Situation
npm audit reports low severity vulnerabilities CVE-2025-7339 in example directories using on-headers < 1.1.0:
Steps to reproduce
git clone https://github.com/cypress-io/github-action
cd github-action
cd examples
cd config
npm ci
npm audit
cd ..
cd start
npm ci
npm audit
cd ../..
Logs
# npm audit report
form-data 4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data
on-headers <1.1.0
on-headers is vulnerable to http response header manipulation - https://github.com/advisories/GHSA-76c9-3jph-rj3q
fix available via `npm audit fix --force`
Will install serve@10.0.2, which is a breaking change
node_modules/on-headers
compression 1.0.3 - 1.8.0
Depends on vulnerable versions of on-headers
node_modules/compression
serve >=10.1.0
Depends on vulnerable versions of compression
node_modules/serve
4 vulnerabilities (3 low, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
$ npm ls on-headers
example-config@1.0.0 /home/mike/github/cypress-io/github-action/examples/config
└─┬ serve@14.2.4
  └─┬ compression@1.7.4
    └── on-headers@1.0.2
Assessment
on-headers@1.0.2 is a transitive dependency of serve@14.2.4 (current latest) and the vulnerability cannot be fixed with npm audit fix or by uninstalling and re-installing serve: