Nx
Latest CI Pipeline Executions
Succeeded
22.7.6
7eccccd8 fix(misc): bump happy-dom, tmp, and form-data to patched versions (#36013)

New workspaces / `nx@23.0.0` ship dependencies with published security advisories:

- `happy-dom@~9.20.3` (when the happy-dom test environment is selected) - two **critical** RCE advisories: [GHSA-37j7-fg3j-429f](https://github.com/advisories/GHSA-37j7-fg3j-429f) (VM context escape) and [GHSA-96g7-g7g9-jxw8](https://github.com/advisories/GHSA-96g7-g7g9-jxw8) (server-side code execution via `<script>`).
- `tmp@0.2.6` - **high**, [GHSA-7c78-jf6q-g5cm](https://github.com/advisories/GHSA-7c78-jf6q-g5cm) (path traversal).
- `form-data@4.0.5` (transitive via `axios`) - **high**, [GHSA-hmw2-7cc7-3qxx](https://github.com/advisories/GHSA-hmw2-7cc7-3qxx) (CRLF injection).

`tmp` and `form-data` reach generated workspaces because `expand-deps` pins nx's transitive deps from the monorepo lockfile at publish time.

- `happyDomVersion` bumped `~9.20.3` -> `^20.10.4` in `packages/vitest/src/utils/versions.ts` (caret matches sibling `jsdomVersion` so it stays patched within the major).
- `tmp` forced to `~0.2.7` and `form-data` to `^4.0.6` via catalog + overrides; lockfile re-resolved so the next release pins the patched versions.

`pnpm audit` reports 0 critical repo-wide; `tmp` and `form-data` are CLEAN.

N/A

---

[View session information ↗](https://snapshot.app.trypolygraph.com/orgs/69cdc268b6aa527e4129c2b4/sessions/rapid-panther-825e4172)
by Jack Hsu