Skip to content

VULN UPGRADE: minor upgrades — 14 packages (minor: 1 · patch: 13) [packages/tools]#267

Closed
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/npm/tools/0-1770972207
Closed

VULN UPGRADE: minor upgrades — 14 packages (minor: 1 · patch: 13) [packages/tools]#267
campaigner-prod[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/minorpatch/npm/tools/0-1770972207

Conversation

@campaigner-prod
Copy link

@campaigner-prod campaigner-prod bot commented Feb 13, 2026

Summary: Security update — 14 packages upgraded (MINOR changes included)

Manifests changed:

  • packages/tools (npm)

Updates

Package From To Type Vulnerabilities Fixed
vite 6.3.5 6.3.7 patch 2 MODERATE, 4 LOW
webpack 5.100.2 5.105.0 minor 4 LOW
@inquirer/checkbox 2.3.3 2.3.11 patch -
@inquirer/input 2.1.7 2.1.12 patch -
@inquirer/select 2.3.3 2.3.11 patch -
@rollup/plugin-commonjs 28.0.1 28.0.9 patch -
@rollup/plugin-node-resolve 15.3.0 15.3.1 patch -
@rspack/core 1.4.9 1.4.11 patch -
@types/chalk 2.2.0 2.2.4 patch -
@types/node 20.12.12 20.12.14 patch -
chalk 2.3.1 2.3.2 patch -
esbuild 0.25.3 0.25.12 patch -
glob 7.1.6 7.1.7 patch -
typescript 5.4.3 5.4.5 patch -

Packages marked with "-" are updated due to dependency constraints.

Security Details

ℹ️ Other Vulnerabilities (10)
Package CVE Severity Summary Unsafe Version Fixed In
vite GHSA-93m4-6634-74q7 MODERATE vite allows server.fs.deny bypass via backslash on Windows 6.3.5 7.1.11
vite CVE-2025-62522 MODERATE vite allows server.fs.deny bypass via backslash on Windows 6.3.5 -
vite GHSA-g4jq-h2w9-997c LOW Vite middleware may serve files starting with the same name with the public directory 6.3.5 7.1.5
vite CVE-2025-58751 LOW Vite middleware may serve files starting with the same name with the public directory 6.3.5 -
vite GHSA-jqfw-vq24-v9c3 LOW Vite's server.fs settings were not applied to HTML files 6.3.5 7.1.5
vite CVE-2025-58752 LOW Vite's server.fs settings were not applied to HTML files 6.3.5 -
webpack GHSA-38r7-794h-5758 LOW webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence 5.100.2 5.104.0
webpack CVE-2025-68157 LOW webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects 5.100.2 -
webpack GHSA-8fgc-7cc6-rx7x LOW webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior 5.100.2 5.104.1
webpack CVE-2025-68458 LOW webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior 5.100.2 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System

@dd-prapprover
Copy link

dd-prapprover bot commented Feb 13, 2026
edited
Loading

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

🔗 Workflow Link

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-02-13T08:47:40Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed, please fix and re-trigger

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yoannmoinet yoannmoinet Awaiting requested review from yoannmoinet yoannmoinet is a code owner

Assignees

No one assigned

Labels

adms-dependency-update campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yoannmoinet