WhisperX tag archive

#dependency

This page collects WhisperX intelligence signals tagged #dependency. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Network · 2026-03-07 03:12:43 · ai

1. Security Vulnerability Blocked by Corrupted Lockfile: ajv ReDoS Risk Persists in Dependencies

A moderate-severity security vulnerability (CVSS 5.5) in the ajv JSON schema validator library has been identified but cannot be automatically patched due to a corrupted project lockfile. The vulnerability is a Regular Expression Denial of Service (ReDoS) that affects versions of ajv below 8.18.0 when using the $data o...

The Lab · 2026-03-25 19:27:31 · GitHub Issues

2. Ruby JSON Library Patches Critical Format String Injection Vulnerability (CVE-2026-33210)

A critical security vulnerability that exposed applications to a format string injection attack has been patched in the widely used Ruby JSON library. The flaw, tracked as CVE-2026-33210, was present in the `JSON.parse` method when used with the `allow_duplicate_key: false` option. This type of vulnerability can potential...

The Lab · 2026-03-26 06:27:05 · GitHub Issues

3. Critical YAML Parser Vulnerability (CVE-2026-33532) Exposes Projects to Stack Overflow Attacks

A critical security flaw in the widely used `yaml` npm package, tracked as CVE-2026-33532, exposes countless software projects to denial-of-service attacks. The vulnerability, a stack overflow in the parser's composition phase, allows an attacker to crash a Node.js application by feeding it a maliciously crafted YAML d...

The Lab · 2026-03-26 08:27:07 · GitHub Issues

4. Order-Service Exposed: 6 Critical npm Vulnerabilities Open Door to DoS, File Overwrite, and Data Breach

An automated security audit has exposed six high and critical vulnerabilities in the order-service, creating a direct path for denial-of-service attacks, arbitrary file overwrites, and potential data breaches. The findings, flagged by npm audit, reveal a dangerously outdated dependency chain that could allow attackers ...

The Lab · 2026-03-26 18:27:37 · GitHub Issues

5. Microsoft JDBC Driver 11.2.3 Contains High-Severity Vulnerability (CVSS 8.1), Scanner Flags Unreachable Code Path

A critical security vulnerability with a CVSS score of 8.1 has been identified in the Microsoft JDBC Driver for SQL Server, version 11.2.3.jre17. The vulnerability scanner report indicates the flaw is present in the library file `mssql-jdbc-11.2.3.jre17.jar`, but the specific code path is currently marked as 'unreachab...

The Lab · 2026-03-27 06:27:03 · GitHub Issues

6. Sentry JavaScript SDK Exposed to High-Severity fast-xml-parser Vulnerabilities

A high-severity security vulnerability has been identified within the `getsentry/sentry-javascript` repository, stemming from the `fast-xml-parser` dependency. The flaw, classified as conditionally reachable, poses a significant risk of information disclosure. The exact technical details of the vulnerability are being ...

The Lab · 2026-03-27 10:27:13 · GitHub Issues

7. Critical DoS Flaw in Node-Forge Library (CVE-2026-33891) Prompts Urgent Update to v1.4.0

A high-severity Denial of Service (DoS) vulnerability has been patched in the widely used `node-forge` cryptography library, forcing developers to urgently update to version 1.4.0. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this f...

The Lab · 2026-03-27 18:27:36 · GitHub Issues

8. Jackson Core Security Flaw: Async Parser Bypasses Critical Number Length Constraint

A critical security vulnerability in the widely used Jackson Core library allows attackers to bypass a key defense mechanism. The non-blocking (async) JSON parser fails to enforce the `maxNumberLength` constraint, a limit designed to prevent denial-of-service attacks. This flaw, tracked as GHSA-72hv-8253-57qq, means an...

The Lab · 2026-03-28 05:26:57 · GitHub Issues

9. Adobe AEM Cloud Staging Site Exposed: Critical bnd Library Vulnerability (CVE-2023-XXXXX) Requires Urgent Patch

A critical security vulnerability has been flagged on an Adobe Experience Manager (AEM) Cloud staging environment, exposing a potential entry point for attackers. The issue centers on the publish-p138954-e320524-cmstg.adobeaemcloud.com site, which is running an outdated and vulnerable version of the `biz.aQute.bnd` (bn...

