Security: Fix 1 vulnerable package #38

Open

razorgupta wants to merge 1 commit into master from security/sca-fix-1764846149

Conversation

@razorgupta

Security Updates

This PR fixes security vulnerabilities found by Semgrep SCA.

✅ All packages validated for:

  • End of Life (EOL) status
  • Supply chain attack risks
  • Version stability (7-day cool-down or n-1 fallback)
  • Peer dependency compatibility

⚠️ Action Required:

  1. Run yarn install or npm install to regenerate lock file with fixed versions
  2. Run your build (yarn build / npm run build) to verify it compiles
  3. Run your test suite to verify compatibility
  4. Test in staging before merging to production

Updated Packages

NPM:

  • vm2: transitive → 3.10.0

🔐 Vulnerabilities Fixed

📋 Semgrep Findings Addressed

Semgrep ID: 148862075 (View in Semgrep)

Changes Made

  • Updated dependency files with secure versions
  • Regenerated lock files

This PR was created automatically by Security Bot
Please review and test before merging

Security fixes:
- vm2: transitive → 3.10.0

Addresses vulnerabilities:
- CVE-2023-37466

Automated security fix by Security Bot
@razorgupta razorgupta added dependencies Pull requests that update a dependency file security automated labels Dec 4, 2025