fix(deps): vuln minor upgrades — 12 packages (minor: 6 · patch: 6) [services/frontend] #33

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/frontend/0-1781544415

Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 12 packages upgraded (MINOR changes included)

Manifests changed:

  • services/frontend (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| form-data | 4.0.2 | 4.0.6 | patch | Transitive | 2 CRITICAL |
| axios | 1.8.4 | 1.17.0 | minor | Direct | 15 HIGH, 11 MEDIUM, 1 LOW |
| minimatch | 9.0.5 | 9.0.9 | patch | Transitive | 6 HIGH |
| flatted | 3.3.3 | 3.4.2 | minor | Transitive | 4 HIGH |
| vite | 6.2.3 | 6.4.3 | minor | Direct | 2 HIGH, 11 MEDIUM, 4 LOW |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| rollup | 4.38.0 | 4.62.0 | minor | Transitive | 2 HIGH |
| ajv | 6.12.6 | 6.15.0 | minor | Transitive | 2 MEDIUM |
| brace-expansion | 2.0.1 | 2.0.3 | patch | Transitive | 2 MEDIUM, 2 LOW |
| js-yaml | 4.1.0 | 4.1.1 | patch | Transitive | 2 MEDIUM |
| follow-redirects | 1.15.9 | 1.16.0 | minor | Transitive | 1 MEDIUM |
| postcss | 8.5.3 | 8.5.15 | patch | Transitive | 1 MEDIUM |

Security Details

🚨 Critical & High Severity (33 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| form-data | CVE-2025-7783 | CRITICAL | - | 4.0.2 | - |
| form-data | GHSA-fjxv-7rqg-78g4 | CRITICAL | form-data uses unsafe random function in form-data for choosing boundary | 4.0.2 | 2.5.4 |
| axios | GHSA-j5f8-grm9-p9fc | HIGH | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection | 1.8.4 | 1.16.0 |
| axios | GHSA-4hjh-wcwx-xvwj | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.8.4 | 1.12.0 |
| axios | GHSA-hfxv-24rg-xrqf | HIGH | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection | 1.8.4 | 1.16.0 |
| axios | GHSA-3g43-6gmg-66jw | HIGH | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge | 1.8.4 | 1.15.2 |
| axios | GHSA-pmwg-cvhr-8vh7 | HIGH | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | 1.8.4 | 1.15.1 |
| axios | GHSA-p92q-9vqr-4j8v | HIGH | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter | 1.8.4 | 1.16.0 |
| axios | CVE-2026-25639 | HIGH | Axios affected by Denial of Service via proto Key in mergeConfig | 1.8.4 | - |
| axios | GHSA-6chq-wfr3-2hj9 | HIGH | Axios: Header Injection via Prototype Pollution | 1.8.4 | 1.15.1 |
| axios | GHSA-777c-7fjr-54vf | HIGH | Allocation of Resources Without Limits or Throttling in Axios | 1.8.4 | 1.16.0 |
| axios | GHSA-43fc-jf86-j433 | HIGH | Axios is Vulnerable to Denial of Service via proto Key in mergeConfig | 1.8.4 | 1.13.5 |
| axios | GHSA-pf86-5x62-jrwf | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | 1.8.4 | 1.15.1 |
| axios | GHSA-q8qp-cvcw-x6jj | HIGH | Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking | 1.8.4 | 1.15.2 |
| axios | GHSA-35jp-ww65-95wh | HIGH | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy | 1.8.4 | 1.16.0 |
| axios | GHSA-pjwm-pj3p-43mv | HIGH | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) | 1.8.4 | 1.16.0 |
| axios | CVE-2025-58754 | HIGH | Axios is vulnerable to DoS attack through lack of data size check | 1.8.4 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.3.3 | 3.4.0 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.3.3 | - |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.3.3 | 3.4.2 |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.3.3 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | 10.2.3 |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | 10.2.1 |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | 10.2.3 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 9.0.5 | - |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 9.0.5 | - |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 9.0.5 | - |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| rollup | GHSA-mw96-cpmx-2vgc | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 4.38.0 | 2.80.0 |
| rollup | CVE-2026-27606 | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 4.38.0 | - |
| vite | CVE-2025-31125 | HIGH | This package is related to CVE CVE-2025-31125 which was detected by cisa.gov as actively being exploited in the wild | 6.2.3 | - |
| vite | GHSA-p9ff-h696-f583 | HIGH | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket | 6.2.3 | 8.0.5 |
ℹ️ Other Vulnerabilities (39)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| ajv | GHSA-2g4f-4pwh-qvx6 | MODERATE | ajv has ReDoS when using $data option | 6.12.6 | 8.18.0 |
| ajv | CVE-2025-69873 | MODERATE | - | 6.12.6 | - |
| axios | GHSA-445q-vr5w-6q77 | MODERATE | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream | 1.8.4 | 1.15.1 |
| axios | GHSA-3p68-rc4w-qgx5 | MODERATE | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | 1.8.4 | 1.15.0 |
| axios | GHSA-vf2m-468p-8v99 | MODERATE | Axios: HTTP adapter streamed responses bypass maxContentLength | 1.8.4 | 1.15.1 |
| axios | GHSA-fvcv-3m26-pcqx | MODERATE | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.8.4 | 1.15.0 |
| axios | GHSA-w9j2-pvgh-6h63 | MODERATE | Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy | 1.8.4 | 1.15.1 |
| axios | GHSA-3w6x-2g7m-8v23 | MODERATE | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver | 1.8.4 | 1.15.2 |
| axios | GHSA-5c9x-8gcm-mpgx | MODERATE | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 | 1.8.4 | 1.15.1 |
| axios | GHSA-62hf-57xw-28j9 | MODERATE | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | 1.8.4 | 1.15.1 |
| axios | GHSA-898c-q2cr-xwhg | MODERATE | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | 1.8.4 | 1.16.0 |
| axios | GHSA-m7pr-hjqh-92cm | MODERATE | Axios: no_proxy bypass via IP alias allows SSRF | 1.8.4 | 1.15.1 |
| axios | GHSA-xx6v-rp6x-q39c | MODERATE | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion | 1.8.4 | 1.15.1 |
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 2.0.1 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 2.0.1 | - |
| follow-redirects | GHSA-r4q5-vmmm-2653 | MODERATE | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets | 1.15.9 | 1.16.0 |
| js-yaml | CVE-2025-64718 | MODERATE | js-yaml has prototype pollution in merge (<<) | 4.1.0 | - |
| js-yaml | GHSA-mh29-5h37-fv8m | MODERATE | js-yaml has prototype pollution in merge (<<) | 4.1.0 | 4.1.1 |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| postcss | GHSA-qx2v-qp2m-jg93 | MODERATE | PostCSS has XSS via Unescaped `</style>` in its CSS Stringify Output | 8.5.3 | 8.5.10 |
| vite | GHSA-4r4m-qw57-chr8 | MODERATE | Vite has a server.fs.deny bypassed for inline and raw with ?import query | 6.2.3 | 6.2.4 |
| vite | CVE-2025-31486 | MODERATE | Vite allows server.fs.deny to be bypassed with .svg or relative paths | 6.2.3 | - |
| vite | CVE-2025-31125 | MODERATE | Vite has a server.fs.deny bypassed for inline and raw with ?import query | 6.2.3 | - |
| vite | CVE-2025-62522 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 6.2.3 | - |
| vite | GHSA-93m4-6634-74q7 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 6.2.3 | 7.1.11 |
| vite | CVE-2025-32395 | MODERATE | Vite has a server.fs.deny bypass with an invalid request-target | 6.2.3 | - |
| vite | GHSA-356w-63v5-8wf4 | MODERATE | Vite has a server.fs.deny bypass with an invalid request-target | 6.2.3 | 6.2.6 |
| vite | CVE-2025-46565 | MODERATE | Vite's server.fs.deny bypassed with /. for files under project root | 6.2.3 | - |
| vite | GHSA-859w-5945-r5v3 | MODERATE | Vite's server.fs.deny bypassed with /. for files under project root | 6.2.3 | 6.3.4 |
| vite | GHSA-4w7w-66w2-5vf9 | MODERATE | Vite Vulnerable to Path Traversal in Optimized Deps .map Handling | 6.2.3 | 8.0.5 |
| vite | GHSA-xcj6-pq6g-qj4x | MODERATE | Vite allows server.fs.deny to be bypassed with .svg or relative paths | 6.2.3 | 6.2.5 |
| axios | GHSA-xhjh-pmcv-23jw | LOW | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams | 1.8.4 | 1.15.1 |
| brace-expansion | CVE-2025-5889 | LOW | - | 2.0.1 | - |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 2.0.1 | 2.0.2 |
| vite | CVE-2025-58751 | LOW | Vite middleware may serve files starting with the same name with the public directory | 6.2.3 | - |
| vite | GHSA-g4jq-h2w9-997c | LOW | Vite middleware may serve files starting with the same name with the public directory | 6.2.3 | 7.1.5 |
| vite | CVE-2025-58752 | LOW | Vite's server.fs settings were not applied to HTML files | 6.2.3 | - |
| vite | GHSA-jqfw-vq24-v9c3 | LOW | Vite's server.fs settings were not applied to HTML files | 6.2.3 | 7.1.5 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
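One concrete check for the "Review changes" step of the checklist above, added here as an example and not part of this PR or the DataDog bot's tooling: most of the upgraded packages are transitive, and npm can install several copies of a transitive package (a dependent that pins an older range gets its own nested copy), so bumping the top-level copy does not prove the vulnerable release is gone. The script below walks every entry of `package-lock.json` (lockfileVersion 2/3 `packages` map, or the nested `dependencies` tree of lockfileVersion 1) and reports any copy of a package from the Updates table that is still below the table's "To" version. The `REQUIRED` map is copied from that table; the embedded lockfile and the `some-sdk` package in it are constructed for illustration.

```javascript
// Added example (not part of this PR or the bot's tooling): check that every copy of each
// upgraded package in package-lock.json is at or above the "To" version from the PR's
// Updates table. Transitive packages can be installed several times (nested under a
// dependent that pins an older range), so each copy is checked by its lockfile path.

// Minimum versions, taken from the PR's Updates table.
const REQUIRED = {
  'form-data': '4.0.6', axios: '1.17.0', minimatch: '9.0.9', flatted: '3.4.2',
  vite: '6.4.3', picomatch: '2.3.2', rollup: '4.62.0', ajv: '6.15.0',
  'brace-expansion': '2.0.3', 'js-yaml': '4.1.1', 'follow-redirects': '1.16.0',
  postcss: '8.5.15',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (build metadata ignored); null if unparseable.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease of X.Y.Z sorts below X.Y.Z,
// so "4.0.6-rc.1" does not satisfy a 4.0.6 minimum.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Package name from a lockfile path such as "node_modules/vite/node_modules/picomatch"
// (scoped names like "node_modules/@scope/pkg" keep the scope).
function nameFromLockPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? null : p.slice(i + 'node_modules/'.length);
}

// Yield [path, entry] for every installed package. lockfileVersion 2/3 has a flat "packages"
// map keyed by path; lockfileVersion 1 nests "dependencies" and is walked recursively.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) if (path !== '') yield [path, entry];
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield [path, entry];
      yield* walk(entry.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Returns { findings, missing }: findings are copies below the required version (or with no
// version at all); missing are required packages that do not appear in the lockfile.
function checkLock(lock, required = REQUIRED) {
  const findings = [];
  const seen = new Set();
  for (const [path, entry] of lockEntries(lock)) {
    // "name" is present when the installed name differs from the path (e.g. aliases).
    const name = entry.name || nameFromLockPath(path);
    if (!name || !Object.hasOwn(required, name)) continue;
    seen.add(name);
    if (!entry.version || compareSemver(entry.version, required[name]) < 0) {
      findings.push({ name, path, version: entry.version || null, required: required[name] });
    }
  }
  const missing = Object.keys(required).filter((n) => !seen.has(n));
  return { findings, missing };
}

function checkLockFile(file) {
  const fs = require('node:fs');
  return checkLock(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample (not the repository's lockfile): the top-level form-data is upgraded, but a
// hypothetical dependent "some-sdk" still carries its own nested copy at the vulnerable 4.0.2.
const SAMPLE_LOCK = {
  name: 'frontend',
  lockfileVersion: 3,
  packages: {
    '': { name: 'frontend', dependencies: { axios: '^1.17.0', vite: '^6.4.3' } },
    'node_modules/axios': { version: '1.17.0' },
    'node_modules/form-data': { version: '4.0.6' },
    'node_modules/vite': { version: '6.4.3' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { 'form-data': '~4.0.2' } },
    'node_modules/some-sdk/node_modules/form-data': { version: '4.0.2' },
  },
};

// Usage: node check-lock.js [path/to/package-lock.json]; without a path the sample is checked.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const { findings, missing } = file ? checkLockFile(file) : checkLock(SAMPLE_LOCK);
  for (const f of findings) console.log(`BELOW MINIMUM ${f.path}: ${f.version} < ${f.required}`);
  for (const n of missing) console.log(`NOT IN LOCKFILE ${n}`);
  if (file && findings.length) process.exitCode = 1;
}
```

Run it against `services/frontend/package-lock.json` on the PR branch; a `BELOW MINIMUM` line means a nested copy that the table's top-level bump did not reach and needs its own `npm update` or an `overrides` entry, while `NOT IN LOCKFILE` lines for packages the table lists are worth a second look at whether the bot edited the same lockfile the build uses.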
