fix(deps): vuln minor upgrades — 15 packages (minor: 4 · patch: 11) #52

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/npm/0-1781555553

Conversation

@gh-worker-campaigns-3e9aa4


Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| form-data | 3.0.1 | 3.0.5 | patch | Transitive | 2 CRITICAL, 1 HIGH |
| @babel/traverse | 7.18.11 | 7.29.7 | minor | Transitive | 2 CRITICAL |
| protobufjs | 7.2.6 | 7.6.4 | minor | Direct | 1 CRITICAL, 5 HIGH, 5 MEDIUM |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| flatted | 3.2.6 | 3.4.2 | minor | Transitive | 4 HIGH |
| ws | 7.5.9 | 7.5.11 | patch | Transitive | 3 HIGH |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| braces | 3.0.2 | 3.0.3 | patch | Transitive | 2 HIGH |
| cross-spawn | 6.0.5 | 6.0.6 | patch | Transitive | 2 HIGH |
| decode-uri-component | 0.2.0 | 0.2.2 | patch | Transitive | 2 HIGH |
| json5 | 2.2.1 | 2.2.3 | patch | Transitive | 2 HIGH |
| semver | 5.7.1 | 5.7.2 | patch | Transitive | 2 HIGH |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| js-yaml | 3.14.1 | 3.14.2 | patch | Transitive | 3 MEDIUM |
| brace-expansion | 1.1.11 | 1.1.15 | patch | Transitive | 2 MEDIUM, 2 LOW |

Security Details

🚨 Critical & High Severity (37 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| @babel/traverse | CVE-2023-45133 | CRITICAL | Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code | 7.18.11 | - |
| @babel/traverse | GHSA-67hx-6x53-jw92 | CRITICAL | Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code | 7.18.11 | 7.23.2 |
| form-data | CVE-2025-7783 | CRITICAL | - | 3.0.1 | - |
| form-data | GHSA-fjxv-7rqg-78g4 | CRITICAL | form-data uses unsafe random function in form-data for choosing boundary | 3.0.1 | 2.5.4 |
| protobufjs | GHSA-xq3m-2v4x-88gg | CRITICAL | Arbitrary code execution in protobufjs | 7.2.6 | 8.0.1 |
| braces | CVE-2024-4068 | HIGH | - | 3.0.2 | - |
| braces | GHSA-grv7-fg5c-xmjg | HIGH | Uncontrolled resource consumption in braces | 3.0.2 | 3.0.3 |
| cross-spawn | GHSA-3xgq-45jj-v275 | HIGH | Regular Expression Denial of Service (ReDoS) in cross-spawn | 6.0.5 | 7.0.5 |
| cross-spawn | CVE-2024-21538 | HIGH | - | 6.0.5 | - |
| decode-uri-component | GHSA-w573-4hg7-7wgq | HIGH | decode-uri-component vulnerable to Denial of Service (DoS) | 0.2.0 | 0.2.1 |
| decode-uri-component | CVE-2022-38900 | HIGH | - | 0.2.0 | - |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.2.6 | 3.4.2 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.2.6 | - |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.2.6 | - |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.2.6 | 3.4.0 |
| form-data | GHSA-hmw2-7cc7-3qxx | HIGH | form-data: CRLF injection in form-data via unescaped multipart field names and filenames | 3.0.1 | 2.5.6 |
| json5 | GHSA-9c47-m6qq-7p4h | HIGH | Prototype Pollution in JSON5 via Parse Method | 2.2.1 | 2.2.2 |
| json5 | CVE-2022-46175 | HIGH | - | 2.2.1 | - |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| protobufjs | GHSA-75px-5xx7-5xc7 | HIGH | protobuf.js: Code generation gadget after prototype pollution | 7.2.6 | 7.5.6 |
| protobufjs | GHSA-jvwf-75h9-cwgg | HIGH | protobuf.js: Process-wide denial of service through unsafe option paths | 7.2.6 | 7.5.6 |
| protobufjs | GHSA-wcpc-wj8m-hjx6 | HIGH | protobufjs: Denial of service through unbounded Any expansion during JSON conversion | 7.2.6 | 7.6.1 |
| protobufjs | GHSA-66ff-xgx4-vchm | HIGH | protobuf.js: Code injection through bytes field defaults in generated toObject code | 7.2.6 | 7.5.6 |
| protobufjs | GHSA-685m-2w69-288q | HIGH | protobuf.js: Denial of service through unbounded protobuf recursion | 7.2.6 | 7.5.6 |
| semver | CVE-2022-25883 | HIGH | - | 5.7.1 | - |
| semver | GHSA-c2qf-rxjj-qqgw | HIGH | semver vulnerable to Regular Expression Denial of Service | 5.7.1 | 7.5.2 |
| ws | GHSA-96hv-2xvq-fx4p | HIGH | ws: Memory exhaustion DoS from tiny fragments and data chunks | 7.5.9 | 5.2.5 |
| ws | CVE-2024-37890 | HIGH | Denial of service when handling a request with many HTTP headers in ws | 7.5.9 | - |
| ws | GHSA-3h5v-q93c-6h6q | HIGH | ws affected by a DoS when handling a request with many HTTP headers | 7.5.9 | 5.2.4 |

ℹ️ Other Vulnerabilities (17)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | - |
| js-yaml | GHSA-mh29-5h37-fv8m | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | 4.1.1 |
| js-yaml | GHSA-h67p-54hq-rp68 | MODERATE | JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases | 3.14.1 | 4.2.0 |
| js-yaml | CVE-2025-64718 | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | - |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| protobufjs | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 7.2.6 | 7.5.6 |
| protobufjs | GHSA-f38q-mgvj-vph7 | MODERATE | protobufjs: Schema-derived names can shadow runtime-significant properties | 7.2.6 | 7.6.3 |
| protobufjs | GHSA-jggg-4jg4-v7c6 | MODERATE | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | 7.2.6 | 7.5.8 |
| protobufjs | GHSA-2pr8-phx7-x9h3 | MODERATE | protobuf.js: Denial of service from crafted field names in generated code | 7.2.6 | 7.5.6 |
| protobufjs | GHSA-fx83-v9x8-x52w | MODERATE | protobuf.js: Prototype injection in generated message constructors | 7.2.6 | 7.5.6 |
| brace-expansion | CVE-2025-5889 | LOW | - | 1.1.11 | - |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 1.1.11 | 2.0.2 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System
