The Lab · 2026-03-28 12:27:06 · GitHub Issues
A critical security alert has been triggered for the `astro-relative-links-0.4.2.tgz` package, which contains four distinct vulnerabilities, the most severe rated at 7.5 on the CVSS scale. This vulnerable library is not an isolated dependency but is deeply embedded across a wide array of tutorial and source code projec...
The Lab · 2026-04-07 00:26:53 · GitHub Issues
A high-severity remote code execution (RCE) vulnerability in the ubiquitous JavaScript utility library `lodash` has triggered an automated security alert within a GitHub repository. The alert, generated by the CVE Remediator bot, warns that any project using a version of `lodash` below 4.17.21 is exposed to potential e...
The Lab · 2026-05-10 20:01:43 · GitHub Issues
A high-severity vulnerability, CVE-2026-44665, has been identified in the `fast-xml-builder` npm package (versions prior to 1.1.7), exposing applications to attribute injection attacks. The flaw, detected by Trivy security scanning, stems from improper handling of quotes within XML attribute values when entity processing...