Skip to content

VULN UPGRADE: minor: @opentelemetry/api, axios, express [apps/rolldice-game]#201

Draft
campaigner-prod[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/npm/rolldice-game/3-1773111298
Draft

VULN UPGRADE: minor: @opentelemetry/api, axios, express [apps/rolldice-game]#201
campaigner-prod[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/npm/rolldice-game/3-1773111298

Conversation

@campaigner-prod
Copy link
Contributor

@campaigner-prod campaigner-prod bot commented Mar 10, 2026

Summary: High-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

  • apps/rolldice-game (npm)

Updates

Package From To Type Vulnerabilities Fixed
axios 1.6.8 1.13.6 minor 8 HIGH
express 4.18.3 4.22.1 minor 2 MODERATE, 2 LOW
@opentelemetry/api 1.8.0 1.9.0 minor -

Packages marked with "-" are updated due to dependency constraints.

Security Details

🚨 Critical & High Severity (8 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
axios GHSA-8hc4-vh64-cxmj HIGH Server-Side Request Forgery in axios 1.6.8 1.7.4
axios CVE-2024-39338 HIGH - 1.6.8 -
axios GHSA-jr5f-v2jv-69x6 HIGH axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL 1.6.8 1.8.2
axios CVE-2025-27152 HIGH Possible SSRF and Credential Leakage via Absolute URL in axios Requests 1.6.8 -
axios GHSA-4hjh-wcwx-xvwj HIGH Axios is vulnerable to DoS attack through lack of data size check 1.6.8 1.12.0
axios CVE-2025-58754 HIGH Axios is vulnerable to DoS attack through lack of data size check 1.6.8 -
axios GHSA-43fc-jf86-j433 HIGH Axios is Vulnerable to Denial of Service via proto Key in mergeConfig 1.6.8 1.13.5
axios CVE-2026-25639 HIGH Axios affected by Denial of Service via proto Key in mergeConfig 1.6.8 -
ℹ️ Other Vulnerabilities (4)
Package CVE Severity Summary Unsafe Version Fixed In
express GHSA-rv95-896h-c2vc MODERATE Express.js Open Redirect in malformed URLs 4.18.3 4.19.2
express CVE-2024-29041 MODERATE Express.js Open Redirect in malformed URLs 4.18.3 -
express GHSA-qw6h-vgh9-j6wx LOW express vulnerable to XSS via response.redirect() 4.18.3 4.20.0
express CVE-2024-43796 LOW express vulnerable to XSS via response.redirect() 4.18.3 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-updates adms-npm campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants