VYPR

apk package

chainguard/lerna

pkg:apk/chainguard/lerna

Vulnerabilities (65)

  • CVE-2026-26996Feb 20, 2026
    affected < 9.0.4-r3fixed 9.0.4-r3

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-26960Feb 20, 2026
    affected < 9.0.4-r3fixed 9.0.4-r3

    node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t

  • CVE-2026-25639HigFeb 9, 2026
    affected < 9.0.4-r2fixed 9.0.4-r2

    Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providi

  • CVE-2026-25547CriFeb 4, 2026
    affected < 9.0.3-r3fixed 9.0.3-r3

    @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume

  • CVE-2026-24842Jan 28, 2026
    affected < 9.0.4-r1fixed 9.0.4-r1

    node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that b

  • CVE-2026-23950Jan 20, 2026
    affected < 9.0.4-r0fixed 9.0.4-r0

    node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS AP

  • CVE-2026-23745Jan 16, 2026
    affected < 9.0.4-r0fixed 9.0.4-r0

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading t

  • CVE-2025-64756Nov 17, 2025
    affected < 9.0.1-r1fixed 9.0.1-r1

    Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.

  • CVE-2025-64718Nov 13, 2025
    affected < 9.0.1-r1fixed 9.0.1-r1

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-58754Sep 12, 2025
    affected < 8.2.4-r2fixed 8.2.4-r2

    Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire

  • CVE-2025-54798Aug 7, 2025
    affected < 8.2.4-r1fixed 8.2.4-r1

    tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

  • CVE-2025-5889LowJun 9, 2025
    affected < 8.2.2-r2fixed 8.2.2-r2

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l

  • CVE-2025-27152Mar 7, 2025
    affected < 8.2.1-r1fixed 8.2.1-r1

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2025-25290MedFeb 14, 2025
    affected < 8.2.1-r0fixed 8.2.1-r0

    @octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses i

  • CVE-2025-25289MedFeb 14, 2025
    affected < 8.2.1-r0fixed 8.2.1-r0

    @octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing

  • CVE-2025-25288MedFeb 14, 2025
    affected < 8.2.1-r0fixed 8.2.1-r0

    @octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance—p

  • CVE-2024-21538HigNov 8, 2024
    affected < 8.1.9-r1fixed 8.1.9-r1

    Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted

  • CVE-2024-39338Aug 9, 2024
    affected < 8.1.8-r1fixed 8.1.8-r1

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2024-4068May 13, 2024
    affected < 8.1.4-r0fixed 8.1.4-r0

    The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program

  • CVE-2024-4067May 13, 2024
    affected < 8.1.8-r1fixed 8.1.8-r1

    The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w