Skip to content

Security: Fix 2 vulnerable packages#25

Open
razorgupta wants to merge 2 commits into
mainfrom
security/sca-fix-1764845925
Open

Security: Fix 2 vulnerable packages#25
razorgupta wants to merge 2 commits into
mainfrom
security/sca-fix-1764845925

Conversation

@razorgupta
Copy link
Copy Markdown

@razorgupta razorgupta commented Dec 4, 2025

Security Updates

This PR fixes security vulnerabilities found by Semgrep SCA.

✅ All packages validated for:

  • End of Life (EOL) status
  • Supply chain attack risks
  • Version stability (7-day cool-down or n-1 fallback)
  • Peer dependency compatibility

⚠️ Action Required:

  1. Run yarn install or npm install to regenerate lock file with fixed versions
  2. Run your build (yarn build / npm run build) to verify it compiles
  3. Run your test suite to verify compatibility
  4. Test in staging before merging to production

Updated Packages

NPM:

  • @babel/traverse: transitive → 7.28.5
  • fsevents: transitive → 2.3.3

🔐 Vulnerabilities Fixed

📋 Semgrep Findings Addressed

Semgrep ID Link
67565731 View in Semgrep
67565732 View in Semgrep
67565733 View in Semgrep
67565734 View in Semgrep
67565735 View in Semgrep
67565736 View in Semgrep

Changes Made

  • Updated dependency files with secure versions
  • Regenerated lock files

This PR was created automatically by Security Bot
Please review and test before merging

fix(security): upgrade 2 vulnerable packages
c8315fb 
Security fixes:
- @babel/traverse: transitive → 7.28.5
- fsevents: transitive → 2.3.3

Addresses vulnerabilities:
- CVE-2023-45133
- CVE-2023-45311

Automated security fix by Security Bot
@razorgupta razorgupta added dependencies Pull requests that update a dependency file security automated labels Dec 4, 2025
semgrep-code-razorpay[bot]
semgrep-code-razorpay Bot reviewed Dec 4, 2025
View reviewed changes
Comment thread package-lock.json
"version": "4.1.0",
"resolved": "https://registry.npmjs.org/throat/-/throat-4.1.0.tgz",
"integrity": "sha1-iQN8vJLFarGJJua6TLsgDhVnKmo=",
"dev": true
},
"tmpl": {
"node_modules/tmpl": {
Copy link
Copy Markdown

@semgrep-code-razorpay semgrep-code-razorpay Bot Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 10587 lists a dependency (tmpl) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 1.0.5 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 4, 2025

What

Hello old.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 4, 2025

What

Hello new.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 4, 2025

hello

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 4, 2025

What No match

Hello.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@semgrep-code-razorpay semgrep-code-razorpay[bot] semgrep-code-razorpay[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

automated dependencies Pull requests that update a dependency file security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@razorgupta