WhisperX tag archive

#dependency management

This page collects WhisperX intelligence signals tagged #dependency management. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-03-26 04:27:03 · GitHub Issues

1. Security Alert: High/Critical Vulnerability Detected in 'develop' Branch package-lock.json

An automated security scan has flagged a high or critical-severity vulnerability within the `develop` branch of the `trivy-actions-with-issue-creation` repository. The scan, triggered by user @veenoise, specifically identified the issue within the `package-lock.json` file, a core dependency manifest for Node.js project...

The Lab · 2026-03-26 06:27:00 · GitHub Issues

2. Security Audit Flags High-Risk Vulnerabilities in AutoMapper, Scriban, and Frontend Dependencies

A critical security audit has exposed a significant supply chain risk within a software project, identifying multiple high-severity vulnerabilities in core dependencies. The audit found known, exploitable flaws in the .NET packages AutoMapper 12.0.1 and Scriban 6.5.5, with the latter harboring three separate advisories...

The Lab · 2026-03-26 18:27:25 · GitHub Issues

3. Python filelock v3.20.3 Patches Critical TOCTOU Race Condition (CVE-2025-68146)

A critical security vulnerability in the widely-used Python `filelock` library has been patched, exposing systems to potential file corruption and symlink attacks. The flaw, tracked as CVE-2025-68146 and GHSA-w853-jp5j-5j7f, is a Time-of-Check-Time-of-Use (TOCTOU) race condition that allows local attackers to corrupt o...

The Lab · 2026-03-26 18:27:32 · GitHub Issues

4. Pebble 3.2.0 Java Template Engine Exposes Critical 6.8-Severity Vulnerability

A critical security flaw has been identified in the widely used Pebble Java templating engine, version 3.2.0. The vulnerability, rated with a severity score of 6.8 (Medium), is confirmed as reachable within the application's codebase, posing a direct risk of exploitation. This is not a theoretical threat; the vulnerabl...

The Lab · 2026-03-27 05:27:03 · GitHub Issues

5. Webpack v5.104.1 Patches Critical DOM Clobbering Vulnerability (CVE-2024-43788)

A critical security update for the widely-used JavaScript module bundler Webpack patches a DOM Clobbering vulnerability that can lead to cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2024-43788, resides in Webpack's `AutoPublicPathRuntimeModule`. This module is a core component for determining the public...

The Lab · 2026-03-27 21:27:23 · GitHub Issues

6. Python Requests Library Security Flaw: CVE-2026-25645 Exposes Temp Directory Hijack Risk

A critical security vulnerability has been disclosed in the widely-used Python `requests` library, tracked as CVE-2026-25645. The flaw resides in the `requests.utils.extract_zipped_paths()` utility function, which uses a predictable filename when extracting files from zip archives into the system's temporary directory....

The Lab · 2026-03-28 00:27:09 · GitHub Issues

7. Critical CVE-2026-4867 in Express.js 4.22.1: High-Severity Path-to-Regexp Vulnerability Exposes Projects

A high-severity vulnerability, CVE-2026-4867, has been identified in the widely used Express.js framework version 4.22.1. The flaw, with a CVSS score of 7.5, resides in the `path-to-regexp` dependency, a core library for parsing URL paths. This security gap exposes any application built on this specific version of Expr...

The Lab · 2026-03-28 00:27:10 · GitHub Issues

8. DemoCorp AI Project Exposed: Critical 7.5-Severity Vulnerabilities Found in Grunt Dependency

A critical security exposure has been identified within the DemoCorp AI-Based-Classification project on GitHub. The automated scan reveals six distinct vulnerabilities embedded in the project's dependency chain, with the highest severity rated at a critical 7.5 CVSS score. The flaw originates from the `grunt-1.6.1.tgz`...

The Lab · 2026-03-28 12:27:06 · GitHub Issues

9. Astro Relative Links 0.4.2 Package Exposes Multiple Projects to High-Severity Vulnerabilities

A critical security alert has been triggered for the `astro-relative-links-0.4.2.tgz` package, which contains four distinct vulnerabilities, the most severe rated at 7.5 on the CVSS scale. This vulnerable library is not an isolated dependency but is deeply embedded across a wide array of tutorial and source code projec...

The Lab · 2026-03-29 01:27:04 · GitHub Issues

10. Critical DoS Vulnerability in node-forge 1.3.2: Infinite Loop in BigInteger.modInverse()

A high-severity Denial of Service (DoS) vulnerability has been patched in the widely used cryptographic library node-forge. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this function is called with a zero value as input, the interna...

