-types 8.3.0 => 7.18.2
change typed-array-length 1.0.8 => 1.0.7
remove strip-ansi 6.0.1
remove is-fullwidth-code-point 3.0.0
remove ansi-regex 5.0.1
change ajv 8.20.0 => 8.18.0
change systeminformation 5.31.9 => 5.31.6
add mdn-data 2.27.1
change flat-cache 6.1.22 => 6.1.20
change file-entry-cache 11.1.3 => 11.1.2
change strip-ansi 7.2.0 => 6.0.1
change string.prototype.trimend 1.0.10 => 1.0.9
change string.prototype.trim 1.2.11 => 1.2.10
remove strip-ansi 6.0.1
remove is-fullwidth-code-point 3.0.0
remove ansi-regex 5.0.1
add is-fullwidth-code-point 5.1.0
change side-channel-list 1.0.1 => 1.0.0
change side-channel 1.1.1 => 1.1.0
change semver 7.8.5 => 7.7.4
change sass-embedded-darwin-arm64 1.100.0 => 1.98.0
change sass-embedded 1.100.0 => 1.98.0
change sass 1.100.0 => 1.98.0
add readdirp 4.1.2
add chokidar 4.0.3
change safe-array-concat 1.1.4 => 1.1.3
change rollup 4.62.2 => 4.59.0
add @rollup/rollup-linux-x64-gnu 4.59.0
change resolve 1.22.12 => 1.22.11
change regjsparser 0.13.2 => 0.13.0
change qified 0.10.1 => 0.6.0
remove hookified 2.2.0
change postcss-selector-parser 7.1.4 => 7.1.1
change postcss 8.5.15 => 8.5.12
change pg-protocol 1.15.0 => 1.13.0
change pg-pool 3.14.0 => 3.13.0
change pg-connection-string 2.14.0 => 2.12.0
change pg-cloudflare 1.4.0 => 1.3.0
change pg 8.22.0 => 8.20.0
change lru-cache 11.5.1 => 11.2.6
remove object.entries 1.1.9
change node-releases 2.0.48 => 2.0.27
remove node-exports-info 1.6.0
remove semver 6.3.1
change nanoid 3.3.15 => 3.3.11
change mysql2 3.22.5 => 3.19.1
change mdn-data 2.27.1 => 2.12.2
add ansi-regex 6.2.2
add is-fullwidth-code-point 5.1.0
add strip-ansi 7.2.0
change jsonfile 6.2.1 => 6.2.0
change is-fullwidth-code-point 5.1.0 => 3.0.0
remove is-document.all 1.0.0
change is-core-module 2.16.2 => 2.16.1
change immutable 5.1.6 => 5.1.5
change hashery 1.5.1 => 1.5.0
change minimatch 10.2.5 => 10.2.4
change fuse.js 7.4.2 => 7.1.0
change function.prototype.name 1.2.0 => 1.1.8
change fs-extra 11.3.5 => 11.3.4
change eslint-plugin-vue 10.9.2 => 10.8.0
change eslint-module-utils 2.13.0 => 2.12.1
change eslint-import-resolver-node 0.3.10 => 0.3.9
remove resolve 2.0.0-next.7
change es-to-primitive 1.3.1 => 1.3.0
change es-object-atoms 1.1.2 => 1.1.1
change es-module-shims 2.8.1 => 2.8.0
remove es-abstract-get 1.0.0
change es-abstract 1.24.2 => 1.24.1
change electron-to-chromium 1.5.376 => 1.5.307
change dotenv 17.4.2 => 17.3.1
change diff 8.0.4 => 8.0.3
change dayjs 1.11.21 => 1.11.19
change css-tree 3.2.1 => 3.1.0
change cosmiconfig 9.0.2 => 9.0.1
change core-js-compat 3.49.0 => 3.48.0
change core-js 3.49.0 => 3.48.0
add ansi-regex 6.2.2
add strip-ansi 7.2.0
change choices.js 11.2.3 => 11.2.1
change caniuse-lite 1.0.30001799 => 1.0.30001778
change call-bind 1.0.9 => 1.0.8
change cacheable 2.3.5 => 2.3.3
change browserslist 4.28.2 => 4.28.1
change brace-expansion 1.1.15 => 1.1.13
change baseline-browser-mapping 2.10.38 => 2.10.7
change babel-plugin-polyfill-regenerator 0.6.8 => 0.6.6
change babel-plugin-polyfill-corejs3 0.14.2 => 0.14.0
change babel-plugin-polyfill-corejs2 0.4.17 => 0.4.15
change ansi-regex 6.2.2 => 5.0.1
change ajv 6.15.0 => 6.14.0
change acorn 8.17.0 => 8.16.0
change @vue/shared 3.5.38 => 3.5.30
change @vue/server-renderer 3.5.38 => 3.5.30
change @vue/runtime-dom 3.5.38 => 3.5.30
change @vue/runtime-core 3.5.38 => 3.5.30
change @vue/reactivity 3.5.38 => 3.5.30
change @vue/compiler-ssr 3.5.38 => 3.5.30
change @vue/compiler-sfc 3.5.38 => 3.5.30
change @vue/compiler-dom 3.5.38 => 3.5.30
change @vue/compiler-core 3.5.38 => 3.5.30
change @types/smtp-server 3.5.13 => 3.5.12
change @types/nodemailer 8.0.1 => 7.0.11
change @types/node 26.0.0 => 25.3.3
change @types/estree 1.0.9 => 1.0.8
change @rollup/rollup-darwin-arm64 4.62.2 => 4.59.0
change @rollup/pluginutils 5.4.0 => 5.3.0
change @rollup/plugin-commonjs 29.0.3 => 29.0.2
change @lezer/markdown 1.6.4 => 1.6.3
change @lezer/lr 1.4.10 => 1.4.8
change @lezer/css 1.3.3 => 1.3.1
change @lezer/common 1.5.2 => 1.5.1
remove @humanfs/types 0.15.0
change @humanfs/node 0.16.8 => 0.16.7
change @humanfs/core 0.19.2 => 0.19.1
change @csstools/css-syntax-patches-for-csstree 1.1.5 => 1.0.29
change @codemirror/view 6.43.1 => 6.40.0
change @codemirror/search 6.7.1 => 6.6.0
change @codemirror/lint 6.9.7 => 6.9.5
change @codemirror/language 6.12.3 => 6.12.2
change @codemirror/autocomplete 6.20.3 => 6.20.1
change @cacheable/utils 2.4.1 => 2.4.0
change @cacheable/memory 2.0.9 => 2.0.8
change @bufbuild/protobuf 2.12.0 => 2.11.0
change @babel/preset-env 7.29.7 => 7.29.0
change @babel/plugin-transform-unicode-sets-regex 7.29.7 => 7.28.6
change @babel/plugin-transform-unicode-regex 7.29.7 => 7.27.1
change @babel/plugin-transform-unicode-property-regex 7.29.7 => 7.28.6
change @babel/plugin-transform-unicode-escapes 7.29.7 => 7.27.1
change @babel/plugin-transform-typeof-symbol 7.29.7 => 7.27.1
change @babel/plugin-transform-template-literals 7.29.7 => 7.27.1
change @babel/plugin-transform-sticky-regex 7.29.7 => 7.27.1
change @babel/plugin-transform-spread 7.29.7 => 7.28.6
change @babel/plugin-transform-shorthand-properties 7.29.7 => 7.27.1
change @babel/plugin-transform-reserved-words 7.29.7 => 7.27.1
change @babel/plugin-transform-regexp-modifiers 7.29.7 => 7.28.6
change @babel/plugin-transform-regenerator 7.29.7 => 7.29.0
change @babel/plugin-transform-property-literals 7.29.7 => 7.27.1
change @babel/plugin-transform-private-property-in-object 7.29.7 => 7.28.6
change @babel/plugin-transform-private-methods 7.29.7 => 7.28.6
change @babel/plugin-transform-parameters 7.29.7 => 7.27.7
change @babel/plugin-transform-optional-chaining 7.29.7 => 7.28.6
change @babel/plugin-transform-optional-catch-binding 7.29.7 => 7.28.6
change @babel/plugin-transform-object-super 7.29.7 => 7.27.1
change @babel/plugin-transform-object-rest-spread 7.29.7 => 7.28.6
change @babel/plugin-transform-numeric-separator 7.29.7 => 7.28.6
change @babel/plugin-transform-nullish-coalescing-operator 7.29.7 => 7.28.6
change @babel/plugin-transform-new-target 7.29.7 => 7.27.1
change @babel/plugin-transform-named-capturing-groups-regex 7.29.7 => 7.29.0
change @babel/plugin-transform-modules-umd 7.29.7 => 7.27.1
change @babel/plugin-transform-modules-systemjs 7.29.7 => 7.29.4
change @babel/plugin-transform-modules-commonjs 7.29.7 => 7.28.6
change @babel/plugin-transform-modules-amd 7.29.7 => 7.27.1
change @babel/plugin-transform-member-expression-literals 7.29.7 => 7.27.1
change @babel/plugin-transform-logical-assignment-operators 7.29.7 => 7.28.6
change @babel/plugin-transform-literals 7.29.7 => 7.27.1
change @babel/plugin-transform-json-strings 7.29.7 => 7.28.6
change @babel/plugin-transform-function-name 7.29.7 => 7.27.1
change @babel/plugin-transform-for-of 7.29.7 => 7.27.1
change @babel/plugin-transform-export-namespace-from 7.29.7 => 7.27.1
change @babel/plugin-transform-exponentiation-operator 7.29.7 => 7.28.6
change @babel/plugin-transform-explicit-resource-management 7.29.7 => 7.28.6
change @babel/plugin-transform-dynamic-import 7.29.7 => 7.27.1
change @babel/plugin-transform-duplicate-named-capturing-groups-regex 7.29.7 => 7.29.0
change @babel/plugin-transform-duplicate-keys 7.29.7 => 7.27.1
change @babel/plugin-transform-dotall-regex 7.29.7 => 7.28.6
change @babel/plugin-transform-destructuring 7.29.7 => 7.28.5
change @babel/plugin-transform-computed-properties 7.29.7 => 7.28.6
change @babel/plugin-transform-classes 7.29.7 => 7.28.6
change @babel/plugin-transform-class-static-block 7.29.7 => 7.28.6
change @babel/plugin-transform-class-properties 7.29.7 => 7.28.6
change @babel/plugin-transform-block-scoping 7.29.7 => 7.28.6
change @babel/plugin-transform-block-scoped-functions 7.29.7 => 7.27.1
change @babel/plugin-transform-async-to-generator 7.29.7 => 7.28.6
change @babel/plugin-transform-async-generator-functions 7.29.7 => 7.29.0
change @babel/plugin-transform-arrow-functions 7.29.7 => 7.27.1
change @babel/plugin-syntax-import-attributes 7.29.7 => 7.28.6
change @babel/plugin-syntax-import-assertions 7.29.7 => 7.28.6
change @babel/plugin-bugfix-v8-static-class-fields-redefine-readonly 7.29.7 => 7.28.6
change @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining 7.29.7 => 7.27.1
remove @babel/plugin-bugfix-safari-rest-destructuring-rhs-array 7.29.7
change @babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression 7.29.7 => 7.27.1
change @babel/plugin-bugfix-safari-class-field-initializer-scope 7.29.7 => 7.27.1
change @babel/plugin-bugfix-firefox-class-in-computed-class-key 7.29.7 => 7.28.5
change @babel/helper-wrap-function 7.29.7 => 7.28.6
change @babel/helper-skip-transparent-expression-wrappers 7.29.7 => 7.27.1
change @babel/helper-replace-supers 7.29.7 => 7.28.6
change @babel/helper-remap-async-to-generator 7.29.7 => 7.27.1
change @babel/helper-plugin-utils 7.29.7 => 7.28.6
change @babel/helper-optimise-call-expression 7.29.7 => 7.27.1
change @babel/helper-member-expression-to-functions 7.29.7 => 7.28.5
change @babel/helper-define-polyfill-provider 0.6.8 => 0.6.6
change @babel/helper-create-regexp-features-plugin 7.29.7 => 7.28.5
change @babel/helper-create-class-features-plugin 7.29.7 => 7.28.6
change @babel/helper-annotate-as-pure 7.29.7 => 7.27.3

added 100 packages, removed 15 packages, changed 173 packages, and audited 899 packages in 5s

237 packages are looking for funding
  run `npm fund` for details

# npm audit report

@babel/core  <=7.29.0
@babel/core: Arbitrary File Read via sourceMappingURL Comment - https://github.com/advisories/GHSA-4x5r-pxfx-6jf8
fix available via `npm audit fix`


brace-expansion  5.0.2 - 5.0.5
Severity: moderate
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`


esbuild  0.27.3 - 0.28.0
esbuild allows arbitrary file read when running the development server on Windows - https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
fix available via `npm audit fix --force`
Will install esbuild@0.28.1, which is a breaking change


form-data  4.0.0 - 4.0.5
Severity: high
form-data: CRLF injection in form-data via unescaped multipart field names and filenames - https://github.com/advisories/GHSA-hmw2-7cc7-3qxx
fix available via `npm audit fix`


js-yaml  <=4.1.1
Severity: moderate
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - https://github.com/advisories/GHSA-h67p-54hq-rp68
fix available via `npm audit fix`


nodemailer  <=9.0.0
Severity: high
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection - https://github.com/advisories/GHSA-268h-hp4c-crq3
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization - https://github.com/advisories/GHSA-wqvq-jvpq-h66f
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception - https://github.com/advisories/GHSA-r7g4-qg5f-qqm2
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message - https://github.com/advisories/GHSA-p6gq-j5cr-w38f
fix available via `npm audit fix`

  mailparser  2.3.1 - 3.9.8
  Depends on vulnerable versions of nodemailer
  
  smtp-server  2.0.0 - 3.18.4
  Depends on vulnerable versions of nodemailer
  

qs  6.11.1 - 6.15.1
Severity: moderate
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set - https://github.com/advisories/GHSA-q8mj-m7cp-5q26
fix available via `npm audit fix`

  @cypress/request  <=4.0.0
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of uuid
  
    cypress  13.15.0 - 15.14.2
    Depends on vulnerable versions of @cypress/request
    

tmp  <0.2.6
Severity: high
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - https://github.com/advisories/GHSA-ph9p-34f9-6g65
fix available via `npm audit fix`


uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix`


13 vulnerabilities (2 low, 8 moderate, 3 high)

Vulnerable package, severity, and fix target version

npm audit --json | jq -r '
  .vulnerabilities
  | to_entries[]
  | .value
  | "\(.name) [\(.severity)] — vulnerable range: \(.range) → fix: " +
    (if (.fixAvailable | type) == "object"
       then "\(.fixAvailable.version)\(if .fixAvailable.isSemVerMajor then " (MAJOR!)" else "" end)"
       else "no direct fix" end)'

@babel/core [low] — vulnerable range: <=7.29.0 → fix: no direct fix
@cypress/request [moderate] — vulnerable range: <=4.0.0 → fix: no direct fix
brace-expansion [moderate] — vulnerable range: 5.0.2 - 5.0.5 → fix: no direct fix
cypress [moderate] — vulnerable range: 13.15.0 - 15.14.2 → fix: no direct fix
esbuild [low] — vulnerable range: 0.27.3 - 0.28.0 → fix: 0.28.1 (MAJOR!)
form-data [high] — vulnerable range: 4.0.0 - 4.0.5 → fix: no direct fix
js-yaml [moderate] — vulnerable range: <=4.1.1 → fix: no direct fix
mailparser [moderate] — vulnerable range: 2.3.1 - 3.9.8 → fix: no direct fix
nodemailer [high] — vulnerable range: <=9.0.0 → fix: no direct fix
qs [moderate] — vulnerable range: 6.11.1 - 6.15.1 → fix: no direct fix
smtp-server [moderate] — vulnerable range: 2.0.0 - 3.18.4 → fix: no direct fix
tmp [high] — vulnerable range: <0.2.6 → fix: no direct fix
uuid [moderate] — vulnerable range: <11.1.1 → fix: no direct fix

Advisory source links

npm audit --json | jq -r '
  .vulnerabilities[].via[]
  | select(type == "object")
  | "\(.name): \(.title)\n  \(.url)"'

@babel/core: @babel/core: Arbitrary File Read via sourceMappingURL Comment
GHSA-4x5r-pxfx-6jf8
brace-expansion: brace-expansion: Large numeric range defeats documented max DoS protection
GHSA-jxxr-4gwj-5jf2
esbuild: esbuild allows arbitrary file read when running the development server on Windows
GHSA-g7r4-m6w7-qqqr
form-data: form-data: CRLF injection in form-data via unescaped multipart field names and filenames
GHSA-hmw2-7cc7-3qxx
js-yaml: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
GHSA-h67p-54hq-rp68
nodemailer: Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
GHSA-268h-hp4c-crq3
nodemailer: Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
GHSA-wqvq-jvpq-h66f
nodemailer: Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
GHSA-r7g4-qg5f-qqm2
nodemailer: Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
GHSA-p6gq-j5cr-w38f
qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
GHSA-q8mj-m7cp-5q26
tmp: tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
GHSA-ph9p-34f9-6g65
uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
GHSA-w5hq-g745-h8pq

optional run

git diff package-lock.json
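
An added example, not part of the thread or of the Joomla code base: in `npm audit --json` (report version 2) `fixAvailable` is `true` when plain `npm audit fix` resolves the entry, an object when the fix needs `--force`, and `false` when there is none, and string entries in `via` name another vulnerable package rather than an advisory. The sketch below reads a constructed sample report (values copied from the output above, plus one made-up `example-unfixed` entry) and reports the fix command and the root advisories for each package; the function names are illustrative.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// Names, ranges and advisory URLs are copied from the report in this thread;
// "example-unfixed" and its URL are made up to show the `false` case.
const GHSA = 'https://github.com/advisories/';
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    nodemailer: {
      name: 'nodemailer', severity: 'high', range: '<=9.0.0', fixAvailable: true,
      via: [{ name: 'nodemailer', url: GHSA + 'GHSA-268h-hp4c-crq3' },
        { name: 'nodemailer', url: GHSA + 'GHSA-wqvq-jvpq-h66f' }],
    },
    mailparser: {
      name: 'mailparser', severity: 'moderate', range: '2.3.1 - 3.9.8',
      fixAvailable: true, via: ['nodemailer'],
    },
    esbuild: {
      name: 'esbuild', severity: 'low', range: '0.27.3 - 0.28.0',
      fixAvailable: { name: 'esbuild', version: '0.28.1', isSemVerMajor: true },
      via: [{ name: 'esbuild', url: GHSA + 'GHSA-g7r4-m6w7-qqqr' }],
    },
    'example-unfixed': {
      name: 'example-unfixed', severity: 'moderate', range: '*', fixAvailable: false,
      via: [{ name: 'example-unfixed', url: 'https://example.invalid/placeholder' }],
    },
  },
};

// Map the three shapes of `fixAvailable` to the command that applies the fix.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'npm audit fix';
  if (fixAvailable && typeof fixAvailable === 'object') {
    const why = fixAvailable.isSemVerMajor ? 'breaking change' : 'outside stated range';
    return `npm audit fix --force (${fixAvailable.name}@${fixAvailable.version}, ${why})`;
  }
  return 'no fix available';
}

// Follow string entries in `via` (other vulnerable packages) to the advisories behind them.
function rootAdvisories(report, pkgName, seen = new Set()) {
  if (seen.has(pkgName)) return []; // guard against dependency cycles
  seen.add(pkgName);
  const entry = report.vulnerabilities[pkgName];
  if (!entry) return [];
  return entry.via.flatMap((v) =>
    (typeof v === 'string' ? rootAdvisories(report, v, seen) : [v.url]));
}

function summarize(report) {
  return Object.values(report.vulnerabilities)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      fix: describeFix(v.fixAvailable),
      transitive: v.via.every((x) => typeof x === 'string'),
      advisories: [...new Set(rootAdvisories(report, v.name))],
    }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

for (const r of summarize(sampleReport)) {
  console.log(`${r.name} [${r.severity}] ${r.range} -> ${r.fix}`, r.advisories);
}
```
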
tecpromotion - change - 22 Jun 2026
Status: Pending → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2026-06-22 15:53:20
Closed_By: tecpromotion
Labels Added: NPM Resource Changed PR-6.2-dev
tecpromotion - close - 22 Jun 2026
tecpromotion - merge - 22 Jun 2026
richard67 - comment - 22 Jun 2026

@MacJoom Is this really the result of an npm audit fix run like the title and description of this PR tell? To me it seems more like a general NPM update. On 5.4-dev and 6.1-dev an npm audit fix does much less. I haven't tried on 6.2-dev before this PR here was merged.

Update: Seems ok, I have checked.
