js bulletins.
ESLint 10.5.0 Released
ESLint version 10.5.0 is now available. This is an AST-based pattern checker for JavaScript.
tailwindcss 4.3.1 released
Release of tailwindcss version 4.
@langchain/langgraph-checkpoint-mongodb NoSQL injection vulnerability fixed in 1.3.1
A NoSQL injection vulnerability in MongoDBSaver where checkpoint identifier fields from config.
Budibase executeQuery SSRF via automation step queryId
The executeQuery automation step accepts a queryId from inputs and passes it to the query execution controller without validation,
@budibase/backend-core CSRF bypass via unanchored route regex
The buildMatcherRegex() and matches() functions in packages/backend-core/src/middleware/matchers.
esbuild dev server path traversal on Windows
The esbuild development server on Windows has a path traversal vulnerability.
Fabric.js XSS via Gradient ColorStops in toSVG()
A Cross-Site Scripting (XSS) vulnerability was discovered in Fabric.
@budibase/server: OAuth2 token fetch and REST integration lack SSRF protection
OAuth2 token fetch in packages/server/src/sdk/workspace/oauth2/utils.
@budibase/server: Unauthenticated webhook schema update vulnerability
The webhook schema-building endpoint at POST /api/webhooks/schema/:instance/:id is incorrectly bypassed by authorization middlewar
esbuild Deno module lacks binary integrity verification
The esbuild Deno module (lib/deno/mod.
@hapi/wreck: credential stripping now uses full-origin comparison
Wreck now compares scheme, host, and port (full origin) instead of hostname only when deciding to strip credential headers before
joi: Denial of service via untrapped exception in recursive link schemas
Denial of service via untrapped exception in services validating user-supplied JSON/object input with recursive link schemas.
@hapi/inert Path Traversal via Confinement Check
A path traversal vulnerability in @hapi/inert's confinement check allows reading files from sibling directories whose names share
@element-hq/element-call-embedded: analytics leak of URL fragments (CVE-like)
Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, including full URLs with fragments (e.g., e
@openzeppelin/wizard: Code injection in generated test files via unescaped strings
The OpenZeppelin Contracts Wizard generated example test files that interpolated user-supplied strings without escaping, allowing
@grpc/grpc-js crash on invalid compressed message
An invalid incoming compressed message can cause a crash in @grpc/grpc-js clients and servers.
@grpc/grpc-js: Invalid HTTP/2 stream initiation causes server crash
An invalid incoming HTTP/2 stream initiation can crash the server process.
Vue 3.5.36 released
Vue 3.5.36 is a new version of the progressive JavaScript framework for building modern web UI.
Vue 3.5.37 Patch Release
Vue 3.5.37 is a patch release of the progressive JavaScript framework for building modern web UI.
Vue 3.5.38 Released
Vue 3.5.38 is now available. This is a release of the progressive JavaScript framework for building modern web UI.
@hulumi/baseline < 1.4.0: GuardDuty and Security Hub reuse bugs fixed
In @hulumi/baseline < 1.4.0, AccountFoundation's reuse mode for GuardDuty and Security Hub had two bugs: (1) GuardDuty reuse did n
@papra/webhooks SSRF Protection Bypass via Redirect Following
The webhook delivery HTTP client follows redirects without validating the redirect target against the blocklist, enabling authenti
@hulumi/policies: AWS IAM trust policy multi-provider detection fix
AWS IAM trust policies listing multiple federated identity providers (e.
@hulumi/policies <1.4.0 URN Spoofing Vulnerability
A security vulnerability in @hulumi/policies <1.
@hulumi/policies <1.4.0: HULUMI-H5 exemption validation bypass
HULUMI-H5 policy in @hulumi/policies <1.
@hulumi/baseline: Audit log S3 bucket immutability bypass in AccountFoundation
AccountFoundation's S3 bucket for CloudTrail and AWS Config audit logs had three vulnerabilities: (1) Object Lock disabled on star
@hulumi/drift: classifier bugs mask attacks and fire false positives
Two bugs in @hulumi/drift classifier: (1) adapter failures were cached as 'all clear' (None/none) for 6 hours, masking real attack
baileys: Message spoofing via placeholderResendMessage
A security vulnerability in baileys allows malicious payloads via placeholderResendMessage to spoof messages, corrupt app state sy
Vue 3.5.35 Patch Release
Patch version 3.5.35 of the progressive JavaScript framework Vue.js has been released.
Vite 8.0.15 released
Version 8.0.15 of Vite, a native-ESM powered web dev build tool, was released.