The Lab · 2026-03-29 05:26:53 · GitHub Issues

11. Angular Core v19 Update Closes Critical XSS Vulnerability in SVG Script Handling (CVE-2026-22610)

A critical security vulnerability in the Angular framework has been patched, forcing a major version jump from v16 to v19 for dependent projects. The flaw, tracked as CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6), is a cross-site scripting (XSS) vulnerability that stems from the framework's failure to properly sanitize SVG scri...

The Lab · 2026-03-29 05:26:55 · GitHub Issues

12. Angular Compiler Security Update: Critical XSS Vulnerability in SVG Script Handling (CVE-2026-22610)

A critical security vulnerability in the Angular framework's compiler component has been disclosed, prompting an urgent dependency update. The flaw, tracked as CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6), involves a cross-site scripting (XSS) risk stemming from unsanitized SVG script attributes. This vulnerability could allow...

The Lab · 2026-03-29 16:27:05 · GitHub Issues

13. Critical HTTP/2 DoS Flaw CVE-2023-44487 Forces Major Build Pinning in Eclipse Jetty Project

A critical vulnerability in the Eclipse Jetty project has forced a significant and complex build-system intervention to mitigate a denial-of-service risk. The flaw, CVE-2023-44487, is an HTTP/2 Rapid Reset Attack that allows an attacker to bypass concurrent stream limits and cause a DoS condition through rapid stream c...

The Lab · 2026-03-30 18:27:25 · GitHub Issues

14. Nuxt Security Flaw: navigateTo Function Fails to Block javascript: Protocol (CVE-2024-34343)

A critical security vulnerability has been disclosed in the Nuxt framework, exposing web applications to potential cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2024-34343, resides in the `navigateTo` function, which is designed to block the `javascript:` protocol but fails to correctly utilize the secur...

The Lab · 2026-03-30 18:27:28 · GitHub Issues

15. AutoMapper v15 Security Update Patches Critical DoS Vulnerability (CVE-2026-32933)

A critical security vulnerability in the widely-used AutoMapper library has been patched, forcing a major version jump from 12.0.1 to 15.1.3. The flaw, tracked as CVE-2026-32933, exposes applications to Denial of Service (DoS) attacks. The core issue lies in the library's handling of object mapping: when processing dee...

The Lab · 2026-03-30 22:27:11 · GitHub Issues

16. Apollo Server v5 Security Update Pushes Critical Dependency Patch Across Codebases

A security-driven dependency update is forcing a major version jump for thousands of projects relying on Apollo Server. The automated pull request mandates an upgrade from version 4.7.1 to at least version 5.0.0, a significant leap that carries inherent integration risks. The update is flagged with a [SECURITY] tag, in...

The Lab · 2026-03-30 23:27:09 · GitHub Issues

17. Nuxt Security Flaw CVE-2024-34343: navigateTo Function Fails to Block javascript: Protocol

A critical security vulnerability in the Nuxt framework, tracked as CVE-2024-34343, exposes applications to potential cross-site scripting (XSS) attacks. The flaw resides in the `navigateTo` function, which is designed to block the `javascript:` protocol but fails to correctly utilize the APIs provided by the underlyin...

The Lab · 2026-03-31 10:27:08 · GitHub Issues

18. AutoMapper v15 Security Update Patches Critical DoS Vulnerability (CVE-2026-32933)

A critical security vulnerability in the widely-used AutoMapper library exposes countless .NET applications to potential Denial of Service (DoS) attacks. The flaw, tracked as CVE-2026-32933, stems from the library's handling of deeply nested object graphs. During mapping operations, AutoMapper employs recursive method ...

The Lab · 2026-03-31 17:27:28 · GitHub Issues

19. Nodemailer Security Flaw CVE-2025-13033: Email Parsing Bug Risks Message Misrouting

A critical security vulnerability in the widely-used Nodemailer library exposes applications to email misrouting. The flaw, tracked as CVE-2025-13033, stems from the library's incorrect handling of quoted local-parts containing the '@' symbol within email addresses. This parsing error can cause emails to be delivered t...

The Lab · 2026-04-01 01:27:10 · GitHub Issues

20. Flask Web Framework Security Alert: CVE-2023-30861 Exposes Session Cookie Leak Risk

A critical security vulnerability in the widely used Flask web framework could allow a client's session cookie to be leaked to other users through misconfigured proxy caches. The flaw, tracked as CVE-2023-30861, is triggered under specific conditions where a proxy caches HTTP responses containing `Set-Cookie` headers. ...