Summary
`npm audit` reports 15 HIGH-severity vulnerabilities in transitive dependencies not covered by #221 (Fastify body bypass) or #227 (moderate vulnerabilities). These require major-version bumps in upstream packages.
Vulnerabilities
| Package | Count | Severity | Issues |
|---|---|---|---|
| flatted | 2 | HIGH | Unbounded recursion DoS in `parse()` revive phase; prototype pollution via `parse()` |
| lodash | 3 | HIGH | Prototype pollution via `_.unset`/`_.omit`; code injection via `_.template` |
| minimatch | 4 | HIGH | Multiple ReDoS vulnerabilities in glob pattern matching |
| picomatch | 2 | HIGH | Method injection in POSIX character classes; ReDoS via extglob patterns |
| glob | 1 | HIGH | CLI command injection via `-c`/`--cmd` with `shell:true` |
Steps to fix
```sh
cd intercom-manager
npm audit --json | jq '.vulnerabilities | keys[]'
npm audit fix --force   # review breaking changes carefully
npm test && npm run typecheck
```
For packages that `npm audit fix` can't resolve on its own, check whether the parent dependency has a newer version that pulls in the patched transitive deps.
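To make that last step less manual, here is an added triage script (not part of this issue or the intercom-manager code base) that reads the `npm audit --json` report and separates findings that `npm audit fix` resolves in place from those that need a parent package bumped across a major version or fixed by hand. It uses npm's `fixAvailable` and `effects` fields; the embedded sample report is constructed, and `example-parent`, `example-tool` and the version numbers in it are placeholders.

```javascript
// Added example, not from the issue: triage an `npm audit --json` report
// (auditReportVersion 2) so HIGH findings that need a major-version bump of a
// parent package stand apart from those `npm audit fix` resolves in place.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

function triageAudit(report, minSeverity = "high") {
  const rows = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < SEVERITY_RANK[minSeverity]) continue;
    const fix = v.fixAvailable; // false | true | { name, version, isSemVerMajor }
    rows.push({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // `via` mixes advisory objects (this package) with bare names (inherited)
      titles: (v.via || []).filter(x => typeof x === "object").map(x => x.title),
      parents: v.effects || [], // packages that depend on this one
      action: !fix ? "manual"          // no published fix: pin, patch or replace
        : fix === true ? "auto"        // `npm audit fix` handles it
        : `bump ${fix.name}@${fix.version}${fix.isSemVerMajor ? " (major)" : ""}`,
    });
  }
  return rows.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]
                          || a.name.localeCompare(b.name));
}

// Constructed sample in the shape npm emits; package names are from the issue,
// while "example-parent", "example-tool" and the versions are placeholders.
const SAMPLE = { auditReportVersion: 2, vulnerabilities: {
  flatted: { name: "flatted", severity: "high", isDirect: false, effects: ["example-parent"],
    via: [{ name: "flatted", title: "Prototype pollution via parse()", severity: "high" }],
    fixAvailable: { name: "example-parent", version: "2.0.0", isSemVerMajor: true } },
  lodash: { name: "lodash", severity: "high", isDirect: true, effects: [], fixAvailable: true,
    via: [{ name: "lodash", title: "Code injection via _.template", severity: "high" }] },
  glob: { name: "glob", severity: "high", isDirect: false, effects: ["example-tool"], fixAvailable: false,
    via: [{ name: "glob", title: "CLI command injection via -c/--cmd", severity: "high" }] },
} };

function main() {
  const report = process.argv.includes("--stdin")
    ? JSON.parse(require("fs").readFileSync(0, "utf8")) : SAMPLE;
  for (const r of triageAudit(report)) {
    const via = r.direct ? "" : ` (transitive, via ${r.parents.join(", ")})`;
    console.log(`${r.severity.toUpperCase()} ${r.name}${via}: ${r.action}`);
  }
}
if (typeof require !== "undefined" && require.main === module) main();
```

Run it as `npm audit --json | node triage.js --stdin`; without `--stdin` it prints the triage of the embedded sample.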
Priority: HIGH (P1)
Related: #221 (Fastify body bypass), #227 (moderate vulns)