Security Audit Flags High-Risk Vulnerabilities in AutoMapper, Scriban, and Frontend Dependencies
A security audit has exposed a significant supply chain risk within a software project, identifying multiple high-severity vulnerabilities in core dependencies. The audit found known, exploitable flaws in the .NET packages AutoMapper 12.0.1 and Scriban 6.5.5, with the latter carrying three separate advisories, two of them rated HIGH. At the same time, the project's frontend is burdened with 17 npm audit findings, 14 of which are also classified as high-severity vulnerabilities.
The audit evidence is concrete. The .NET vulnerability scan links AutoMapper to a specific high-severity advisory (GHSA-rvv3-g6hj-g44x) and Scriban to three others (GHSA-5rpf-x9jg-8j5p, GHSA-grr9-747v-xvcp, GHSA-wgh7-7m3c-fx25). On the JavaScript side, the npm audit reveals a broad attack surface, with high-risk vulnerabilities affecting a wide array of packages including @rollup/plugin-terser, lodash, minimatch, next-pwa, and multiple workbox components. This combination of outdated and vulnerable packages across both the backend and frontend stacks creates a compounded security exposure.
This finding signals a severe lapse in dependency management and software supply chain hygiene. The presence of these unpatched, publicly documented vulnerabilities leaves the application open to potential exploitation, which could lead to data breaches, remote code execution, or system compromise. The situation demands immediate remediation—updating or replacing the affected packages—to mitigate the tangible risk to the application's security posture and the data it handles.
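The remediation called for above starts with turning the scanners' output into something a pipeline can act on. The following is an added example, not code from the audit or the project it describes: a Python gate that reads the JSON emitted by `npm audit --json` and `dotnet list package --vulnerable --format json`, folds the two tools' severity labels onto one scale, and fails the build while anything at or above HIGH remains. The sample inputs are constructed; their field layout follows the two tools' output formats, the package names are those the audit lists, and the only advisory identifier used is the AutoMapper one cited above. The project path, the `example-moderate-pkg` entry and the `x.y.z` fix version are placeholders.

```python
"""CI gate for dependency-audit output (added example, not the audit's own tooling).

Parses `npm audit --json` (npm 7+) and `dotnet list package --vulnerable --format json`,
normalises severities and reports findings at or above a threshold.
Sample data below is constructed and trimmed to the fields this script reads.
"""
import json
import sys
from collections import Counter

# npm emits lowercase severities ("high"), dotnet capitalised ones ("High");
# both are folded onto this ladder before comparison.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
NPM_AUDIT_SAMPLE = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "isDirect": False,
                   "via": ["lodash"], "fixAvailable": True},
        "minimatch": {"name": "minimatch", "severity": "high", "isDirect": False,
                      "via": ["minimatch"], "fixAvailable": True},
        "next-pwa": {"name": "next-pwa", "severity": "high", "isDirect": True,
                     "via": ["next-pwa"], "fixAvailable": False},
        "@rollup/plugin-terser": {"name": "@rollup/plugin-terser", "severity": "high",
                                  "isDirect": True, "via": ["@rollup/plugin-terser"],
                                  # fixAvailable may be an object when the fix is a major bump
                                  "fixAvailable": {"name": "@rollup/plugin-terser",
                                                   "version": "x.y.z", "isSemVerMajor": True}},
        # placeholder entry so the gate has a below-threshold finding to ignore
        "example-moderate-pkg": {"name": "example-moderate-pkg", "severity": "moderate",
                                 "isDirect": False, "via": ["example-moderate-pkg"],
                                 "fixAvailable": True},
    },
})

# Constructed sample in the shape of `dotnet list package --vulnerable --format json`.
DOTNET_VULNERABLE_SAMPLE = json.dumps({
    "version": 1,
    "parameters": "--vulnerable",
    "projects": [{
        "path": "src/Example.Api/Example.Api.csproj",  # placeholder path
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{
                "id": "AutoMapper", "requestedVersion": "12.0.1", "resolvedVersion": "12.0.1",
                "vulnerabilities": [{
                    "severity": "High",
                    "advisoryurl": "https://github.com/advisories/GHSA-rvv3-g6hj-g44x",
                }],
            }],
        }],
    }],
})


def parse_npm_audit(text):
    """Flatten `npm audit --json` output into a list of finding dicts."""
    report = json.loads(text)
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        findings.append({
            "ecosystem": "npm",
            "package": name,
            "severity": str(entry.get("severity", "")).lower(),
            "direct": bool(entry.get("isDirect", False)),
            "fix_available": bool(entry.get("fixAvailable")),  # bool or fix object
            "advisories": [v["url"] for v in entry.get("via", [])
                           if isinstance(v, dict) and "url" in v],
        })
    return findings


def parse_dotnet_vulnerable(text):
    """Flatten `dotnet list package --vulnerable --format json` output."""
    report = json.loads(text)
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            top = fw.get("topLevelPackages", [])
            for pkg in top + fw.get("transitivePackages", []):
                for vuln in pkg.get("vulnerabilities", []):
                    findings.append({
                        "ecosystem": "nuget",
                        "package": f'{pkg["id"]} {pkg.get("resolvedVersion", "")}'.strip(),
                        "severity": str(vuln.get("severity", "")).lower(),
                        "direct": pkg in top,
                        "fix_available": None,  # dotnet reports the advisory, not a fix version
                        "advisories": [vuln["advisoryurl"]] if "advisoryurl" in vuln else [],
                    })
    return findings


def gate(findings, threshold="high"):
    """Return (severity counts, findings at or above threshold)."""
    floor = SEVERITY_RANK[threshold]
    counts = Counter(f["severity"] for f in findings)
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]
    return counts, blocking


def main(argv=None):
    # Real use: save both tools' JSON to files and pass them as the two arguments;
    # with no arguments the constructed samples are used.
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) == 2:
        with open(argv[0], encoding="utf-8") as f:
            npm_text = f.read()
        with open(argv[1], encoding="utf-8") as f:
            dotnet_text = f.read()
    else:
        npm_text, dotnet_text = NPM_AUDIT_SAMPLE, DOTNET_VULNERABLE_SAMPLE
    findings = parse_npm_audit(npm_text) + parse_dotnet_vulnerable(dotnet_text)
    counts, blocking = gate(findings)
    print("findings by severity:", dict(counts))
    for f in blocking:
        fix = {True: "fix available", False: "NO FIX", None: "see advisory"}[f["fix_available"]]
        print(f'  {f["severity"]:<8} {f["ecosystem"]:<5} {f["package"]:<30} {fix} '
              + " ".join(f["advisories"]))
    return 1 if blocking else 0  # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main())
```

Run with no arguments to see the gate trip on the constructed samples; in a pipeline, feed it the real `npm audit --json` and `dotnet list package --vulnerable --format json` output and let the non-zero exit block the merge. The threshold is deliberately a parameter: a team that has already cleared HIGH and CRITICAL can lower it to `moderate` without changing the code.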