The Lab · 2026-03-28 10:26:59 · GitHub Issues

10. Security Patch: High-Severity ReDoS Vulnerability in Lighthouse CI Toolchain Fixed via pnpm Override

A high-severity security vulnerability in a critical dependency chain has been patched using a targeted package manager override. The fix addresses a confirmed ReDoS (Regular Expression Denial of Service) flaw in the `path-to-regexp` library, version 0.1.12, which was being pulled in as a transitive dependency. This vu...

The Lab · 2026-03-28 18:26:52 · GitHub Issues

11. Pygments ReDoS Vulnerability Triggers Multiple Dependabot Alerts, No Patch Available

A latent Regular Expression Denial of Service (ReDoS) vulnerability in the Pygments syntax highlighter library has triggered a cluster of low-severity Dependabot security alerts within a software ecosystem. The core risk stems from an inefficient regular expression used for GUID matching, which could allow an attacker ...

The Lab · 2026-03-29 01:27:01 · GitHub Issues

12. Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`

A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a ...

The Lab · 2026-03-29 11:26:59 · GitHub Issues

13. Nokogiri Gem Vulnerability GHSA-xc9x-jj77-9p9j Exposes Ruby Apps to Data Type Exploit

A critical vulnerability, tracked as GHSA-xc9x-jj77-9p9j, has been disclosed within the widely used Nokogiri gem, a core library for parsing HTML and XML in Ruby applications. The flaw stems from improper handling of unexpected data types, potentially exposing countless Ruby and Rails projects to exploitation. The main...

The Lab · 2026-03-29 18:26:59 · GitHub Issues

14. Happy-DOM Security Patch Fixes Cookie Forwarding Vulnerability (GHSA-w4gp-fjgq-3q4g)

A critical security vulnerability in the popular JavaScript testing library Happy-DOM has been patched, addressing a flaw that could have exposed user session data. The issue, tracked as GHSA-w4gp-fjgq-3q4g, involved the library incorrectly forwarding cookies from the current origin to the target origin during fetch re...

The Lab · 2026-03-30 02:27:06 · GitHub Issues

15. Node-Forge 1.4.0 Patches Critical DoS Flaw in Widely Used Crypto Library

A critical security vulnerability that exposed countless Node.js applications to potential denial-of-service attacks has been patched in the widely used `node-forge` cryptographic library. The flaw, rated HIGH severity, resides in the `BigInteger.modInverse()` function, which can be triggered to send a process into an inf...

The Lab · 2026-03-30 12:27:07 · GitHub Issues

16. Nodemailer v8 Security Patch: Critical SMTP Command Injection Vulnerability Fixed

A critical security vulnerability in the widely used Nodemailer email-sending library has been patched in its new major version, v8. The flaw, tracked as GHSA-c7w3-x93f-qmm8, allowed for arbitrary SMTP command injection, posing a severe risk to any application using the library to send mail. This is not a theoretical w...

The Lab · 2026-03-30 17:27:28 · GitHub Issues

17. Critical DoS Flaw in node-forge (CVE-2026-33891) Prompts Urgent Update to v1.4.0

A high-severity Denial of Service vulnerability has been patched in the widely used node-forge cryptography library, forcing developers to urgently update to version 1.4.0. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this function ...

The Lab · 2026-04-01 06:26:58 · GitHub Issues

18. Vite 8, ESLint 10, jsdom 29: Critical Security Overhaul in v0.4.0 Targets 6 HIGH-Severity Vulnerabilities

A major dependency overhaul for version 0.4.0 is underway, driven by the urgent need to patch at least six HIGH-severity security vulnerabilities. The update targets over 25 packages, with the most critical fixes addressing an arbitrary file write flaw in `rollup`, multiple ReDoS (Regular Expression Denial of Service) ...

The Lab · 2026-04-01 06:26:59 · GitHub Issues

19. Vite 8 Migration Resolves HIGH Severity Rollup Vulnerability in Project

A critical security vulnerability has prompted a mandatory upgrade from Vite 7 to Vite 8 within a project's development pipeline. The move directly addresses a HIGH severity flaw in Rollup 4, identified as GHSA-mw96-cpmx-2vgc, which allows for arbitrary file writes via path traversal. Vite 8 resolves this by replacing ...

The Lab · 2026-04-01 22:27:14 · GitHub Issues

20. Vite v5 Security Update Patches Critical File Exposure Flaw (CVE-2025-58752)

A critical security vulnerability in the Vite development server has been patched, requiring immediate attention from developers. The flaw, tracked as CVE-2025-58752, could allow unauthorized access to any HTML file on the host machine, bypassing the server's configured file system restrictions. This exposure risk is n...