
@sc979 (Contributor) commented Dec 16, 2025

ci(secu): check dependency actions

github-actions bot commented Dec 16, 2025

Checkmarx One – Scan Summary & Details (scan ID 80436f30-6f88-411e-85dd-bb26a5471c79)

New Issues (20)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

HIGH | CVE-2022-25883 | Npm-semver-5.7.1 | Vulnerable Package
    Recommended version: 5.7.2
    Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: 2z6z4hsdaevHjq4Rl5y4jHwlrw3qihLyeb2hvzSmxd4%3D

HIGH | CVE-2022-25883 | Npm-semver-7.3.7 | Vulnerable Package
    Recommended version: 7.5.2
    Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: z7u%2FSQGpuI7HRZ9rP1Qh2%2FkYNWSrgmCYjDG%2FCxEWxUk%3D

HIGH | CVE-2023-26115 | Npm-word-wrap-1.2.3 | Vulnerable Package
    Recommended version: 1.2.4
    Description: Versions prior to 1.24 of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regu...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: ruy8Uy0cPaqpQ9q6i8okVFXovppY2Kt%2BYxSBdAilU3U%3D

HIGH | CVE-2024-12905 | Npm-tar-fs-2.1.1 | Vulnerable Package
    Recommended version: 2.1.4
    Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: DS4OE0PXgK6TjeC58Ex61myk%2FegwVCLoEOBb0ioCO8E%3D

HIGH | CVE-2024-21538 | Npm-cross-spawn-7.0.3 | Vulnerable Package
    Recommended version: 7.0.5
    Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: c4kVGpyuRq48kFKWTKMvk5swQ6ShZTizQXHUevIvW2o%3D

HIGH | CVE-2024-37890 | Npm-ws-7.5.8 | Vulnerable Package
    Recommended version: 7.5.10
    Description: The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: IfDtGf7WMs4oQXk1oWCMg7xGJVzMdN2ClyYdA6FDYOQ%3D

HIGH | CVE-2024-37890 | Npm-ws-8.5.0 | Vulnerable Package
    Recommended version: 8.17.1
    Description: The ws is an open-source WebSocket client and server for Node.js. A request with a number of headers exceeding the "server.maxHeadersCount" thresho...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: R67Bambxa3xpg6VLQznbar%2FF58lF%2FhjP%2BktCEz3rkvk%3D

HIGH | CVE-2024-4068 | Npm-braces-3.0.2 | Vulnerable Package
    Recommended version: 3.0.3
    Description: The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: orJ5liP%2FUIN6%2Fu%2BCLgYpsRXhjZRBqUQ5PJR4S4ILJEc%3D

HIGH | CVE-2025-48387 | Npm-tar-fs-2.1.1 | Vulnerable Package
    Recommended version: 2.1.4
    Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: Vd1eg%2BHmA0Qs0vNXE8GFjE4ehXfwxlvCvw5RGoNllsc%3D

HIGH | CVE-2025-59343 | Npm-tar-fs-2.1.1 | Vulnerable Package
    Recommended version: 2.1.4
    Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: M%2FQCUT7GSxsql6xURGzvADO7Xgulci3BnvQpYRfvV8A%3D

HIGH | Cxdca8e59f-8bfe | Npm-inflight-1.0.6 | Vulnerable Package
    Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: VlH22%2FdXXc1VzQvnHvqbxWsmN8CbS2w7LE%2BBSR7vc%2FQ%3D

MEDIUM | CVE-2024-4067 | Npm-micromatch-4.0.5 | Vulnerable Package
    Recommended version: 4.0.8
    Description: The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch....
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: vrsQZ6Bv8Nf75WoURUxD4NK0C6TxW6qiP4%2BE5P09AQc%3D

MEDIUM | CVE-2024-47764 | Npm-cookie-0.4.2 | Vulnerable Package
    Recommended version: 0.7.0
    Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: 1nDPy3wJOMgF%2Fr4vXZdHEWS74FGnPvm%2FFbig4vNltVg%3D

MEDIUM | CVE-2025-54798 | Npm-tmp-0.2.3 | Vulnerable Package
    Recommended version: 0.2.4
    Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: SD%2BXtovYYn%2FxCnXsoPcsvHokLyAWtPsNsJygmy6WCZU%3D

MEDIUM | CVE-2025-64718 | Npm-js-yaml-4.1.0 | Vulnerable Package
    Recommended version: 4.1.1
    Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    ID: yyhw08gTHXgy03kNA0Dw7uXLoqHOCAFEKatF1cqjAOo%3D

MEDIUM | Cxbb85e86c-2fac | Npm-esbuild-0.19.12 | Vulnerable Package
    Recommended version: 0.25.0
    Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d...
    Attack Vector: NETWORK
    Attack Complexity: HIGH
    ID: 6%2FobC3mKN5IL%2BQKyAS60L8w2TeWuxUMDqJ5I0nzwxAo%3D

LOW | CVE-2025-5889 | Npm-brace-expansion-1.1.11 | Vulnerable Package
    Recommended version: 1.1.12
    Description: A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the...
    Attack Vector: NETWORK
    Attack Complexity: HIGH
    ID: Cb7NE%2FpSwWZnGDBRd%2Fx65xK022brJbpaW2wls8LxWEQ%3D

LOW | Cx8bc4df28-fcf5 | Npm-debug-4.3.4 | Vulnerable Package
    Recommended version: 4.4.0
    Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
    Attack Vector: NETWORK
    Attack Complexity: HIGH
    ID: 9yoBLDuig7mxofPdUXo0LEAEJqGKBkrLxn78wv40b0I%3D

LOW | Cx8bc4df28-fcf5 | Npm-debug-3.2.7 | Vulnerable Package
    Recommended version: 4.4.0
    Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
    Attack Vector: NETWORK
    Attack Complexity: HIGH
    ID: wJouvAN5328GKlapvByhrR3R3RQW%2FPqUwOx0hgjmmeM%3D

LOW | Cx8bc4df28-fcf5 | Npm-debug-2.6.9 | Vulnerable Package
    Recommended version: 4.4.0
    Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
    Attack Vector: NETWORK
    Attack Complexity: HIGH
    ID: Z%2FC%2FdWOsjMXvm4zbLgyOSIE9uDsUD2JrxRRslNRmbY4%3D

@sc979 sc979 force-pushed the SECU-dependency-review branch from b0b519e to a4b60e6 on December 17, 2025 17:02