Skip to content

Dependency & Actions audit - 2026-07-06 #37

Description

@krakenhavoc

GitHub Actions Deprecation

NONE — no .github/workflows/ directory exists in this repo; there is no CI pipeline to evaluate for Node20/Node24.

npm Dependencies

npm audit --omit=dev against the committed package-lock.json found 11 advisories (7 high, 3 moderate, 1 low), rooted in one direct dependency:

  • astro@^5.17.2 (locked at 5.17.2) — 2 major versions behind latest (7.0.6). Advisories include reflected XSS via unescaped slot name (GHSA-8hv8-536x-4wqp), Host-header SSRF in the prerendered error page (GHSA-2pvr-wf23-7pc7), an SSR allowlist bypass, XSS via define:vars and spread props, and a server-island replay issue. All are fixed only by the major bump to astro@7.0.6.
  • Transitive advisories pulled in via astro/vite that resolve with the same bump: vite (dev-server path traversal/file read), h3 (path traversal, SSE injection), devalue/defu (prototype pollution/DoS), js-yaml (DoS via merge-key aliases), picomatch (method injection/ReDoS), postcss (XSS), smol-toml (DoS), svgo (billion-laughs DoS).

Recommend npm audit fix --force to move to astro@7.0.6 and pull in patched transitive versions; test afterward given the 5→7 major jump carries breaking changes.

Go Module CVEs

NONE — no go.mod in this repo (Astro/TypeScript frontend).

Terraform Providers

NONE — no *.tf files in this repo.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions