@openrewrite/recipes-nodejs 0.37.0-20251221-170424 → 0.37.0-20251222-170441

package/dist/resources/advisories-npm.csv

@@ -3576,6 +3576,7 @@ CVE-2024-57082,2025-02-06T06:31:26Z,"@rpldy/uploader prototype pollution",@rpldy
 CVE-2024-57083,2025-03-28T21:30:47Z,"Redoc Prototype Pollution via `Module.mergeObjects` Component",redoc,0,2.4.0,,HIGH,CWE-1321
 CVE-2024-57085,2025-02-06T06:31:26Z,"@stryker-mutator/util vulnerable to Prototype Pollution",@stryker-mutator/util,0,8.7.1,,HIGH,CWE-1321;CWE-400
 CVE-2024-57086,2025-02-06T06:31:26Z,"node-opcua-alarm-condition prototype pollution vulnerability","node-opcua-alarm-condition",0,2.137.0,,HIGH,CWE-1321
+CVE-2024-57177,2025-02-10T21:31:39Z,"CouchAuth has a Server-Side Template Injection vulnerability in its email functionality",@perfood/couch-auth,0,,0.21.2,MODERATE,CWE-1336;CWE-74
 CVE-2024-57186,2025-06-10T18:32:27Z,"Erxes Path Traversal vulnerability",erxes,0,1.6.2,,HIGH,CWE-22
 CVE-2024-57189,2025-06-10T18:32:27Z,"Erxes Path Traversal vulnerability",erxes,0,1.6.2,,MODERATE,CWE-22;CWE-24
 CVE-2024-57190,2025-06-10T18:32:27Z,"Erxes Incorrect Access Control vulnerability",erxes,0,1.6.1,,HIGH,CWE-284;CWE-287
@@ -3633,6 +3634,7 @@ CVE-2025-1302,2025-02-15T06:30:51Z,"JSONPath Plus allows Remote Code Execution",
 CVE-2025-13033,2025-10-07T13:42:02Z,"Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict",nodemailer,0,7.0.7,,MODERATE,CWE-20;CWE-436
 CVE-2025-13204,2025-11-14T18:31:39Z,"expr-eval vulnerable to Prototype Pollution",expr-eval,0,,2.0.2,HIGH,CWE-1321
 CVE-2025-13204,2025-11-14T18:31:39Z,"expr-eval vulnerable to Prototype Pollution",expr-eval-fork,0,2.0.2,,HIGH,CWE-1321
+CVE-2025-13321,2025-12-17T21:30:48Z,"Mattermost Desktop App exposes sensitive information in its application logs",mattermost-desktop,0,,3.6.0,LOW,CWE-532
 CVE-2025-13437,2025-11-20T18:31:01Z,"zx Uses Incorrectly-Resolved Name or Reference",zx,0,8.8.5,,MODERATE,CWE-706
 CVE-2025-13466,2025-11-25T14:20:21Z,"body-parser is vulnerable to denial of service when url encoding is used",body-parser,2.2.0,2.2.1,,MODERATE,CWE-400
 CVE-2025-13877,2025-12-09T17:42:53Z,"Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",@nocobase/auth,0,1.9.0-beta.18,,MODERATE,CWE-1320;CWE-321
@@ -3641,6 +3643,7 @@ CVE-2025-13877,2025-12-09T17:42:53Z,"Authentication Bypass via Default JWT Secre
 CVE-2025-1398,2025-03-17T15:31:50Z,"Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection",mattermost-desktop,0,5.11.0,,LOW,CWE-426
 CVE-2025-14284,2025-12-09T18:30:35Z,"@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)",@tiptap/extension-link,0,2.10.4,,LOW,CWE-79
 CVE-2025-1467,2025-02-23T18:30:24Z,"tarteaucitron Cross-site Scripting (XSS)",tarteaucitronjs,0,1.17.0,,LOW,CWE-79
+CVE-2025-14874,2025-12-18T09:30:30Z,"Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703
 CVE-2025-1520,2025-04-23T18:30:58Z,"PostHog Plugin Server SQL Injection Vulnerability",@posthog/plugin-server,0,,1.10.7,HIGH,CWE-89
 CVE-2025-1691,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to Control Character Injection via autocomplete",mongosh,0,2.3.9,,HIGH,CWE-74
 CVE-2025-1692,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to control character injection via pasting",mongosh,0,2.3.9,,MODERATE,CWE-150
@@ -3991,8 +3994,8 @@ CVE-2025-54313,2025-07-19T18:30:33Z,"eslint-config-prettier, eslint-plugin-prett
 CVE-2025-54313,2025-07-19T18:30:33Z,"eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code",got-fetch,5.1.11,6.0.0,,HIGH,CWE-506
 CVE-2025-54313,2025-07-19T18:30:33Z,"eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code",napi-postinstall,0.3.1,0.3.2,,HIGH,CWE-506
 CVE-2025-54313,2025-07-19T18:30:33Z,"eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code",synckit,0.11.9,0.11.10,,HIGH,CWE-506
-CVE-2025-54369,2025-07-25T14:08:50Z,"Node-SAML SAML Authentication Bypass",@node-saml/node-saml,0,5.1.0,,CRITICAL,CWE-287;CWE-347
-CVE-2025-54369,2025-07-25T14:08:50Z,"Node-SAML SAML Authentication Bypass",node-saml,0,,3.1.2,CRITICAL,CWE-287;CWE-347
+CVE-2025-54369,2025-07-25T14:08:50Z,"Node-SAML SAML Authentication Bypass",@node-saml/node-saml,0,5.1.0,,CRITICAL,CWE-287;CWE-347;CWE-87
+CVE-2025-54369,2025-07-25T14:08:50Z,"Node-SAML SAML Authentication Bypass",node-saml,0,,3.1.2,CRITICAL,CWE-287;CWE-347;CWE-87
 CVE-2025-54371,2025-07-23T16:49:38Z,"Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data",axios,1.10.0,1.11.0,,HIGH,
 CVE-2025-54378,2025-07-25T20:10:22Z,"HAX CMS API Lacks Authorization Checks",@haxtheweb/haxcms-nodejs,0,11.0.14,,HIGH,CWE-285;CWE-862
 CVE-2025-54387,2025-08-04T14:48:25Z,"IPX Allows Path Traversal via Prefix Matching Bypass",ipx,0,1.3.2,,MODERATE,CWE-22
@@ -4317,6 +4320,7 @@ CVE-2025-66219,2025-11-26T22:09:27Z,"willitmerge has a Command Injection vulnera
 CVE-2025-6624,2025-06-26T06:31:04Z,"Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode",snyk,0,1.1297.3,,LOW,CWE-532
 CVE-2025-66400,2025-12-02T01:25:46Z,"mdast-util-to-hast has unsanitized class attribute",mdast-util-to-hast,13.0.0,13.2.1,,MODERATE,CWE-20;CWE-915
 CVE-2025-66401,2025-12-02T00:38:14Z,"MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL",mcp-watch,0,,0.1.2,CRITICAL,CWE-78
+CVE-2025-66402,2025-12-15T20:55:27Z,"misskey.js's export data contains private post data",misskey-js,13.0.0-beta.16,2025.12.0,,HIGH,CWE-862
 CVE-2025-66404,2025-12-03T20:44:45Z,"mcp-server-kubernetes has potential security issue in exec_in_pod tool",mcp-server-kubernetes,0,2.9.8,,MODERATE,CWE-77
 CVE-2025-66405,2025-12-02T01:08:37Z,"Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host",@portkey-ai/gateway,0,1.14.0,,MODERATE,CWE-918
 CVE-2025-66412,2025-12-02T01:20:30Z,"Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes",@angular/compiler,0,,18.2.14,HIGH,CWE-79
@@ -4336,6 +4340,7 @@ CVE-2025-66421,2025-11-30T03:30:26Z,"Tryton sao allows XSS because it does not e
 CVE-2025-66456,2025-12-09T17:11:53Z,"Elysia vulnerable to prototype pollution with multiple standalone schema validation",elysia,1.4.0,1.4.17,,CRITICAL,CWE-1321
 CVE-2025-66457,2025-12-09T17:12:05Z,"Elysia affected by arbitrary code injection through cookie config",elysia,0,1.4.18,,HIGH,CWE-94
 CVE-2025-66479,2025-12-04T16:55:06Z,"Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing ","@anthropic-ai/sandbox-runtime",0,0.0.16,,LOW,CWE-693
+CVE-2025-66482,2025-12-15T20:59:59Z,"Misskey has a login rate limit bypass via spoofed X-Forwarded-For header",misskey-js,2025.9.1,2025.12.0-alpha.2,,MODERATE,CWE-1188;CWE-307
 CVE-2025-67489,2025-12-08T22:16:31Z,"@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server",@vitejs/plugin-rsc,0,0.5.6,,CRITICAL,CWE-94
 CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.11.0,4.11.2,,MODERATE,CWE-863
 CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.12.0,4.12.1,,MODERATE,CWE-863
@@ -4353,6 +4358,24 @@ CVE-2025-67779,2025-12-12T16:32:43Z,"Denial of Service Vulnerability in React Se
 CVE-2025-67779,2025-12-12T16:32:43Z,"Denial of Service Vulnerability in React Server Components",react-server-dom-webpack,19.0.2,19.0.3,,HIGH,CWE-400;CWE-502
 CVE-2025-67779,2025-12-12T16:32:43Z,"Denial of Service Vulnerability in React Server Components",react-server-dom-webpack,19.1.3,19.1.4,,HIGH,CWE-400;CWE-502
 CVE-2025-67779,2025-12-12T16:32:43Z,"Denial of Service Vulnerability in React Server Components",react-server-dom-webpack,19.2.2,19.2.3,,HIGH,CWE-400;CWE-502
+CVE-2025-67898,2025-12-15T00:30:25Z,"MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827",mjml,0,,4.18.0,MODERATE,CWE-36
+CVE-2025-68113,2025-12-16T00:43:52Z,"ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay",altcha-lib,0,1.4.1,,MODERATE,CWE-115;CWE-347
+CVE-2025-68115,2025-12-16T19:36:37Z,"Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables",parse-server,0,8.6.1,,MODERATE,CWE-79
+CVE-2025-68115,2025-12-16T19:36:37Z,"Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables",parse-server,9.0.0,9.1.0-alpha.3,,MODERATE,CWE-79
+CVE-2025-68130,2025-12-16T19:37:57Z,"tRPC has possible prototype pollution in `experimental_nextAppDirCaller`",@trpc/server,10.27.0,10.45.3,,HIGH,CWE-1321
+CVE-2025-68130,2025-12-16T19:37:57Z,"tRPC has possible prototype pollution in `experimental_nextAppDirCaller`",@trpc/server,11.0.0,11.8.0,,HIGH,CWE-1321
+CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,0,8.6.2,,HIGH,CWE-918
+CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,9.0.0,9.1.1.alpha.1,,HIGH,CWE-918
+CVE-2025-68154,2025-12-16T22:37:23Z,"systeminformation has a Command Injection vulnerability in fsSize() function on Windows",systeminformation,0,5.27.14,,HIGH,CWE-78
+CVE-2025-68155,2025-12-16T22:32:26Z,"@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint",@vitejs/plugin-rsc,0,0.5.8,,HIGH,CWE-22;CWE-73
+CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/cli,0,2.0.4,,HIGH,CWE-94
+CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/graphql,0,2.0.3,,HIGH,CWE-94
+CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",tinacms,0,3.1.1,,HIGH,CWE-94
+CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,10.0.0,10.1.10,,HIGH,CWE-200;CWE-538;CWE-541
+CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,7.0.0,7.6.21,,HIGH,CWE-200;CWE-538;CWE-541
+CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,8.0.0,8.6.15,,HIGH,CWE-200;CWE-538;CWE-541
+CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,9.0.0,9.1.17,,HIGH,CWE-200;CWE-538;CWE-541
+CVE-2025-68457,2025-12-19T19:17:26Z,"Orejime has executable code in HTML attributes",orejime,0,2.3.2,,LOW,CWE-79
 CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248
 CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241
 CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330
@@ -4386,6 +4409,7 @@ GHSA-22rr-f3p8-5gf8,2023-09-15T17:12:42Z,"Directus affected by VM2 sandbox escap
 GHSA-23q2-5gf8-gjpp,2024-04-19T17:26:32Z,"Enabling Authentication does not close all logged in socket connections immediately ",uptime-kuma,0,1.23.12,,LOW,CWE-384
 GHSA-23vw-mhv5-grv5,2020-09-03T15:48:43Z,"Denial of Service in @hapi/hapi",@hapi/hapi,0,18.4.1,,HIGH,
 GHSA-23vw-mhv5-grv5,2020-09-03T15:48:43Z,"Denial of Service in @hapi/hapi",@hapi/hapi,19.0.0,19.1.1,,HIGH,
+GHSA-24v3-254g-jv85,2025-12-19T21:32:35Z,"Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature",@tutao/tutanota-utils,0,314.251111.0,,LOW,CWE-1021;CWE-79
 GHSA-255r-pghp-r5wh,2020-09-03T17:05:34Z,"Malicious Package in hdeky",hdeky,0.0.0,,,CRITICAL,CWE-506
 GHSA-2563-83p7-f34p,2020-09-02T20:24:41Z,"Malicious Package in requestt",requestt,0,,,CRITICAL,CWE-506
 GHSA-25v4-mcx4-hh35,2020-09-04T17:28:28Z,"Cross-Site Scripting in atlasboard-atlassian-package","atlasboard-atlassian-package",0.0.0,,,HIGH,CWE-79
@@ -5297,6 +5321,7 @@ GHSA-vp93-gcx5-4w52,2020-09-11T21:21:19Z,"Cross-Site Scripting in swagger-ui",sw
 GHSA-vpgc-7h78-gx8f,2020-09-04T18:05:14Z,"personnummer/js vulnerable to Improper Input Validation",personnummer,0,3.1.0,,LOW,
 GHSA-vpj4-89q8-rh38,2020-09-03T18:16:59Z,"Cross-Site Scripting in bpmn-js-properties-panel",bpmn-js-properties-panel,0,0.31.0,,HIGH,CWE-79
 GHSA-vpq5-4rc8-c222,2019-06-05T14:10:45Z,"Denial of Service in canvas",canvas,0,1.6.10,,MODERATE,
+GHSA-vr6p-vq2p-6j74,2025-12-15T22:00:17Z,"LikeC4 has RCE through vulnerable React and Next.js versions",likec4,0,,1.46.1,CRITICAL,CWE-502
 GHSA-vrxj-4qhw-5vwq,2020-09-03T17:03:41Z,"Malicious Package in scryptys",scryptys,0.0.0,,,CRITICAL,CWE-506
 GHSA-vv52-3mrp-455m,2020-09-03T15:53:36Z,"Malicious Package in m-backdoor",m-backdoor,0.0.0,,,CRITICAL,CWE-506
 GHSA-vv7g-pjw9-4qj9,2020-09-03T17:03:56Z,"Malicious Package in scrytsy",scrytsy,0.0.0,,,CRITICAL,CWE-506
@@ -5403,6 +5428,7 @@ GHSA-x565-32qp-m3vf,2024-04-11T21:30:30Z,"phin may include sensitive headers in
 GHSA-x6ch-c6rv-f7wh,2020-09-02T18:34:22Z,"Malicious Package in asymc",asymc,0,,,CRITICAL,CWE-506
 GHSA-x6gq-467r-hwcc,2020-09-01T21:14:05Z,"Malicious Package in soket.js",soket.js,0,,,CRITICAL,CWE-506
 GHSA-x6m6-5hrf-fh6r,2020-09-01T21:26:50Z,"Denial of Service in markdown-it-toc-and-anchor","markdown-it-toc-and-anchor",0,4.2.0,,HIGH,CWE-400
+GHSA-x732-6j76-qmhm,2025-12-16T21:22:45Z,"Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits",better-auth,0,1.4.5,,HIGH,CWE-400;CWE-41
 GHSA-x7rp-qj2h-ghgw,2025-11-14T20:50:36Z,"Flowise Fails to Invalidate Existing Sessions After Password Changes",flowise,0,3.0.10,,HIGH,CWE-613
 GHSA-x87g-rgrh-r6g3,2020-09-03T17:07:15Z,"Malicious Package in rpc-websocket",rpc-websocket,0.7.7,,,CRITICAL,CWE-506
 GHSA-x8m7-cv39-xmg9,2020-09-03T22:56:10Z,"Malicious Package in jq-sha3",jq-sha3,0.0.0,,,CRITICAL,CWE-506

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openrewrite/recipes-nodejs",
-  "version": "0.37.0-20251221-170424",
+  "version": "0.37.0-20251222-170441",
   "license": "Moderne Source Available License",
   "description": "OpenRewrite recipes for Node.js library migrations.",
   "homepage": "https://github.com/moderneinc/rewrite-node",