
[nightshift] dependency-risk: 13 vulnerabilities found (7 high severity) #14

@nightshift-micr


Dependency Risk Report: opencode-studio

Project: opencode-studio v1.17.0
Scanned: 3 package.json files (root, client-next/, server/)


Executive Summary

| Area | Root | client-next | server | Total |
|---|---|---|---|---|
| Vulnerabilities | 1 high | 10 (5 high, 5 moderate) | 2 (1 high, 1 low) | 13 |
| Outdated packages | 1 | 4+ | 0 | ~5 |
| Fix available | | | | |

Overall risk level: MEDIUM-HIGH — Multiple high-severity CVEs in direct dependencies (axios, next), all fixable with dependency updates.


P0 — Critical/High Severity Vulnerabilities

1. next 16.1.1 — 8 CVEs (HIGH) [client-next, direct]

  • HTTP request deserialization → DoS (CVSS 7.5)
  • HTTP request smuggling in rewrites
  • DoS via Image Optimizer remotePatterns
  • Unbounded postponed resume buffering → DoS
  • Null origin bypasses Server Actions CSRF
  • Fix: Upgrade to next@16.2.4

2. axios ^1.13.2 — 3 CVEs (HIGH) [client-next, direct]

  • DoS via __proto__ key in mergeConfig (CVSS 7.5)
  • NO_PROXY hostname normalization bypass → SSRF
  • Cloud metadata exfiltration via header injection chain
  • Fix: Upgrade to axios@^1.15.0

3. path-to-regexp 8.0.0–8.3.0 — 2 CVEs (HIGH) [server, transitive via express]

  • DoS via sequential optional groups
  • ReDoS via multiple wildcards
  • Fix: Upgrade express to get path-to-regexp@>=8.4.0

4. lodash <=4.17.23 — 2 CVEs (HIGH) [root, transitive]

  • Code injection via _.template imports (CVSS 8.1)
  • Prototype pollution via array path bypass (CVSS 6.5)
  • Fix: npm audit fix at root level

5. flatted <=3.4.1 — 2 CVEs (HIGH) [client-next, transitive]

  • Unbounded recursion DoS in parse()
  • Prototype pollution via parse()
  • Fix: npm audit fix in client-next

6. minimatch — 6 ReDoS CVEs (HIGH) [client-next, transitive]

7. picomatch — 4 CVEs (HIGH) [client-next, transitive]


P1 — Moderate Severity Vulnerabilities

| Package | CVEs | Location | Fix |
|---|---|---|---|
| dompurify <=3.3.3 | 5 XSS/bypass CVEs | client-next (transitive) | npm audit fix |
| brace-expansion | DoS via zero-step sequences | client-next (transitive) | npm audit fix |
| follow-redirects <=1.15.11 | Auth header leak | client-next (transitive) | npm audit fix |
| ajv <6.14.0 | ReDoS with $data option | client-next (transitive) | npm audit fix |

P2 — Maintenance & Version Risks

| Package | Installed | Latest | Location |
|---|---|---|---|
| concurrently | 8.2.2 | 9.2.1 | root |
| next | 16.1.1 | 16.2.4 | client-next |
| pixelarticons | ^1.8.1 | 2.1.0 | client-next |
| axios | ^1.13.2 | 1.15.0 | client-next |

Potentially Unused Dependencies

  • html-to-image — no imports found in source
  • pixelarticons — no imports found in source
  • Recommendation: Verify and remove if unused

P3 — Minor Concerns

  • obelisk.js — Last npm publish 2018, appears unmaintained
  • @nsmr/pixelart-react — Small/niche package, risk of abandonment
  • No internal/private scoped packages (no dependency confusion risk)
  • No license risks identified

Recommended Actions

| Priority | Action |
|---|---|
| P0 | cd client-next && npm audit fix && npm install next@16.2.4 |
| P0 | cd client-next && npm install axios@latest |
| P0 | cd server && npm audit fix |
| P0 | npm audit fix (root) |
| P1 | Remove unused deps (html-to-image, pixelarticons) |
| P2 | Upgrade concurrently, pin tailwindcss minor version |

Auto-generated by Nightshift v3 (GLM 5.1)
