🟡 Medium Security Finding
Scanner: Trivy
Rule: CVE-2026-30226
Severity: MEDIUM
File: pnpm-lock.yaml:1
Description
Package: devalue
Installed Version: 5.6.3
Vulnerability CVE-2026-30226
Severity: MEDIUM
Fixed Version: 5.6.4
Link: CVE-2026-30226
Remediation Guidance
Vulnerability CVE-2026-30226
Severity: MEDIUM
Package: devalue
Fixed Version: 5.6.4
Link: CVE-2026-30226
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
References
This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.
🟡 Medium Security Finding
Scanner: Trivy
Rule:
CVE-2026-30226Severity: MEDIUM
File:
pnpm-lock.yaml:1Description
Package: devalue
Installed Version: 5.6.3
Vulnerability CVE-2026-30226
Severity: MEDIUM
Fixed Version: 5.6.4
Link: CVE-2026-30226
Remediation Guidance
Vulnerability CVE-2026-30226
Severity: MEDIUM
Package: devalue
Fixed Version: 5.6.4
Link: CVE-2026-30226
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
References
This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.