@openrewrite/recipes-nodejs 0.37.0-20251224-170410 → 0.37.0-20260101-170532

package/dist/index.d.ts

@@ -1,3 +1,6 @@
-import { RecipeRegistry } from "@openrewrite/rewrite";
-export declare function activate(registry: RecipeRegistry): void;
+import { CategoryDescriptor, RecipeMarketplace } from "@openrewrite/rewrite";
+export declare const NodeJS: CategoryDescriptor[];
+export declare const Migrate: CategoryDescriptor[];
+export declare const Security: CategoryDescriptor[];
+export declare function activate(marketplace: RecipeMarketplace): Promise<void>;
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AA0BpD,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,cAAc,QAwBhD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,kBAAkB,EAAE,iBAAiB,EAAC,MAAM,sBAAsB,CAAC;AAyB3E,eAAO,MAAM,MAAM,EAAE,kBAAkB,EAA+B,CAAC;AACvE,eAAO,MAAM,OAAO,EAAE,kBAAkB,EAA0C,CAAC;AACnF,eAAO,MAAM,QAAQ,EAAE,kBAAkB,EAA2C,CAAC;AAErF,wBAAsB,QAAQ,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAyB5E"}

package/dist/index.js

@@ -1,5 +1,15 @@
 "use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.Security = exports.Migrate = exports.NodeJS = void 0;
 exports.activate = activate;
 const util_type_checking_1 = require("./migrate/util-type-checking");
 const buffer_slice_1 = require("./migrate/buffer-slice");
@@ -24,29 +34,34 @@ const net_set_simultaneous_accepts_1 = require("./migrate/net-set-simultaneous-a
 const upgrade_node_22_1 = require("./migrate/upgrade-node-22");
 const upgrade_node_24_1 = require("./migrate/upgrade-node-24");
 const security_1 = require("./security");
-function activate(registry) {
-    registry.register(util_type_checking_1.UseNativeTypeCheckingMethods);
-    registry.register(buffer_slice_1.ReplaceDeprecatedBufferSlice);
-    registry.register(process_features_tls_1.RemoveUsageOfProcessFeaturesTlsConstants);
-    registry.register(crypto_constructors_1.ReplaceCryptoConstructors);
-    registry.register(util_log_1.ReplaceUtilLog);
-    registry.register(util_extend_1.ReplaceUtilExtend);
-    registry.register(fs_stats_constructor_1.ReplaceFsStatsConstructor);
-    registry.register(crypto_fips_1.ReplaceCryptoFips);
-    registry.register(slow_buffer_1.ReplaceSlowBuffer);
-    registry.register(fs_access_constants_1.ReplaceFsAccessConstants);
-    registry.register(promisify_on_promise_1.RemovePromisifyOnPromise);
-    registry.register(process_exit_code_1.AvoidImplicitCoercionOfExitCode);
-    registry.register(dirent_path_1.ReplaceDirentPath);
-    registry.register(util_types_wasm_1.ReplaceIsWebAssemblyCompiledModule);
-    registry.register(zlib_bytes_read_1.ReplaceZlibBytesRead);
-    registry.register(fs_truncate_1.ReplaceFsTruncateWithFd);
-    registry.register(outgoing_message_headers_1.ReplaceOutgoingMessageHeaders);
-    registry.register(tls_internal_modules_1.ReplaceTlsInternalModules);
-    registry.register(stream_internal_modules_1.ReplaceStreamInternalModules);
-    registry.register(net_set_simultaneous_accepts_1.RemoveNetSetSimultaneousAccepts);
-    registry.register(upgrade_node_22_1.UpgradeNode22);
-    registry.register(upgrade_node_24_1.UpgradeNode24);
-    registry.register(security_1.DependencyVulnerabilityCheck);
+exports.NodeJS = [{ displayName: "Node.js" }];
+exports.Migrate = [...exports.NodeJS, { displayName: "Migrate" }];
+exports.Security = [...exports.NodeJS, { displayName: "Security" }];
+function activate(marketplace) {
+    return __awaiter(this, void 0, void 0, function* () {
+        yield marketplace.install(util_type_checking_1.UseNativeTypeCheckingMethods, exports.Migrate);
+        yield marketplace.install(buffer_slice_1.ReplaceDeprecatedBufferSlice, exports.Migrate);
+        yield marketplace.install(process_features_tls_1.RemoveUsageOfProcessFeaturesTlsConstants, exports.Migrate);
+        yield marketplace.install(crypto_constructors_1.ReplaceCryptoConstructors, exports.Migrate);
+        yield marketplace.install(util_log_1.ReplaceUtilLog, exports.Migrate);
+        yield marketplace.install(util_extend_1.ReplaceUtilExtend, exports.Migrate);
+        yield marketplace.install(fs_stats_constructor_1.ReplaceFsStatsConstructor, exports.Migrate);
+        yield marketplace.install(crypto_fips_1.ReplaceCryptoFips, exports.Migrate);
+        yield marketplace.install(slow_buffer_1.ReplaceSlowBuffer, exports.Migrate);
+        yield marketplace.install(fs_access_constants_1.ReplaceFsAccessConstants, exports.Migrate);
+        yield marketplace.install(promisify_on_promise_1.RemovePromisifyOnPromise, exports.Migrate);
+        yield marketplace.install(process_exit_code_1.AvoidImplicitCoercionOfExitCode, exports.Migrate);
+        yield marketplace.install(dirent_path_1.ReplaceDirentPath, exports.Migrate);
+        yield marketplace.install(util_types_wasm_1.ReplaceIsWebAssemblyCompiledModule, exports.Migrate);
+        yield marketplace.install(zlib_bytes_read_1.ReplaceZlibBytesRead, exports.Migrate);
+        yield marketplace.install(fs_truncate_1.ReplaceFsTruncateWithFd, exports.Migrate);
+        yield marketplace.install(outgoing_message_headers_1.ReplaceOutgoingMessageHeaders, exports.Migrate);
+        yield marketplace.install(tls_internal_modules_1.ReplaceTlsInternalModules, exports.Migrate);
+        yield marketplace.install(stream_internal_modules_1.ReplaceStreamInternalModules, exports.Migrate);
+        yield marketplace.install(net_set_simultaneous_accepts_1.RemoveNetSetSimultaneousAccepts, exports.Migrate);
+        yield marketplace.install(upgrade_node_22_1.UpgradeNode22, exports.Migrate);
+        yield marketplace.install(upgrade_node_24_1.UpgradeNode24, exports.Migrate);
+        yield marketplace.install(security_1.DependencyVulnerabilityCheck, exports.Security);
+    });
 }
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;AA0BA,4BAwBC;AAjDD,qEAA0E;AAC1E,yDAAoE;AACpE,yEAAwF;AACxF,uEAAwE;AACxE,iDAAkD;AAClD,uDAAwD;AACxD,yEAAyE;AACzE,uDAAwD;AACxD,uDAAwD;AACxD,uEAAuE;AACvE,yEAAwE;AACxE,mEAA4E;AAC5E,uDAAwD;AACxD,+DAA6E;AAC7E,+DAA+D;AAC/D,uDAA8D;AAC9D,iFAAiF;AACjF,yEAAyE;AACzE,+EAA+E;AAC/E,yFAAuF;AACvF,+DAAwD;AACxD,+DAAwD;AACxD,yCAAwD;AAGxD,SAAgB,QAAQ,CAAC,QAAwB;IAC7C,QAAQ,CAAC,QAAQ,CAAC,iDAA4B,CAAC,CAAC;IAChD,QAAQ,CAAC,QAAQ,CAAC,2CAA4B,CAAC,CAAC;IAChD,QAAQ,CAAC,QAAQ,CAAC,+DAAwC,CAAC,CAAC;IAC5D,QAAQ,CAAC,QAAQ,CAAC,+CAAyB,CAAC,CAAC;IAC7C,QAAQ,CAAC,QAAQ,CAAC,yBAAc,CAAC,CAAC;IAClC,QAAQ,CAAC,QAAQ,CAAC,+BAAiB,CAAC,CAAC;IACrC,QAAQ,CAAC,QAAQ,CAAC,gDAAyB,CAAC,CAAC;IAC7C,QAAQ,CAAC,QAAQ,CAAC,+BAAiB,CAAC,CAAC;IACrC,QAAQ,CAAC,QAAQ,CAAC,+BAAiB,CAAC,CAAC;IACrC,QAAQ,CAAC,QAAQ,CAAC,8CAAwB,CAAC,CAAC;IAC5C,QAAQ,CAAC,QAAQ,CAAC,+CAAwB,CAAC,CAAC;IAC5C,QAAQ,CAAC,QAAQ,CAAC,mDAA+B,CAAC,CAAC;IACnD,QAAQ,CAAC,QAAQ,CAAC,+BAAiB,CAAC,CAAC;IACrC,QAAQ,CAAC,QAAQ,CAAC,oDAAkC,CAAC,CAAC;IACtD,QAAQ,CAAC,QAAQ,CAAC,sCAAoB,CAAC,CAAC;IACxC,QAAQ,CAAC,QAAQ,CAAC,qCAAuB,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,CAAC,wDAA6B,CAAC,CAAC;IACjD,QAAQ,CAAC,QAAQ,CAAC,gDAAyB,CAAC,CAAC;IAC7C,QAAQ,CAAC,QAAQ,CAAC,sDAA4B,CAAC,CAAC;IAChD,QAAQ,CAAC,QAAQ,CAAC,8DAA+B,CAAC,CAAC;IACnD,QAAQ,CAAC,QAAQ,CAAC,+BAAa,CAAC,CAAC;IACjC,QAAQ,CAAC,QAAQ,CAAC,+BAAa,CAAC,CAAC;IACjC,QAAQ,CAAC,QAAQ,CAAC,uCAA4B,CAAC,CAAC;AACpD,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AA6BA,4BAyBC;AArDD,qEAA0E;AAC1E,yDAAoE;AACpE,yEAAwF;AACxF,uEAAwE;AACxE,iDAAkD;AAClD,uDAAwD;AACxD,yEAAyE;AACzE,uDAAwD;AACxD,uDAAwD;AACxD,uEAAuE;AACvE,yEAAwE;AACxE,mEAA4E;AAC5E,uDAAwD;AACxD,+DAA6E;AAC7E,+DAA+D;AAC/D,uDAA8D;AAC9D,iFAAiF;AACjF,yEAAyE;AACzE,+EAA+E;AAC/E,yFAAuF;AACvF,+DAAwD;AACxD,+DAAwD;AACxD,yCAAwD;AAE3C,QAAA,MAAM,GAAyB,CAAC,EAAC,WAAW,EAAE,SAAS,EAAC,CAAC,CAAC;AAC1D,QAAA,OAAO,GAAyB,CAAC,GAAG,cAAM,EAAE,EAAC,WAAW,EAAE,SAAS,EAAC,CAAC,CAAC;AACtE,QAAA,QAAQ,GAAyB,CAAC,GAAG,cAAM,EAAE,EAAC,WAAW,EAAE,UAAU,EAAC,CAAC,CAAC;AAErF,SAAsB,QAAQ,CAAC,WAA8B;;QACzD,MAAM,WAAW,CAAC,OAAO,CAAC,iDAA4B,EAAE,eAAO,CAAC,CAAC;QACjE,MAAM,WAAW,CAAC,OAAO,CAAC,2CAA4B,EAAE,eAAO,CAAC,CAAC;QACjE,MAAM,WAAW,CAAC,OAAO,CAAC,+DAAwC,EAAE,eAAO,CAAC,CAAC;QAC7E,MAAM,WAAW,CAAC,OAAO,CAAC,+CAAyB,EAAE,eAAO,CAAC,CAAC;QAC9D,MAAM,WAAW,CAAC,OAAO,CAAC,yBAAc,EAAE,eAAO,CAAC,CAAC;QACnD,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,gDAAyB,EAAE,eAAO,CAAC,CAAC;QAC9D,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,8CAAwB,EAAE,eAAO,CAAC,CAAC;QAC7D,MAAM,WAAW,CAAC,OAAO,CAAC,+CAAwB,EAAE,eAAO,CAAC,CAAC;QAC7D,MAAM,WAAW,CAAC,OAAO,CAAC,mDAA+B,EAAE,eAAO,CAAC,CAAC;QACpE,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,oDAAkC,EAAE,eAAO,CAAC,CAAC;QACvE,MAAM,WAAW,CAAC,OAAO,CAAC,sCAAoB,EAAE,eAAO,CAAC,CAAC;QACzD,MAAM,WAAW,CAAC,OAAO,CAAC,qCAAuB,EAAE,eAAO,CAAC,CAAC;QAC5D,MAAM,WAAW,CAAC,OAAO,CAAC,wDAA6B,EAAE,eAAO,CAAC,CAAC;QAClE,MAAM,WAAW,CAAC,OAAO,CAAC,gDAAyB,EAAE,eAAO,CAAC,CAAC;QAC9D,MAAM,WAAW,CAAC,OAAO,CAAC,sDAA4B,EAAE,eAAO,CAAC,CAAC;QACjE,MAAM,WAAW,CAAC,OAAO,CAAC,8DAA+B,EAAE,eAAO,CAAC,CAAC;QACpE,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAa,EAAE,eAAO,CAAC,CAAC;QAClD,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAa,EAAE,eAAO,CAAC,CAAC;QAElD,MAAM,WAAW,CAAC,OAAO,CAAC,uCAA4B,EAAE,gBAAQ,CAAC,CAAC;IACtE,CAAC;CAAA"}

package/dist/resources/advisories-npm.csv

@@ -2006,7 +2006,7 @@ CVE-2021-46440,2022-05-04T00:00:22Z,"Insecure password handling vulnerability in
 CVE-2021-46704,2022-03-07T00:00:40Z,"OS Command Injection in GenieACS",genieacs,0,1.2.8,,CRITICAL,CWE-78
 CVE-2021-46708,2022-03-12T00:00:36Z,"Spoofing attack in swagger-ui-dist",swagger-ui-dist,0,4.1.3,,MODERATE,CWE-1021
 CVE-2021-46871,2023-01-10T06:30:25Z,"phoenix_html allows Cross-site Scripting in HEEx class attributes",phoenix_html,0,3.0.4,,MODERATE,CWE-79
-CVE-2022-0086,2022-01-06T22:24:35Z,"uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF)",uppy,0,2.3.3,,HIGH,CWE-918
+CVE-2022-0086,2022-01-06T22:24:35Z,"uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF)",@uppy/companion,0,3.1.5,,HIGH,CWE-918
 CVE-2022-0087,2022-01-12T21:55:40Z,"Reflected cross-site scripting (XSS) vulnerability",@keystone-6/auth,0,1.0.2,,HIGH,CWE-79
 CVE-2022-0087,2022-01-12T21:55:40Z,"Reflected cross-site scripting (XSS) vulnerability",@keystone-next/auth,0,,37.0.0,HIGH,CWE-79
 CVE-2022-0122,2022-01-21T23:36:19Z,"Open Redirect in node-forge",node-forge,0,1.0.0,,MODERATE,CWE-601
@@ -3632,6 +3632,7 @@ CVE-2025-12816,2025-11-26T22:07:19Z,"node-forge has an Interpretation Conflict v
 CVE-2025-12919,2025-11-09T21:30:16Z,"EverShop is vulnerable to Unauthorized Order Information Access (IDOR)",@evershop/evershop,0,,2.1.0,LOW,CWE-639;CWE-99
 CVE-2025-1302,2025-02-15T06:30:51Z,"JSONPath Plus allows Remote Code Execution",jsonpath-plus,0,10.3.0,,HIGH,CWE-94
 CVE-2025-13033,2025-10-07T13:42:02Z,"Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict",nodemailer,0,7.0.7,,MODERATE,CWE-20;CWE-436
+CVE-2025-13158,2025-12-26T18:30:26Z,"apidoc-core has a prototype pollution vulnerability",apidoc-core,0.2.0,,0.15.0,CRITICAL,CWE-1321
 CVE-2025-13204,2025-11-14T18:31:39Z,"expr-eval vulnerable to Prototype Pollution",expr-eval,0,,2.0.2,HIGH,CWE-1321
 CVE-2025-13204,2025-11-14T18:31:39Z,"expr-eval vulnerable to Prototype Pollution",expr-eval-fork,0,2.0.2,,HIGH,CWE-1321
 CVE-2025-13321,2025-12-17T21:30:48Z,"Mattermost Desktop App exposes sensitive information in its application logs",mattermost-desktop,0,,3.6.0,LOW,CWE-532
@@ -3704,6 +3705,7 @@ CVE-2025-25299,2025-02-20T20:16:31Z,"Cross-site scripting (XSS) in the CKEditor
 CVE-2025-25300,2019-09-13T13:22:33Z,"smartbanner.js rel noopener vulnerability",smartbanner.js,0,1.14.1,,LOW,CWE-601;CWE-79
 CVE-2025-25304,2025-02-14T17:33:58Z,"Vega allows Cross-site Scripting via the vlSelectionTuples function",vega,0,5.26.0,,MODERATE,CWE-79
 CVE-2025-25304,2025-02-14T17:33:58Z,"Vega allows Cross-site Scripting via the vlSelectionTuples function",vega-selections,0,5.4.2,,MODERATE,CWE-79
+CVE-2025-25341,2025-12-26T15:30:17Z,"libxmljs has segmentation fault, potentially leading to a denial-of-service (DoS)",libxmljs,0,,1.0.11,HIGH,CWE-400
 CVE-2025-25975,2025-03-12T21:31:29Z,"Prototype Pollution Vulnerability in parse-git-config",parse-git-config,0,,3.0.0,HIGH,CWE-1321;CWE-200
 CVE-2025-25977,2025-03-10T18:31:56Z,"canvg Prototype Pollution vulnerability",canvg,0,3.0.11,,HIGH,CWE-1321
 CVE-2025-25977,2025-03-10T18:31:56Z,"canvg Prototype Pollution vulnerability",canvg,4.0.0,4.0.3,,HIGH,CWE-1321
@@ -4225,6 +4227,7 @@ CVE-2025-61687,2025-10-08T19:34:21Z,"FlowiseAI/Flosise has File Upload vulnerabi
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",Flowise,0,3.0.8,,CRITICAL,CWE-22
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",flowise,0,3.0.8,,CRITICAL,CWE-22
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",flowise-components,0,3.0.8,,CRITICAL,CWE-22
+CVE-2025-61914,2025-12-26T17:30:19Z,"n8n's Possible Stored XSS in ""Respond to Webhook"" Node May Execute Outside iframe Sandbox",n8n,0,1.114.0,,HIGH,CWE-79
 CVE-2025-61925,2025-10-10T23:41:29Z,"Astro's `X-Forwarded-Host` is reflected without validation",astro,0,5.14.3,,MODERATE,CWE-20;CWE-470
 CVE-2025-61927,2025-10-10T23:46:42Z,"Happy DOM: VM Context Escape can lead to Remote Code Execution",happy-dom,0,20.0.0,,CRITICAL,CWE-94
 CVE-2025-61928,2025-10-09T15:40:50Z,"Better Auth: Unauthenticated API key creation through api-key plugin",better-auth,0,1.3.26,,HIGH,CWE-285;CWE-306
@@ -4376,6 +4379,18 @@ CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environ
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,8.0.0,8.6.15,,HIGH,CWE-200;CWE-538;CWE-541
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,9.0.0,9.1.17,,HIGH,CWE-200;CWE-538;CWE-541
 CVE-2025-68457,2025-12-19T19:17:26Z,"Orejime has executable code in HTML attributes",orejime,0,2.3.2,,LOW,CWE-79
+CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,0,1.6.13,,HIGH,CWE-1333
+CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,1.7.0,1.7.14,,HIGH,CWE-1333
+CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,1.8.0,1.8.15,,HIGH,CWE-1333
+CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,1.9.0,1.9.2,,HIGH,CWE-1333
+CVE-2025-68613,2025-12-22T16:19:13Z,"n8n Vulnerable to Remote Code Execution via Expression Injection",n8n,0.211.0,1.120.4,,CRITICAL,CWE-913
+CVE-2025-68613,2025-12-22T16:19:13Z,"n8n Vulnerable to Remote Code Execution via Expression Injection",n8n,1.121.0,1.121.1,,CRITICAL,CWE-913
+CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",@langchain/core,0,0.3.80,,HIGH,CWE-502
+CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",@langchain/core,1.0.0,1.1.8,,HIGH,CWE-502
+CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",langchain,0,0.3.37,,HIGH,CWE-502
+CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",langchain,1.0.0,1.2.3,,HIGH,CWE-502
+CVE-2025-68668,2025-12-26T18:18:05Z,"n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node ",n8n,1.0.0,2.0.0,,CRITICAL,CWE-693
+CVE-2025-68697,2025-12-26T18:26:38Z,"Self-hosted n8n has Legacy Code node that enables arbitrary file read/write",n8n,0,2.0.0,,HIGH,CWE-269;CWE-749
 CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248
 CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241
 CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330
@@ -5321,7 +5336,7 @@ GHSA-vp93-gcx5-4w52,2020-09-11T21:21:19Z,"Cross-Site Scripting in swagger-ui",sw
 GHSA-vpgc-7h78-gx8f,2020-09-04T18:05:14Z,"personnummer/js vulnerable to Improper Input Validation",personnummer,0,3.1.0,,LOW,
 GHSA-vpj4-89q8-rh38,2020-09-03T18:16:59Z,"Cross-Site Scripting in bpmn-js-properties-panel",bpmn-js-properties-panel,0,0.31.0,,HIGH,CWE-79
 GHSA-vpq5-4rc8-c222,2019-06-05T14:10:45Z,"Denial of Service in canvas",canvas,0,1.6.10,,MODERATE,
-GHSA-vr6p-vq2p-6j74,2025-12-15T22:00:17Z,"LikeC4 has RCE through vulnerable React and Next.js versions",likec4,0,,1.46.1,CRITICAL,CWE-502
+GHSA-vr6p-vq2p-6j74,2025-12-15T22:00:17Z,"Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions",likec4,0,,1.46.1,CRITICAL,CWE-502
 GHSA-vrxj-4qhw-5vwq,2020-09-03T17:03:41Z,"Malicious Package in scryptys",scryptys,0.0.0,,,CRITICAL,CWE-506
 GHSA-vv52-3mrp-455m,2020-09-03T15:53:36Z,"Malicious Package in m-backdoor",m-backdoor,0.0.0,,,CRITICAL,CWE-506
 GHSA-vv7g-pjw9-4qj9,2020-09-03T17:03:56Z,"Malicious Package in scrytsy",scrytsy,0.0.0,,,CRITICAL,CWE-506

package/dist/security/dependency-vulnerability-check.d.ts

@@ -1,6 +1,6 @@
-import { ExecutionContext, Recipe, ScanningRecipe, TreeVisitor } from "@openrewrite/rewrite";
-import { DependencyScope, ResolvedDependency, PackageManager, DependencyRecipeAccumulator } from "@openrewrite/rewrite/javascript";
-import { Vulnerability, VulnerabilityDatabase } from "./vulnerability";
+import { ExecutionContext, ScanningRecipe, TreeVisitor } from "@openrewrite/rewrite";
+import { DependencyRecipeAccumulator, DependencyScope, PackageManager, ResolvedDependency } from "@openrewrite/rewrite/javascript";
+import { Severity, Vulnerability, VulnerabilityDatabase } from "./vulnerability";
 export type UpgradeDelta = 'none' | 'patch' | 'minor' | 'major';
 interface PathSegment {
     name: string;
@@ -20,17 +20,23 @@ interface VulnerabilityFix {
     isTransitive: boolean;
     cves: string[];
     scope?: DependencyScope;
+    originalMajorVersion?: number;
 }
 interface ProjectUpdateInfo {
-    projectDir: string;
     packageJsonPath: string;
