
UID2-6844: fix npm vulnerabilities - node-forge, path-to-regexp, picomatch, flatted#185

Merged: BehnamMozafari merged 3 commits into main from bmz-UID2-6844-fix-npm-vulns, Apr 1, 2026

Conversation

@BehnamMozafari
Contributor

Summary

Fixes multiple HIGH severity npm vulnerabilities across root and all web-integration sub-packages.

Note: CVE-2026-4926 (path-to-regexp 8.x) was also fixed in the server-side sub-packages here, and was previously fixed in uid2-web-integrations (UID2-6838).

| Package | CVE(s) | Severity | Fix |
| --- | --- | --- | --- |
| node-forge | CVE-2026-33891/33894/33895/33896 | HIGH | 1.3.2 → 1.4.0 (override) |
| path-to-regexp 0.1.x | CVE-2026-4867 | HIGH | 0.1.12 → 0.1.13 (override) |
| path-to-regexp 8.x | CVE-2026-4926 | HIGH | 8.2/8.3 → 8.4.0 (direct dep bump in server-side packages) |
| picomatch | CVE-2026-33671 | HIGH | 2.3.1 → 2.3.2 (override) |
| flatted | CVE-2026-33228 | HIGH | 3.4.1 → 3.4.2 (override) |

Jira: UID2-6844

Test plan

  • CI vulnerability scan passes
  • Build passes for all sub-packages
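The fix relies on npm `overrides` rewriting transitive resolutions, which only proves out once the lockfile is regenerated; the third commit below (a nested 8.3.0 in prebid-integrations/client-server) shows how a stale pin can survive the first pass. As an added example, not code from the uid2 repository or this PR, the following Node script walks a `package-lock.json` (lockfileVersion 2 or 3 `packages` map) and flags every install path whose version sits below the fix level for the version line the table above names. The minimum versions are copied from that table; the lockfile object is constructed for the example and the nested paths in it are hypothetical.

```javascript
// Added example (not project code): audit an npm lockfile for the version
// lines this PR's overrides and dep bumps are meant to remove.
// Minimum fixed versions taken from the PR table above.
const FIXES = [
  { name: 'node-forge',     line: '1',   min: '1.4.0'  }, // CVE-2026-33891/33894/33895/33896
  { name: 'path-to-regexp', line: '0.1', min: '0.1.13' }, // CVE-2026-4867 (0.1.x line)
  { name: 'path-to-regexp', line: '8',   min: '8.4.0'  }, // CVE-2026-4926 (8.x line)
  { name: 'picomatch',      line: '2',   min: '2.3.2'  }, // CVE-2026-33671
  { name: 'flatted',        line: '3',   min: '3.4.2'  }, // CVE-2026-33228
];

// Parse "x.y.z" (optional leading "v", trailing prerelease/build ignored) into [x, y, z].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric semver comparison on major.minor.patch: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparsable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "8.3.0" is in line "8"; "0.1.12" is in line "0.1"; "10.0.0" is not in line "1".
function inLine(version, line) {
  return version === line || version.startsWith(line + '.');
}

// Lockfile keys are install paths; the package name is whatever follows the
// last "node_modules/" (so scoped names and workspace paths both work).
function packageName(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Returns one finding per install path still below the fix level for its line.
function findVulnerable(lockfile) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageName(installPath);
    if (!name || !meta || !parseVersion(meta.version)) continue;
    for (const fix of FIXES) {
      if (fix.name !== name || !inLine(meta.version, fix.line)) continue;
      if (compareVersions(meta.version, fix.min) < 0) {
        findings.push({ path: installPath, name, version: meta.version, min: fix.min });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragment for the example: a root resolution that is
// already fixed, plus nested copies that an override has not yet reached.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root', version: '0.0.0' },
    'node_modules/node-forge': { version: '1.3.2' },
    'node_modules/path-to-regexp': { version: '8.4.0' },
    'node_modules/express': { version: '4.21.2' },
    'node_modules/express/node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/picomatch': { version: '2.3.2' },
    'node_modules/flatted': { version: '3.4.1' },
    // hypothetical workspace path, modelled on the third commit's description
    'prebid-integrations/client-server/node_modules/path-to-regexp': { version: '8.3.0' },
  },
};

function report(lockfile) {
  return findVulnerable(lockfile)
    .map(f => `${f.path}: ${f.name}@${f.version} < ${f.min}`);
}

// Run stand-alone: `node audit-lock.js [path/to/package-lock.json]`.
// Without an argument the constructed sample is used.
if (typeof process !== 'undefined' && process.argv && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const lines = report(lock);
  console.log(lines.length ? lines.join('\n') : 'no vulnerable versions found');
  process.exitCode = lines.length ? 1 : 0;
} else {
  console.log(report(SAMPLE_LOCK).join('\n'));
}
```

Run it against each sub-package's lockfile after `npm install` regenerates them; a non-empty report means an override did not reach that install path (typically a nested copy under another dependency, as in the sample), which is the case the third commit handles by adding a package-level override.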

BehnamMozafari and others added 3 commits March 31, 2026 17:29
Adds/updates overrides and direct deps across root and all web-integration sub-packages:
- node-forge → 1.4.0 (CVE-2026-33891/33894/33895/33896, HIGH)
- path-to-regexp 0.1.x → 0.1.13 (CVE-2026-4867, HIGH)
- path-to-regexp 8.x → 8.4.0 (CVE-2026-4926, HIGH) in server-side sub-packages
- picomatch → 2.3.2 (CVE-2026-33671, HIGH)
- flatted → 3.4.2 (CVE-2026-33228, HIGH)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…solution

aquasecurity/trivy-action@0.14.0 is no longer resolvable; shared-actions v3
uses the updated trivy action (v0.35.0).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
prebid-integrations/client-server had path-to-regexp 8.3.0 as a transitive
dep; add override to force ^8.4.0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
BehnamMozafari merged commit 046d1df into main Apr 1, 2026
2 checks passed
BehnamMozafari deleted the bmz-UID2-6844-fix-npm-vulns branch April 1, 2026 01:00