mirror of https://github.com/maziggy/bambuddy.git synced 2026-05-09 08:25:54 +02:00

[GH-ISSUE #425] Security Alert: 12 npm vulnerabilities found #266

Closed
opened 2026-05-07 00:08:15 +02:00 by BreizhHardware · 1 comment

Originally created by @github-actions[bot] on GitHub (Feb 18, 2026).
Original GitHub issue: https://github.com/maziggy/bambuddy/issues/425

Originally assigned to: @maziggy on GitHub.

Automated Security Audit Results

The weekly security audit found vulnerabilities in npm dependencies.

| Package | Severity | Via | Fix |
|---------|----------|-----|-----|
| @eslint-community/eslint-utils | moderate | eslint | Yes |
| @eslint/eslintrc | moderate | ajv | Yes |
| @typescript-eslint/eslint-plugin | moderate | @typescript-eslint/parser, @typescript-eslint/type-utils, @typescript-eslint/utils, eslint | Yes |
| @typescript-eslint/parser | moderate | eslint | Yes |
| @typescript-eslint/type-utils | moderate | @typescript-eslint/utils, eslint | Yes |
| @typescript-eslint/utils | moderate | @eslint-community/eslint-utils, eslint | Yes |
| ajv | moderate | ajv | Yes |
| eslint | moderate | @eslint-community/eslint-utils, @eslint/eslintrc, ajv | Yes |
| eslint-plugin-react-refresh | moderate | eslint | No |
| typescript-eslint | moderate | @typescript-eslint/eslint-plugin, @typescript-eslint/parser, @typescript-eslint/utils, eslint | Yes |

Recommended Actions

1. Review each vulnerability: `npm audit`
2. Auto-fix if possible: `npm audit fix`
3. Manual fix for breaking changes: `npm audit fix --force` (review changes!)
4. Close this issue when resolved

This issue was automatically created by the security audit workflow.


@maziggy commented on GitHub (Feb 18, 2026):

commit bedcd0a73e (HEAD -> 0.2.1b, origin/0.2.1b)
Author: maziggy <mz@v8w.de>
Date: Wed Feb 18 09:30:29 2026 +0100

  1. ajv is only used by eslint to validate config schemas during linting
  2. It's a dev dependency, never reaches production
  3. The ReDoS requires crafted $data schema input — not an attack vector in a linting config