fix(security): weekly dependabot security updates (20260527) by frameworks-volunteer · Pull Request #503 · security-alliance/frameworks

frameworks-volunteer · 2026-05-27T10:51:44Z

Weekly Dependabot Security Update (20260527)

Automated fix for 71 open security advisory/advisories.

Fixed packages

lodash-es: >=4.17.23 (GHSA-xxjr-mmjv-4gpg)
fast-xml-parser: >=5.3.4 (GHSA-37qj-frw5-hhjh)
fast-xml-parser: >=5.3.5 (GHSA-m7jm-9gc2-mpf2)
fast-xml-parser: >=5.3.6 (GHSA-jmr7-xgp7-cmfj)
hono: >=4.12.4 (GHSA-5pq2-9x2x-5p6w)
hono: >=4.12.4 (GHSA-p6xx-57qc-3wxr)
hono: >=4.12.4 (GHSA-q5qw-h33p-qvwr)
fast-xml-parser: >=5.3.8 (GHSA-fj3w-jwp8-x2g3)
@hono/node-server: >=1.19.10 (GHSA-wc8c-qw6v-h7f6)
hono: >=4.12.7 (GHSA-v8w9-8mx6-g223)
flatted: >=3.4.0 (GHSA-25h7-pfq9-p65f)
fast-xml-parser: >=5.5.6 (GHSA-8gc5-j5rx-235r)
flatted: >=3.4.2 (GHSA-rf6f-7fwh-wjgh)
smol-toml: >=1.6.1 (GHSA-v3rj-xjv7-4jmq)
brace-expansion: >=1.1.13 (GHSA-f886-m6hf-6m8v)
brace-expansion: >=2.0.3 (GHSA-f886-m6hf-6m8v)
picomatch: >=4.0.4 (GHSA-3v7f-55p6-f55p)
picomatch: >=4.0.4 (GHSA-c2c7-rcm5-vvqj)
yaml: >=2.8.3 (GHSA-48c2-rrv3-qjmp)
dompurify: >=3.3.2 (GHSA-v2wj-7wpq-c8vv)
lodash-es: >=4.18.0 (GHSA-r5fr-rjxr-66jc)
lodash-es: >=4.18.0 (GHSA-f23m-r3pf-42rh)
dompurify: >=3.3.2 (GHSA-cjmm-f4jc-qw8r)
dompurify: >=3.3.2 (GHSA-cj63-jhhr-wcxv)
vite: >=7.3.2 (GHSA-4w7w-66w2-5vf9)
vite: >=7.3.2 (GHSA-v2wj-q39q-566r)
vite: >=7.3.2 (GHSA-p9ff-h696-f583)
hono: >=4.12.12 (GHSA-26pp-8wgv-hjvm)
hono: >=4.12.12 (GHSA-r5rp-j6wh-rvv4)
hono: >=4.12.12 (GHSA-xf4j-xp2r-rqqx)
hono: >=4.12.12 (GHSA-wmmm-f939-6g9c)
@hono/node-server: >=1.19.13 (GHSA-92pp-h63x-v22m)
fast-xml-parser: >=5.5.7 (GHSA-jp2q-39xq-3w4g)
follow-redirects: >=1.16.0 (GHSA-r4q5-vmmm-2653)
dompurify: >=3.4.0 (GHSA-39q2-94rc-95cp)
hono: >=4.12.14 (GHSA-458j-xx4x-4375)
axios: >=1.15.0 (GHSA-3p68-rc4w-qgx5)
postcss: >=8.5.10 (GHSA-qx2v-qp2m-jg93)
hono: >=4.12.12 (GHSA-xpcf-pg52-r92g)
dompurify: >=3.4.0 (GHSA-h7mw-gpvr-xq4m)
dompurify: >=3.4.0 (GHSA-crv5-9vww-q3g8)
dompurify: >=3.4.0 (GHSA-v9jr-rg53-9pgp)
axios: >=1.15.1 (GHSA-w9j2-pvgh-6h63)
axios: >=1.15.1 (GHSA-pmwg-cvhr-8vh7)
axios: >=1.15.2 (GHSA-3w6x-2g7m-8v23)
axios: >=1.15.1 (GHSA-xhjh-pmcv-23jw)
axios: >=1.15.1 (GHSA-445q-vr5w-6q77)
axios: >=1.15.1 (GHSA-m7pr-hjqh-92cm)
axios: >=1.15.1 (GHSA-62hf-57xw-28j9)
axios: >=1.15.1 (GHSA-5c9x-8gcm-mpgx)
axios: >=1.15.1 (GHSA-vf2m-468p-8v99)
axios: >=1.15.1 (GHSA-pf86-5x62-jrwf)
axios: >=1.15.1 (GHSA-6chq-wfr3-2hj9)
axios: >=1.15.1 (GHSA-xx6v-rp6x-q39c)
dompurify: >=3.3.2 (GHSA-h8r8-wccr-v5f2)
axios: >=1.13.5 (GHSA-43fc-jf86-j433)
fast-xml-parser: >=5.7.0 (GHSA-gh4j-gqv2-49f6)
hono: >=4.12.18 (GHSA-qp7p-654g-cw7p)
mermaid: >=11.15.0 (GHSA-6m6c-36f7-fhxh)
mermaid: >=11.15.0 (GHSA-xcj9-5m2h-648r)
mermaid: >=11.15.0 (GHSA-87f9-hvmw-gh4p)
mermaid: >=11.15.0 (GHSA-ghcm-xqfw-q4vr)
axios: >=1.15.2 (GHSA-q8qp-cvcw-x6jj)
hono: >=4.12.18 (GHSA-hm8q-7f3q-5f36)
hono: >=4.12.18 (GHSA-p77w-8qqv-26rm)
hono: >=4.12.16 (GHSA-9vqf-7f2p-gf9v)
hono: >=4.12.16 (GHSA-69xw-7hcm-h432)
axios: >=1.15.0 (GHSA-fvcv-3m26-pcqx)
uuid: >=11.1.1 (GHSA-w5hq-g745-h8pq)
uuid: >=13.0.1 (GHSA-w5hq-g745-h8pq)
tmp: >=0.2.6 (GHSA-ph9p-34f9-6g65)

