Security: Fix 3 vulnerable packages #307
base: master
Security fixes:
- @babel/preset-env: transitive → 7.28.5
- @babel/traverse: transitive → 7.28.5
- fsevents: transitive → 2.3.3
Addresses vulnerabilities:
- CVE-2023-45133
- CVE-2023-45311
Automated security fix by Security Bot
| } | ||
| }, | ||
| "terser": { | ||
| "node_modules/terser": { |
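Review bot: this lock-file hunk shows terser still installed, yet the PR description only bumps @babel/preset-env, @babel/traverse and fsevents, so the terser finding stays open after merge; the bump belongs in this PR. When choosing the target version, note that the affected ranges quoted in the comment below are "before 4.8.1" and ">= 5.0.0 before 5.14.2": 4.8.1 is only the fix for the 4.x line, and a copy pinned on 5.x needs 5.14.2 or later, so check which major this entry resolves to before applying the "at least 4.8.1" advice.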
High severity vulnerability introduced by a package you're using:
Line 9732 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.
To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| } | ||
| }, | ||
| "node_modules/htmlnano/node_modules/terser": { |
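Review bot: node_modules/htmlnano/node_modules/terser is a nested copy resolved for htmlnano separately from the top-level node_modules/terser, so bumping the top-level entry leaves this one at its current version and the second finding remains. It needs its own fix, either by updating htmlnano to a release whose range accepts a patched terser, or via an overrides entry in package.json (npm) / resolutions (yarn), followed by regenerating the lock file so both entries land on a fixed version.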
High severity vulnerability introduced by a package you're using:
Line 5505 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.
To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "get-func-name": { | ||
| "node_modules/get-func-name": { |
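Review bot: get-func-name is absent from the PR description's list of updated packages, so this lock entry stays at a version the comment below flags as affected; move it to 2.0.1 or later and regenerate the lock file in this same PR rather than leaving it for a follow-up, otherwise the PR title's claim of fixing the vulnerable packages does not hold for the findings raised here.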
High severity vulnerability introduced by a package you're using:
Line 5135 lists a dependency (get-func-name) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected version of get-func-name is vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.
To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
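The three Semgrep comments above quote affected version ranges for terser (before 4.8.1, and 5.0.0 up to but excluding 5.14.2) and get-func-name (before 2.0.1), and two of them point at different copies of terser in the same lock file. The script below is an added example, not code from this PR, from Semgrep or from the repository: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json, attributes every entry to its package name (so nested copies such as node_modules/htmlnano/node_modules/terser are counted), checks each installed version against those ranges, and reports the lowest fixed version for the major line that copy is on. The advisory table, the hand-rolled x.y.z comparison, and the sample lock file are assumptions constructed for the example; real tooling should use the semver package and read the actual lock file.

```javascript
// Added example (not part of the PR or of Semgrep's tooling): find every
// installed copy of a package in a package-lock.json "packages" map,
// nested copies included, and test it against known affected ranges.

// Affected ranges as quoted in the review comments on this PR, written as
// half-open intervals [from, below); from === null means "any lower version".
// The "below" bound doubles as the first fixed version for that line.
const ADVISORIES = {
  terser: [
    { from: null, below: '4.8.1' },
    { from: '5.0.0', below: '5.14.2' },
  ],
  'get-func-name': [{ from: null, below: '2.0.1' }],
};

// Minimal comparison for plain x.y.z versions. Pre-release suffixes are
// ignored here (an assumption for the example); use the semver package
// in production tooling.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the matching affected range for name@version, or null if clean.
function affectedRange(name, version) {
  const ranges = ADVISORIES[name] || [];
  return ranges.find(({ from, below }) =>
    (from === null || compareVersions(version, from) >= 0) &&
    compareVersions(version, below) < 0) || null;
}

function isAffected(name, version) {
  return affectedRange(name, version) !== null;
}

// First fixed version for the line the installed copy is on: a 5.x terser
// needs 5.14.2, not 4.8.1. Returns null when the version is not affected.
function fixedVersionFor(name, version) {
  const range = affectedRange(name, version);
  return range ? range.below : null;
}

// The package name is whatever follows the last "node_modules/" in the
// lockfile key, so "node_modules/htmlnano/node_modules/terser" -> "terser".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// One finding per vulnerable installed copy: { path, name, version, fixedIn }.
function findVulnerable(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !entry.version) continue;
    const fixedIn = fixedVersionFor(name, entry.version);
    if (fixedIn !== null) {
      findings.push({ path: key, name, version: entry.version, fixedIn });
    }
  }
  return findings;
}

function report(lock) {
  return findVulnerable(lock).map(
    (f) => `${f.path}: ${f.name}@${f.version} is affected, upgrade to >= ${f.fixedIn}`);
}

// Constructed sample lock file (not the repository's real one), shaped like
// the entries visible in this PR's diff: a top-level terser on the 5.x line,
// a nested terser under htmlnano on the 4.x line, and get-func-name.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/terser': { version: '5.10.0' },
    'node_modules/htmlnano': { version: '1.0.0' },
    'node_modules/htmlnano/node_modules/terser': { version: '4.8.0' },
    'node_modules/get-func-name': { version: '2.0.0' },
    'node_modules/fsevents': { version: '2.3.3' },
  },
};

console.log(report(SAMPLE_LOCK).join('\n'));
```

Running it against the sample lists both terser copies with different fix targets (5.14.2 for the top-level copy, 4.8.1 for the nested one) plus get-func-name, and nothing for fsevents 2.3.3; the same walk over the real package-lock.json is a quick way to confirm, before merging, that a bump actually cleared every copy the comments flag rather than only the top-level one.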
Security Updates
This PR fixes security vulnerabilities found by Semgrep SCA.
✅ All packages validated for:
- yarn install or npm install to regenerate lock file with fixed versions
- yarn build / npm run build to verify it compiles
Updated Packages
NPM:
- @babel/preset-env: transitive → 7.28.5
- @babel/traverse: transitive → 7.28.5
- fsevents: transitive → 2.3.3
🔐 Vulnerabilities Fixed
📋 Semgrep Findings Addressed
Changes Made
This PR was created automatically by Security Bot
Please review and test before merging