This page collects WhisperX intelligence signals tagged #dependency-update. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical security vulnerability in the Vite development server has been patched in the major v6.0.0 release. The flaw, tracked as CVE-2026-39365, could allow an attacker to retrieve files ending in `.map` from outside the project's root directory, potentially exposing sensitive source map data. This is not a theoreti...
A critical security vulnerability in the popular Hono.js web framework allows attackers to corrupt HTML output and potentially inject unintended code. The flaw, tracked as GHSA-458j-xx4x-4375, resides in the framework's JSX/dom component. It stems from improper handling of JSX attribute names during server-side renderi...
A critical SQL injection vulnerability has been identified and patched in github.com/jackc/pgx/v5, a widely adopted PostgreSQL driver for Go applications. The flaw, tracked as GHSA-j88v-2chj-qfwx, was resolved in version 5.9.2, with users advised to upgrade from the affected v5.9.0 release. The vulnerability carries si...
An automated dependency update merged into a codebase this week addresses a security concern in Kysely, a widely-used TypeScript SQL query builder library, with the patch upgrading the package from version 0.27.6 to 0.28.16. The update, flagged with a [security] label and processed through Renovate bot, targets a SQL i...
The maintainers of Gradio, the popular open-source framework for building machine learning applications, have addressed a critical server-side request forgery (SSRF) vulnerability tracked as CVE-2026-28416. The flaw resided in the `gr.load()` configuration processing logic, where a malicious `proxy_url` parameter could...
The path-to-regexp library has been updated to version 8.4.0, addressing two documented security vulnerabilities identified as CVE-2026-4926 and CVE-2026-4923. The update includes fixes that restrict wildcard backtracking when more than one wildcard appears in a path, a pattern that could otherwise expose applications ...
A critical CSS injection vulnerability has been identified in Mermaid, the widely-used open-source diagram and charting library. Tracked as CVE-2026-41159 (GHSA-87f9-hvmw-gh4p), the flaw stems from improper sanitization of user-supplied configuration options, allowing injected styles to apply beyond the boundaries of r...
A critical memory leak vulnerability has been identified in UltraJSON (ujson) version 5.12.0, prompting the release of security patch v5.12.1. Tracked as CVE-2026-44660 and documented in GitHub Advisory GHSA-c38f-wx89-p2xg, the flaw manifests when ujson.dump() writes to a file-like object and the write operation raises...
A security vulnerability has been identified in fast-xml-parser, a widely-used XML parsing library, enabling attackers to inject XML comments and CDATA sections through unescaped delimiters. Tracked as CVE-2026-41650 and GHSA-gh4j-gqv2-49f6, the flaw resides specifically in the XMLBuilder component of the parser. The v...