Closes open dependabot alerts.

github-actions · 2026-05-27T11:05:12Z

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name	Status	Preview	Last Commit
frameworks	✅ Ready (View Log)	Visit Preview	`3ab5d4f`

scode2277 · 2026-05-27T13:08:39Z

@frameworks-volunteer the PR says there are 71 open advisories but there's only 1 open. Please re-check the source and strip the overrides down to only what's needed to close that one.

frameworks-volunteer · 2026-05-27T13:19:22Z

Model: glm-5.1 Reasoning: medium Provider: openrouter

You're right — the 71 count was stale. Recent Dependabot group bumps (#491, #502) already resolved most of those. pnpm audit on develop now shows only 2 open advisories:

GHSA-w5hq-g745-h8pq — uuid@8.3.2 (exceljs transitive) → needs >=11.1.1
GHSA-ph9p-34f9-6g65 — tmp@0.2.5 (exceljs transitive) → needs >=0.2.6

I've opened #504 with only those two overrides, dropping the other 11 unnecessary ones from this PR. Closing this in favor of #504.

fix(security): weekly dependabot security updates

3ab5d4f

frameworks-volunteer force-pushed the fix/dependabot-weekly-20260527 branch from 8f465c7 to 3ab5d4f Compare May 27, 2026 11:02

github-actions Bot deployed to Preview May 27, 2026 11:05 View deployment

mattaereal requested a review from scode2277 May 27, 2026 12:44

frameworks-volunteer mentioned this pull request May 27, 2026

fix(security): add overrides for uuid and tmp advisories #504

Open

frameworks-volunteer closed this May 27, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(security): weekly dependabot security updates (20260527)#503

fix(security): weekly dependabot security updates (20260527)#503
frameworks-volunteer wants to merge 1 commit into
security-alliance:developfrom
frameworks-volunteer:fix/dependabot-weekly-20260527

frameworks-volunteer commented May 27, 2026

Uh oh!

github-actions Bot commented May 27, 2026 •

edited

Loading

Uh oh!

scode2277 commented May 27, 2026

Uh oh!

frameworks-volunteer commented May 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

frameworks-volunteer commented May 27, 2026

Weekly Dependabot Security Update (20260527)

Fixed packages

Uh oh!

github-actions Bot commented May 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Uh oh!

scode2277 commented May 27, 2026

Uh oh!

frameworks-volunteer commented May 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

github-actions Bot commented May 27, 2026 •

edited

Loading