8000
Skip to content

deps(npm): bump the npm group across 1 directory with 10 updates#7738

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/dependencies/npm-01daee311c
Open

deps(npm): bump the npm group across 1 directory with 10 updates#7738
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/dependencies/npm-01daee311c

Conversation

@dependabot
Copy link
Copy Markdown
Contributor
@dependabot dependabot bot commented on behalf of github Apr 10, 2026

Bumps the npm group with 10 updates in the /dependencies directory:

Package From To
@biomejs/biome 2.4.10 2.4.11
eslint-plugin-jest 29.15.1 29.15.2
jscpd 4.0.8 4.0.9
next 16.2.2 16.2.3
prettier 3.8.1 3.8.2
react 19.2.4 19.2.5
react-dom 19.2.4 19.2.5
renovate 43.110.3 43.110.14
stylelint-config-recommended-scss 17.0.0 17.0.1
textlint 15.5.2 15.5.4

Updates @biomejs/biome from 2.4.10 to 2.4.11

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.11

2.4.11

Patch Changes

  • #9350 4af4a3a Thanks @​dyc3! - Added the new nursery rule useConsistentTestIt in the test domain. The rule enforces consistent use of either it or test for test functions in Jest/Vitest suites, with separate control for top-level tests and tests inside describe blocks.

    Invalid:

    test("should fly", () => {}); // Top-level test using 'test' flagged, convert to 'it'
describe("pig", () => {
test("should fly", () => {}); // Test inside 'describe' using 'test' flagged, convert to 'it'
});

  • #9429 a2f3f7e Thanks @​ematipico! - Added the new nursery lint rule useExplicitReturnType. It reports TypeScript functions and methods that omit an explicit return type.

    function toString(x: any) {
  // rule triggered, it doesn't declare a return type
  return x.toString();
}

  • #9828 9e40844 Thanks @​ematipico! - Fixed #9484: the formatter no longer panics when formatting files that contain graphql tagged template literals combined with parenthesized expressions.

  • #9886 e7c681e Thanks @​ematipico! - Fixed an issue where, occasionally, some bindings and references were not properly tracked, causing false positives from noUnusedVariables and noUndeclaredVariables in Svelte, Vue, and Astro files.

  • #9760 5b16d18 Thanks @​myx0m0p! - Fixed #4093: the noDelete rule no longer triggers for delete process.env.FOO, since delete is the documented way to remove environment variables in Node.js.

  • #9799 2af8efd Thanks @​minseong0324! - Added the rule noMisleadingReturnType. The rule detects when a function's return type annotation is wider than what the implementation actually returns.

    // Flagged: `: string` is wider than `"loading" | "idle"`
function getStatus(b: boolean): string {
  if (b) return "loading";
  return "idle";
}

  • #9880 7f67749 Thanks @​dyc3! - Improved the diagnostics for useFind to better explain the problem, why it matters, and how to fix it.

  • #9755 bff7bdb Thanks @​ematipico! - Improved performance of fix-all operations (--write). Biome is now smarter when it runs lint rules and assist actions. First, it runs only rules that have code fixes, and then runs the rest of the rules.

  • #8651 aafca2d Thanks @​siketyan! - Add a new lint rule useDisposables for JavaScript, which detects disposable objects assigned to variables without using or await using syntax. Disposable objects that implement the Disposable or AsyncDisposable interface are intended to be disposed of after use. Not disposing them can lead to resource or memory leaks, depending on the implementation.

    Invalid:

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.11

Patch Changes

  • #9350 4af4a3a Thanks @​dyc3! - Added the new nursery rule useConsistentTestIt in the test domain. The rule enforces consistent use of either it or test for test functions in Jest/Vitest suites, with separate control for top-level tests and tests inside describe blocks.

    Invalid:

    test("should fly", () => {}); // Top-level test using 'test' flagged, convert to 'it'
describe("pig", () => {
test("should fly", () => {}); // Test inside 'describe' using 'test' flagged, convert to 'it'
});

  • #9429 a2f3f7e Thanks @​ematipico! - Added the new nursery lint rule useExplicitReturnType. It reports TypeScript functions and methods that omit an explicit return type.

    function toString(x: any) {
  // rule triggered, it doesn't declare a return type
  return x.toString();
}

  • #9828 9e40844 Thanks @​ematipico! - Fixed #9484: the formatter no longer panics when formatting files that contain graphql tagged template literals combined with parenthesized expressions.

  • #9886 e7c681e Thanks @​ematipico! - Fixed an issue where, occasionally, some bindings and references were not properly tracked, causing false positives from noUnusedVariables and noUndeclaredVariables in Svelte, Vue, and Astro files.

  • #9760 5b16d18 Thanks @​myx0m0p! - Fixed #4093: the noDelete rule no longer triggers for delete process.env.FOO, since delete is the documented way to remove environment variables in Node.js.

  • #9799 2af8efd Thanks @​minseong0324! - Added the rule noMisleadingReturnType. The rule detects when a function's return type annotation is wider than what the implementation actually returns.

    // Flagged: `: string` is wider than `"loading" | "idle"`
function getStatus(b: boolean): string {
  if (b) return "loading";
  return "idle";
}

  • #9880 7f67749 Thanks @​dyc3! - Improved the diagnostics for useFind to better explain the problem, why it matters, and how to fix it.

  • #9755 bff7bdb Thanks @​ematipico! - Improved performance of fix-all operations (--write). Biome is now smarter when it runs lint rules and assist actions. First, it runs only rules that have code fixes, and then runs the rest of the rules.

  • #8651 aafca2d Thanks @​siketyan! - Add a new lint rule useDisposables for JavaScript, which detects disposable objects assigned to variables without using or await using syntax. Disposable objects that implement the Disposable or AsyncDisposable interface are intended to be disposed of after use. Not disposing them can lead to resource or memory leaks, depending on the implementation.

    Invalid:

    

    • 






... (truncated)





Commits






Updates eslint-plugin-jest from 29.15.1 to 29.15.2<
8000
/p>


Release notes

Sourced from eslint-plugin-jest's releases.




v29.15.2


29.15.2 (2026-04-09)


Bug Fixes


    

  • valid-mock-module-path: don't report virtual mocks (#1946) (a1916d1)
    • 








Changelog

Sourced from eslint-plugin-jest's changelog.




29.15.2 (2026-04-09)


Bug Fixes


    

  • valid-mock-module-path: don't report virtual mocks (#1946) (a1916d1)
    • 








Commits






Updates jscpd from 4.0.8 to 4.0.9



Commits






Updates next from 16.2.2 to 16.2.3



Release notes

Sourced from next's releases.




v16.2.3




[!NOTE]
This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.




Core Changes


    

  • Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
    • 

  • Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
    • 

  • Deduplicate output assets and detect content conflicts on emit (#92292)
    • 

  • Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
    • 

  • turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)
    • 



Credits


Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!







Commits

    

  • d5f649b v16.2.3
    • 

  • 2873928 [16.x] Avoid consuming cyclic models multiple times (#75)
    • 

  • d7c7765 [backport]: Ensure app-page reports stale ISR revalidation errors via onReque...
    • 

  • c573e8c fix(server-hmr): metadata routes overwrite page runtime HMR handler (#92273)
    • 

  • 57b8f65 next-core: deduplicate output assets and detect content conflicts on emit (#9...
    • 

  • f158df1 Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
    • 

  • 356d605 turbo-tasks-backend: stability fixes for task cancellation and error handling...
    • 

  • 3b77a6e Fix DashMap read-write self-deadlock in task_cache causing hangs (#92210)
    • 

  • b2f208a Backport: new view-transitions guide, update and fixes (#92264)
    • 

  • See full diff in compare view
    • 







Updates prettier from 3.8.1 to 3.8.2



Release notes

Sourced from prettier's releases.




3.8.2


    

  • Support Angular v21.2
    • 



🔗 Changelog







Changelog

Sourced from prettier's changelog.




3.8.2


diff


Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)


Exhaustive typechecking with @default never;



<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}


arrow function and instanceof expressions.



<!-- Input -->
@let fn = (a) =>        a?    1:2;
{{ fn ( a         instanceof b)}}
<!-- Prettier 3.8.1 -->
@​let fn = (a) =>        a?    1:2;
{{ fn ( a         instanceof b)}}
<!-- Prettier 3.8.2 -->
@​let fn = (a) => (a ? 1 : 2);
{{ fn(a instanceof b) }}







Commits






Updates react from 19.2.4 to 19.2.5



Release notes

Sourced from react's releases.




19.2.5 (April 8th, 2026)


React Server Components








Commits






Updates react-dom from 19.2.4 to 19.2.5



Release notes

Sourced from react-dom's releases.




19.2.5 (April 8th, 2026)


React Server Components








Commits






Updates renovate from 43.110.3 to 43.110.14



Release notes

Sourced from renovate's releases.




43.110.14


43.110.14 (2026-04-10)


Bug Fixes


    

  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.23 (main) (#42527) (7766644)
    • 



43.110.13


43.110.13 (2026-04-10)


Bug Fixes


    

  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.22 (main) (#42525) (736ab3d)
    • 



Miscellaneous Chores


    

  • deps: update dependency esbuild to v0.27.7 (main) (#42521) (c8e14ba)
    • 

  • deps: update dependency esbuild to v0.28.0 (main) (#42522) (9bf3f64)
    • 

  • workers/repository: split malicious dependency checks (#42508) (a945d8b)
    • 



43.110.12


43.110.12 (2026-04-09)


Bug Fixes


    

  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.21 (main) (#42512) (d2493d0)
    • 



43.110.11


43.110.11 (2026-04-09)


Bug Fixes


    

  • deps: update ghcr.io/renovatebot/base-image docker tag to v13.33.20 (main) (#42511) (a10dd73)
    • 



Miscellaneous Chores


    

  • deps: update dependency vitest-mock-extended to v3.1.1 (main) (#42505) (3ce4aad)
    • 

  • workers/repository: log warning on skipReason: malicious (#42504) (1caa918)
    • 



43.110.10


43.110.10 (2026-04-09)


Bug Fixes



Miscellaneous Chores






... (truncated)





Commits

    

  • 7766644 fix(deps): update ghcr.io/renovatebot/base-image docker tag to v13.33.23 (mai...
    • 

  • 736ab3d fix(deps): update ghcr.io/renovatebot/base-image docker tag to v13.33.22 (mai...
    • 

  • 9bf3f64 chore(deps): update dependency esbuild to v0.28.0 (main) (#42522)
    • 

  • a945d8b chore(workers/repository): split malicious dependency checks (#42508)
    • 

  • c8e14ba chore(deps): update dependency esbuild to v0.27.7 (main) (#42521)
    • 

  • d2493d0 fix(deps): update ghcr.io/renovatebot/base-image docker tag to v13.33.21 (mai...
    • 

  • a10dd73 fix(deps): update ghcr.io/renovatebot/base-image docker tag to v13.33.20 (mai...
    • 

  • 3ce4aad chore(deps): update dependency vitest-mock-extended to v3.1.1 (main) (#42505)
    • 

  • 1caa918 chore(workers/repository): log warning on skipReason: malicious (#42504)
    • 

  • 6146355 chore(types): add a skipReason: malicious (#42500)
    • 

  • Additional commits viewable in compare view
    • 







Updates stylelint-config-recommended-scss from 17.0.0 to 17.0.1



Release notes

Sourced from stylelint-config-recommended-scss's releases.




17.0.1


    

  • Fixed: false positive for no-invalid-position-declaration inside a mixin (#373).
    • 








Changelog

Sourced from stylelint-config-recommended-scss's changelog.




17.0.1


    

  • Fixed: false positive for no-invalid-position-declaration inside a mixin (#373).
    • 








Commits






Updates textlint from 15.5.2 to 15.5.4



Commits

    

  • 728f427 v15.5.4 (#1997)
    • 

  • 212b941 fix: add packages config to lerna.json (#1996)
    • 

  • a3f50fa refactor: drop unused/replaceable deps (clone, mkdirp, shelljs) (#1994)
    • 

  • bd5236d v15.5.3 (#1993)
    • 

  • ecb09ed chore(deps): update node.js to v22.22.2 (#1898)
    • 

  • 08a9cdc chore: migrate from eslint to oxlint (#1992)
    • 

  • a8d178a chore: migrate to pnpm catalog for external dependencies (#1991)
    • 

  • 34148ec chore(deps): update benchmark-action/github-action-benchmark action to v1.22....
    • 

  • d2adcf5 fix(ci): remove leftover lerna --scope flag from website build (#1989)
    • 

  • 5c0b9bd chore: migrate from lerna to lerna-lite and remove nx (#1988)
    • 

  • Additional commits viewable in compare view
    • 







Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.





Dependabot commands and options



You can trigger Dependabot actions by commenting on this PR:


    

  • @dependabot rebase will rebase this PR
    • 

  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • 

  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
    • 

  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
    • 

  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
    • 

  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
    • 

  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
    • 

  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    • 




    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



                    

          
        





  





    



      

  
        

  

      

  
  

  
          

  

    

      


  

      
        @dependabot
  




      

        
          deps(npm): bump the npm group across 1 directory with 10 updates
        

          
                        
      


      

        

    
    
    

  

    


      


      

        

          

    
    
    

  

  

    
  



        

      


      

        
          f34d57b
        
      

    

  

    

      
Bumps the npm group with 10 updates in the /dependencies directory:

| Package | From | To |
| --- | --- | --- |
| [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.4.10` | `2.4.11` |
| [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) | `29.15.1` | `29.15.2` |
| [jscpd](https://github.com/kucherenko/jscpd) | `4.0.8` | `4.0.9` |
| [next](https://github.com/vercel/next.js) | `16.2.2` | `16.2.3` |
| [prettier](https://github.com/prettier/prettier) | `3.8.1` | `3.8.2` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.5` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.5` |
| [renovate](https://github.com/renovatebot/renovate) | `43.110.3` | `43.110.14` |
| [stylelint-config-recommended-scss](https://github.com/stylelint-scss/stylelint-config-recommended-scss) | `17.0.0` | `17.0.1` |
| [textlint](https://github.com/textlint/textlint) | `15.5.2` | `15.5.4` |



Updates `@biomejs/biome` from 2.4.10 to 2.4.11
- [Release notes](https://github.com/biomejs/biome/releases)
- [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md)
- [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.11/packages/@biomejs/biome)

Updates `eslint-plugin-jest` from 29.15.1 to 29.15.2
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](jest-community/eslint-plugin-jest@v29.15.1...v29.15.2)

Updates `jscpd` from 4.0.8 to 4.0.9
- [Changelog](https://github.com/kucherenko/jscpd/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kucherenko/jscpd/commits)

Updates `next` from 16.2.2 to 16.2.3
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.2...v16.2.3)

Updates `prettier` from 3.8.1 to 3.8.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.1...3.8.2)

Updates `react` from 19.2.4 to 19.2.5
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react)

Updates `react-dom` from 19.2.4 to 19.2.5
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.5/packages/react-dom)

Updates `renovate` from 43.110.3 to 43.110.14
- [Release notes](https://github.com/renovatebot/renovate/releases)
- [Commits](renovatebot/renovate@43.110.3...43.110.14)

Updates `stylelint-config-recommended-scss` from 17.0.0 to 17.0.1
- [Release notes](https://github.com/stylelint-scss/stylelint-config-recommended-scss/releases)
- [Changelog](https://github.com/stylelint-scss/stylelint-config-recommended-scss/blob/master/CHANGELOG.md)
- [Commits](stylelint-scss/stylelint-config-recommended-scss@v17.0.0...v17.0.1)

Updates `textlint` from 15.5.2 to 15.5.4
- [Release notes](https://github.com/textlint/textlint/releases)
- [Commits](textlint/textlint@v15.5.2...v15.5.4)

---
updated-dependencies:
- dependency-name: "@biomejs/biome"
  dependency-version: 2.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: eslint-plugin-jest
  dependency-version: 29.15.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: jscpd
  dependency-version: 4.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: next
  dependency-version: 16.2.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: prettier
  dependency-version: 3.8.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: react
  dependency-version: 19.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: react-dom
  dependency-version: 19.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: renovate
  dependency-version: 43.110.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: stylelint-config-recommended-scss
  dependency-version: 17.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: textlint
  dependency-version: 15.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>

    







  








      

  
            

    

      
    

    


      


          @dependabot
dependabot
bot



            added
      

  dependencies

  Pull requests that update a dependency file

      

  javascript

  Pull requests that update Javascript code

  labels


      Apr 10, 2026

    

  



  
    

    

      
    

    


      


          @dependabot
dependabot
bot



            added
      

  dependencies

  Pull requests that update a dependency file

      

  javascript

  Pull requests that update Javascript code

  labels


      Apr 10, 2026

    

  



  

  
  

  
    
            @github-actions
  github-actions
bot
enabled auto-merge

    April 10, 2026 13:37    
    









      

  
      



  

  @github-actions






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
    Contributor


        

    

  


  
    

      
          
      

      
            github-actions
  bot

      

      

      commented


        Apr 10, 2026


      
    


  




      


        



  
    

      
          
Super-linter summary






Language
Validation result






BIOME_FORMAT
Pass ✅




BIOME_LINT
Pass ✅




CHECKOV
Pass ✅




EDITORCONFIG
Pass ✅




GITLEAKS
Pass ✅




GIT_COMMITLINT
Pass ✅




GIT_MERGE_CONFLICT_MARKERS
Pass ✅




JSCPD
Pass ✅




JSON
Pass ✅




JSON_PRETTIER
Pass ✅




PRE_COMMIT
Pass ✅




SPELL_CODESPELL
Pass ✅




TRIVY
Fail ❌






Super-linter detected linting errors


For more information, see the

GitHub Actions workflow run


Powered by Super-linter



TRIVY

trivy filesystem --config /github/workspace/.github/linters/trivy.yaml /github/workspace

Report Summary

┌─────────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│               Target                │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dependencies/Gemfile.lock           │  bundler   │        0        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dependencies/composer/composer.lock │  composer  │        0        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dependencies/package-lock.json      │    npm     │        1        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dev-dependencies/package-lock.json  │    npm     │        0        │         -         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ Dockerfile                          │ dockerfile │        -        │         0         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ dev-dependencies/Dockerfile         │ dockerfile │        -        │         0         │    -    │
├─────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ test/linters/trivy/good/Dockerfile  │ dockerfile │        -        │         0         │    -    │
└─────────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


dependencies/package-lock.json (npm)
====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ axios   │ CVE-2025-62718 │ CRITICAL │ fixed  │ 1.13.6            │ 1.15.0        │ Axios has a NO_PROXY Hostname Normalization Bypass Leads to │
│         │                │          │        │                   │               │ SSRF                                                        │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-62718                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘





      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    
















  
  

    

      

  










  








  
      

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  










      

  

    
    

    

  

    Reviewers
  


    


      

          


  
      @zkoppert
  
    zkoppert


                Awaiting requested review from zkoppert

                    zkoppert is a code owner

        
      

      

          


  
      @Hanse00
  
    Hanse00


                Awaiting requested review from Hanse00

                    Hanse00 is a code owner

        
      

      

          


  
      @ferrarimarco
  
    ferrarimarco


                Awaiting requested review from ferrarimarco

                    ferrarimarco is a code owner

        
      


        

      At least 1 approving review is required to merge this pull request.
  








    
    
    

    

  


      
  

    Assignees
  



        


    No one assigned







      


  


  

    Labels
  



    

      

    dependencies

  Pull requests that update a dependency file
  

    javascript

  Pull requests that update Javascript code








      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
        

  

    

      0 participants
    

    

    

  






    


    


    


    











  




    

  


  


          



    




  

    

    

    





    

    

    

  



0