Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore: fix CVEs for undici, brace-expansion, ...#86

Merged
irgaly merged 1 commit into
irgaly:mainfrom
evva-sfw:chore/bump-packages-with-cves
Jul 18, 2025
Merged

chore: fix CVEs for undici, brace-expansion, ...#86
irgaly merged 1 commit into
irgaly:mainfrom
evva-sfw:chore/bump-packages-with-cves

Conversation

@axi92

@axi92 axi92 commented Jul 18, 2025

Copy link
Copy Markdown
Contributor

Fixes: CVE-2025-25288, CVE-2025-25290, CVE-2025-25289, CVE-2025-5889, CVE-2023-26136, CVE-2025-22150, CVE-2024-24758, CVE-2024-30260, CVE-2024-30261, CVE-2025-47279, CVE-2023-0842

NPM Audit

Before:

8 vulnerabilities (1 low, 7 moderate)

After:

found 0 vulnerabilities
Trivy Audit

Before:

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬───────┬─────────────────┬─────────┐
│                                      Target                                      │ Type  │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────────────────────────┼───────┼─────────────────┼─────────┤
│ package-lock.json                                                                │  npm  │       11        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼───────┼─────────────────┼─────────┤
│ sample/MyApp/MyApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.r- │ swift │        0        │    -    │
│ esolved                                                                          │       │                 │         │
└──────────────────────────────────────────────────────────────────────────────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


package-lock.json (npm)

Total: 11 (UNKNOWN: 0, LOW: 5, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version        │                            Title                             │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/plugin-paginate-rest │ CVE-2025-25288 │ MEDIUM   │ fixed  │ 9.1.4             │ 11.4.1, 9.2.2               │ octokit/plugin-paginate-rest: @octokit/plugin-paginate-rest  │
│                               │                │          │        │                   │                             │ has a Regular Expression in iterator that Leads to ReDoS...  │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-25288                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request              │ CVE-2025-25290 │          │        │ 8.1.6             │ 9.2.1, 8.4.1                │ octokit/request: @octokit/request has a Regular Expression   │
│                               │                │          │        │                   │                             │ in fetchWrapper that Leads to ReDoS...                       │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-25290                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request-error        │ CVE-2025-25289 │          │        │ 5.0.1             │ 5.1.1, 6.1.7                │ @octokit/request-error: @octokit/request-error has a Regular │
│                               │                │          │        │                   │                             │ Expression in index that Leads to ReDoS...                   │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-25289                   │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ brace-expansion               │ CVE-2025-5889  │ LOW      │        │ 1.1.11            │ 2.0.2, 1.1.12, 3.0.1, 4.0.1 │ brace-expansion: juliangruber brace-expansion index.js       │
│                               │                │          │        │                   │                             │ expand redos                                                 │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-5889                    │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ tough-cookie                  │ CVE-2023-26136 │ MEDIUM   │        │ 3.0.1             │ 4.1.3                       │ tough-cookie: prototype pollution in cookie memstore         │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2023-26136                   │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ undici                        │ CVE-2025-22150 │          │        │ 5.28.1            │ 5.28.5, 6.21.1, 7.2.3       │ undici: Undici Uses Insufficiently Random Values             │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-22150                   │
│                               ├────────────────┼──────────┤        │                   ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2024-24758 │ LOW      │        │                   │ 5.28.3, 6.6.1               │ undici: sensitive information exposure                       │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-24758                   │
│                               ├────────────────┤          │        │                   ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2024-30260 │          │        │                   │ 5.28.4, 6.11.1              │ nodejs-undici: proxy-authorization header not cleared on     │
│                               │                │          │        │                   │                             │ cross-origin redirect for dispatch, request, stream,...      │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-30260                   │
│                               ├────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                               │ CVE-2024-30261 │          │        │                   │                             │ nodejs-undici: fetch() with integrity option is too lax when │
│                               │                │          │        │                   │                             │ algorithm is specified...                                    │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-30261                   │
│                               ├────────────────┤          │        │                   ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-47279 │          │        │                   │ 5.29.0, 6.21.2, 7.5.0       │ undici: Undici Memory Leak with Invalid Certificates         │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2025-47279                   │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ xml2js                        │ CVE-2023-0842  │ MEDIUM   │        │ 0.4.23            │ 0.5.0                       │ node-xml2js: xml2js is vulnerable to prototype pollution     │
│                               │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2023-0842                    │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

After:

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬───────┬─────────────────┬─────────┐
│                                      Target                                      │ Type  │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────────────────────────┼───────┼─────────────────┼─────────┤
│ package-lock.json                                                                │  npm  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼───────┼─────────────────┼─────────┤
│ sample/MyApp/MyApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.r- │ swift │        0        │    -    │
│ esolved                                                                          │       │                 │         │
└──────────────────────────────────────────────────────────────────────────────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

@irgaly

irgaly commented Jul 18, 2025

Copy link
Copy Markdown
Owner

Nice PR! Thank you! 👍

@irgaly irgaly merged commit 2110922 into irgaly:main Jul 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants