chore(deps)(deps): bump the web-dependencies group across 1 directory with 17 updates #38

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/web/web-dependencies-ac23363b48

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Bumps the web-dependencies group with 14 updates in the /web directory:

| Package | From | To |
| --- | --- | --- |
| i18next-browser-languagedetector | 8.2.0 | 8.2.1 |
| livekit-client | 2.16.0 | 2.18.0 |
| maplibre-gl | 5.14.0 | 5.21.1 |
| web-vitals | 5.1.0 | 5.2.0 |
| zustand | 5.0.9 | 5.0.12 |
| @playwright/test | 1.58.0 | 1.58.2 |
| @testing-library/react | 16.3.0 | 16.3.2 |
| @types/maplibre-gl | 1.13.2 | 1.14.0 |
| @vitest/coverage-v8 | 4.0.18 | 4.1.2 |
| autoprefixer | 10.4.22 | 10.4.27 |
| eslint-plugin-react-refresh | 0.4.24 | 0.5.2 |
| msw | 2.12.7 | 2.12.14 |
| postcss | 8.5.6 | 8.5.8 |
| typescript-eslint | 8.49.0 | 8.57.2 |

Updates i18next-browser-languagedetector from 8.2.0 to 8.2.1

Changelog

Sourced from i18next-browser-languagedetector's changelog.

8.2.1

  • Add missing typescript definition for hash options 33154
Commits

Updates livekit-client from 2.16.0 to 2.18.0

Release notes

Sourced from livekit-client's releases.

v2.18.0

Minor Changes

Patch Changes

v2.17.3

Patch Changes

  • Update happy-dom dependency version - #1821 (@​renovate)

  • e2ee: ensure current key index isn't unintentionally updated - #1830 (@​lukasIO)

  • Prevent unmute -> mute -> unmute cycle for track restarts that happen during unmute - #1793 (@​mfairley)

  • Use controller.error to signal unexpected errors mid data stream - #1834 (@​lukasIO)

  • Signal leave on failed connection attempts if signalling is connected - #1817 (@​lukasIO)

  • Vendored ts-debounce and added critical timers to debounce function - #1800 (@​mfairley)

  • Ensure cryptor setup respects async queue in worker - #1833 (@​lukasIO)

  • Adds new OutgoingDataTrackManager to manage sending data track payloads - #1810 (@​1egoman)

v2.17.2

Patch Changes

  • Ensure connection state mismatches aren't triggered for ongoing PC connection attempts - #1807 (@​lukasIO)

  • Fix unnecessary track restarts on unmute when using ideal device constraints - #1794 (@​mfairley)

  • Prevent ongoing renegotiations from declaring the negotiation as timed out - #1813 (@​lukasIO)

  • Add data track packetizer and depacketizer implementations - #1798 (@​1egoman)

  • Add missing type exports required by @livekit/components-core - #1815 (@​1egoman)

v2.17.1

Patch Changes

... (truncated)

Commits

Updates maplibre-gl from 5.14.0 to 5.21.1

Release notes

Sourced from maplibre-gl's releases.

v5.21.1

🐞 Bug fixes

  • Add missing promoteId parameter to geojson worker and refactor communication object (#7320) (by @​HarelM)

v5.21.0

✨ Features and improvements

  • Add compatibility for ES2020 (#7283) (by @​claudiobgit)
  • Add referrerPolicy option to RequestParameters to allow controlling the referrer policy for tile requests (#7278) (by @​Bingtagui404)
  • Wait for the GPU to finish its callstack for rendering benchmarks (#7285) (by @​xavierjs)
  • Remove Edge 18 WebP detection workaround; always send Accept: image/webp header for image requests (#7293) (by @​johanrd)
  • Remove legacy browser compatibility code targeting IE11 and pre-2016 browsers (#7294) (by @​johanrd)
  • Remove legacy DOM.remove() and DOM.mouseButton() wrappers; use native APIs directly (baseline 2015) (#7295) (by @​johanrd)
  • Make setTransformRequest accept an async function in addition to a sync function. (#7184) (by @​kikuomax)

🐞 Bug fixes

  • Fix incorrect popup location in case of terrain and jumpTo (#7267) (by @​HarelM)
  • Fix memory leak in VideoSource: remove playing event listener and pause video on source removal (#7279) (by @​johanrd)
  • Fix memory leak where typed array views retained StructArray buffers after GPU upload, preventing garbage collection (#7280) (by @​johanrd)
  • Fix raster DEM tiles getting stuck in "reloading" state (#7284) (by @​katemihalikova)
  • Fix GeolocateControl leaking a movestart listener on the map after removal, which could also crash if the control was in active tracking state when removed (#7286) (by @​johanrd)
  • Cap tile texture reuse pool to prevent unbounded VRAM growth during rapid zoom/pan (#7289) (by @​johanrd)
  • Fix Marker click listener not removed on remove(), leaking the handler added in #7028 (#7287) (by @​johanrd)
  • Fix Terrain GPU resource leak: free FBO, textures, and meshes when terrain is disabled via setTerrain(null) (#7288) (by @​johanrd)
  • Fix guard against partial layout in PauseablePlacement (#7079) (by @​garethbowker)
  • Fix missing tile encoding for MLT queryRenderedFeatures (#7056) (by @​dannote and @​ted-piotrowski)
  • Fix 3D Tiles example (#7275) (by @​hh-hang)

v5.20.2

🐞 Bug fixes

  • Fix update GeoJSON when using diff update by updating geojson-vt package (#7257) (by @​HarelM)

v5.20.1

🐞 Bug fixes

  • Fix cannot read properties of undefined (reading 'range') by updating geojson-vt package (#7245) (by @​HarelM)
  • Fix a bug where raster-resampling: nearest was not applied as expected (#7247) (by @​yano-h)

v5.20.0

✨ Features and improvements

... (truncated)

Commits
  • 1fe69fd Bump js version to 5.21.1 (#7325)
  • 1bf28ae Add missing promoteId parameter to geojson worker (#7320)
  • 1557f52 chore(deps-dev): bump canvas from 3.2.1 to 3.2.2 (#7324)
  • 73db19a chore(deps-dev): bump @​vitest/eslint-plugin in the vitest group (#7321)
  • 9eeb0fd chore(deps-dev): bump rollup from 4.59.1 to 4.60.0 (#7322)
  • a5a63bc chore(deps-dev): bump rollup from 4.59.0 to 4.59.1 (#7316)
  • a54d7a1 chore(deps): bump github/codeql-action from 4.33.0 to 4.34.1 (#7317)
  • a4c8bc8 chore(deps): bump ggilder/codecoverage from 1.3.0 to 1.3.1 (#7318)
  • a8cf500 chore(deps-dev): bump devtools-protocol from 0.0.1596832 to 0.0.1602427 (#7312)
  • 65766d2 chore(deps-dev): bump puppeteer from 24.39.1 to 24.40.0 (#7313)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for maplibre-gl since your current version.


Updates web-vitals from 5.1.0 to 5.2.0

Changelog

Sourced from web-vitals's changelog.

v5.2.0 (2026-03-25)

  • Replace filter()[0] with find() for better performance (#658)
  • Use queueMicrotask for microtask scheduling (#660)
  • Simplify the event and LoAF entry clean up logic (#662)
  • Remove obsolete FID polyfill types (#675)
  • Use LargestContentfulPaint.id as fallback when element is removed from DOM (#676)
  • Fix bug for onLCP when attached late (#697)
  • Handle initially hidden pages and onLCP registered on visibility change (#698)
  • Ensure we clear idle callbacks in whenIdleOrHidden (#707)
  • Limit pending events to conserve memory (#710)
  • Add includeProcessedEventEntries option (#714)
  • Reduce bundle size by refactoring (#713)
Commits
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates zustand from 5.0.9 to 5.0.12

Release notes

Sourced from zustand's releases.

v5.0.12

Two small fixes.

What's Changed

New Contributors

Full Changelog: pmndrs/zustand@v5.0.11...v5.0.12

v5.0.11

This release includes small improvements in middleware thanks to contributors.

What's Changed

New Contributors

Full Changelog: pmndrs/zustand@v5.0.10...v5.0.11

v5.0.10

This version includes a fix to the persist middleware for an edge case.

What's Changed

New Contributors

... (truncated)

Commits

Updates @playwright/test from 1.58.0 to 1.58.2

Release notes

Sourced from @​playwright/test's releases.

v1.58.2

Highlights

  • #39121 fix(trace viewer): make paths via stdin work
  • #39129 fix: do not force swiftshader on chromium mac

Browser Versions

  • Chromium 145.0.7632.6
  • Mozilla Firefox 146.0.1
  • WebKit 26.0

v1.58.1

Highlights

  • #39036 fix(msedge): fix local network permissions
  • #39037 chore: update cft download location
  • #38995 chore(webkit): disable frame sessions on frozen builds

Browser Versions

  • Chromium 145.0.7632.6
  • Mozilla Firefox 146.0.1
  • WebKit 26.0
Commits

Updates @testing-library/react from 16.3.0 to 16.3.2

Release notes

Sourced from @​testing-library/react's releases.

v16.3.2

16.3.2 (2026-01-19)

Bug Fixes

  • Update 'onCaughtError' type inference in 'RenderOptions' to work with React v19 (#1438) (f32bd1b)

v16.3.1

16.3.1 (2025-12-15)

Bug Fixes

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​testing-library/react since your current version.


Updates @types/maplibre-gl from 1.13.2 to 1.14.0

Commits

Updates @vitest/coverage-v8 from 4.0.18 to 4.1.2

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

   🐞 Bug Fixes

v4.1.1

   🚀 Features

   🐞 Bug Fixes

… with 17 updates

Bumps the web-dependencies group with 14 updates in the /web directory:

| Package | From | To |
| --- | --- | --- |
| [i18next-browser-languagedetector](https://github.com/i18next/i18next-browser-languageDetector) | `8.2.0` | `8.2.1` |
| [livekit-client](https://github.com/livekit/client-sdk-js) | `2.16.0` | `2.18.0` |
| [maplibre-gl](https://github.com/maplibre/maplibre-gl-js) | `5.14.0` | `5.21.1` |
| [web-vitals](https://github.com/GoogleChrome/web-vitals) | `5.1.0` | `5.2.0` |
| [zustand](https://github.com/pmndrs/zustand) | `5.0.9` | `5.0.12` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.58.0` | `1.58.2` |
| [@testing-library/react](https://github.com/testing-library/react-testing-library) | `16.3.0` | `16.3.2` |
| [@types/maplibre-gl](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/maplibre-gl) | `1.13.2` | `1.14.0` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [autoprefixer](https://github.com/postcss/autoprefixer) | `10.4.22` | `10.4.27` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.24` | `0.5.2` |
| [msw](https://github.com/mswjs/msw) | `2.12.7` | `2.12.14` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.49.0` | `8.57.2` |



Updates `i18next-browser-languagedetector` from 8.2.0 to 8.2.1
- [Changelog](https://github.com/i18next/i18next-browser-languageDetector/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-browser-languageDetector@v8.2.0...v8.2.1)

Updates `livekit-client` from 2.16.0 to 2.18.0
- [Release notes](https://github.com/livekit/client-sdk-js/releases)
- [Changelog](https://github.com/livekit/client-sdk-js/blob/main/CHANGELOG.md)
- [Commits](livekit/client-sdk-js@v2.16.0...v2.18.0)

Updates `maplibre-gl` from 5.14.0 to 5.21.1
- [Release notes](https://github.com/maplibre/maplibre-gl-js/releases)
- [Changelog](https://github.com/maplibre/maplibre-gl-js/blob/main/CHANGELOG.md)
- [Commits](maplibre/maplibre-gl-js@v5.14.0...v5.21.1)

Updates `web-vitals` from 5.1.0 to 5.2.0
- [Changelog](https://github.com/GoogleChrome/web-vitals/blob/main/CHANGELOG.md)
- [Commits](GoogleChrome/web-vitals@v5.1.0...v5.2.0)

Updates `zustand` from 5.0.9 to 5.0.12
- [Release notes](https://github.com/pmndrs/zustand/releases)
- [Commits](pmndrs/zustand@v5.0.9...v5.0.12)

Updates `@playwright/test` from 1.58.0 to 1.58.2
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.58.0...v1.58.2)

Updates `@testing-library/react` from 16.3.0 to 16.3.2
- [Release notes](https://github.com/testing-library/react-testing-library/releases)
- [Changelog](https://github.com/testing-library/react-testing-library/blob/main/CHANGELOG.md)
- [Commits](testing-library/react-testing-library@v16.3.0...v16.3.2)

Updates `@types/maplibre-gl` from 1.13.2 to 1.14.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/maplibre-gl)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `@vitest/ui` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/ui)

Updates `autoprefixer` from 10.4.22 to 10.4.27
- [Release notes](https://github.com/postcss/autoprefixer/releases)
- [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md)
- [Commits](postcss/autoprefixer@10.4.22...10.4.27)

Updates `eslint-plugin-react-refresh` from 0.4.24 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](ArnaudBarre/eslint-plugin-react-refresh@v0.4.24...v0.5.2)

Updates `msw` from 2.12.7 to 2.12.14
- [Release notes](https://github.com/mswjs/msw/releases)
- [Changelog](https://github.com/mswjs/msw/blob/main/CHANGELOG.md)
- [Commits](mswjs/msw@v2.12.7...v2.12.14)

Updates `playwright` from 1.58.0 to 1.58.2
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.58.0...v1.58.2)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.8)

Updates `typescript-eslint` from 8.49.0 to 8.57.2
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.57.2/packages/typescript-eslint)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: i18next-browser-languagedetector
  dependency-version: 8.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: livekit-client
  dependency-version: 2.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: maplibre-gl
  dependency-version: 5.21.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: web-vitals
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: zustand
  dependency-version: 5.0.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: "@playwright/test"
  dependency-version: 1.58.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: "@testing-library/react"
  dependency-version: 16.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: "@types/maplibre-gl"
  dependency-version: 1.14.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: "@vitest/ui"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: autoprefixer
  dependency-version: 10.4.27
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: eslint-plugin-react-refresh
  dependency-version: 0.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: msw
  dependency-version: 2.12.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: playwright
  dependency-version: 1.58.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: web-dependencies
- dependency-name: typescript-eslint
  dependency-version: 8.57.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: web-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies label Mar 30, 2026

dependabot Bot commented on behalf of github Mar 30, 2026

Labels

The following labels could not be found: frontend, npm, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

NPM Vulnerability Scan Results - e2e

| Severity | Count |
| --- | --- |
| Critical | 0 |
| High | 1 |
| Moderate | 0 |
| Low | 1 |
| Total | 2 |
# npm audit report

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

2 vulnerabilities (1 low, 1 high)

To address all issues, run:
  npm audit fix

@github-actions

NPM Vulnerability Scan Results - web

| Severity | Count |
| --- | --- |
| Critical | 0 |
| High | 3 |
| Moderate | 2 |
| Low | 0 |
| Total | 5 |
# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <1.1.13
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/minimatch

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/rollup-plugin-visualizer/node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch
node_modules/vitest/node_modules/picomatch

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

5 vulnerabilities (2 moderate, 3 high)

To address all issues, run:
  npm audit fix

@github-actions

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

| Severity | Count |
| --- | --- |
| Critical | 0 |
| High | 0 |
| Medium | 3 |
| Low | 3 |
| Total | 6 |

Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.19.9) │ alpine │        6        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.19.9)
======================================
Total: 6 (LOW: 3, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2024-58251 │ MEDIUM   │ fixed  │ 1.36.1-r20        │ 1.36.1-r21    │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2024-58251 │ MEDIUM   │        │                   │               │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2024-58251 │ MEDIUM   │        │                   │               │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                   │               │ of networ...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                   │               │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                   │               │ filenames...                                                 │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@github-actions

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

| Severity | Count |
| --- | --- |
| Critical | 1 |
| High | 2 |
| Medium | 1 |
| Low | 1 |
| Total | 5 |

Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.13) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │        5        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


app/indexer (gobinary)
======================
Total: 5 (LOW: 1, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk │ CVE-2026-24051 │ HIGH     │ fixed  │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution │
│                              │                │          │        │                   │                │ via PATH Hijacking                                          │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                  │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3         │ gRPC-Go has an authorization bypass via missing leading     │
│                              │                │          │        │                   │                │ slash in :path                                              │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-33186                  │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│                              ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27142 │ MEDIUM   │        │                   │                │ html/template: URLs in meta content attribute actions are   │
│                              │                │          │        │                   │                │ not escaped in html/template...                             │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│                              ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│                              │ CVE-2026-27139 │ LOW      │        │                   │                │ os: FileInfo can escape from a Root in golang os module     │
│                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

@dependabot @github

dependabot Bot commented on behalf of github Apr 6, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 6, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/web/web-dependencies-ac23363b48 branch April 6, 2026 09:43