     originalPackageJson: string;
     packageManager: PackageManager;
+    configFiles?: Record<string, string>;
 }
 interface Accumulator extends DependencyRecipeAccumulator<ProjectUpdateInfo> {
     db: VulnerabilityDatabase;
     vulnerableByProject: Map<string, VulnerableDependency[]>;
     fixesByProject: Map<string, VulnerabilityFix[]>;
+    originalLockFiles: Map<string, string>;
+    allPackageJsonContents: Map<string, string>;
+    workspaceRoots: Map<string, string[]>;
+    modifiedWorkspaceMemberContents: Map<string, string>;
+    workspaceDetectionComplete: boolean;
 }
 export declare class DependencyVulnerabilityCheck extends ScanningRecipe<Accumulator> {
     readonly name = "org.openrewrite.node.dependency-vulnerability-check";
@@ -40,23 +46,38 @@ export declare class DependencyVulnerabilityCheck extends ScanningRecipe<Accumul
     scope?: DependencyScope;
     overrideTransitive?: boolean;
     maximumUpgradeDelta?: UpgradeDelta;
-    minimumSeverity?: string;
+    minimumSeverity?: Severity;
     cvePattern?: string;
+    fixDeclaredVersions?: boolean;
+    private cvePatternRegex?;
+    constructor(options?: {
+        scope?: DependencyScope;
+        overrideTransitive?: boolean;
+        maximumUpgradeDelta?: UpgradeDelta;
+        minimumSeverity?: string;
+        cvePattern?: string;
+        fixDeclaredVersions?: boolean;
+    });
     initialValue(_ctx: ExecutionContext): Accumulator;
-    private getMinimumSeverity;
-    private getMaximumUpgradeDelta;
     private isReportOnly;
     private matchesCvePattern;
     private isVersionAffected;
     private isUpgradeableWithinDelta;
     private getUpgradeVersion;
+    private getVersionPrefixForDelta;
     private renderPath;
     private findVulnerabilities;
+    private findPreventiveFixes;
+    private isUpgradeWithinDelta;
+    private extractMinimumVersion;
+    private findHighestSafeVersion;
+    private isVersionWithinDelta;
     private computeFixes;
     scanner(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>>;
-    getRecipeList(): Promise<Recipe[]>;
     editorWithData(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>>;
     private runPackageManagerInstall;
+    private runWorkspacePackageManagerInstall;
+    private createModifiedPackageJsonDirectOnly;
     private createModifiedPackageJson;
 }
 export declare function extractVersionPrefix(versionString: string): {

package/dist/security/dependency-vulnerability-check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dependency-vulnerability-check.d.ts","sourceRoot":"","sources":["../../src/security/dependency-vulnerability-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAAoB,gBAAgB,EAAU,MAAM,EAAE,cAAc,EAAQ,WAAW,EAAa,MAAM,sBAAsB,CAAC;AAKxI,OAAO,EACH,eAAe,EAEf,kBAAkB,EAClB,cAAc,EAEd,2BAA2B,EAM9B,MAAM,iCAAiC,CAAC;AAGzC,OAAO,EAA2C,aAAa,EAAE,qBAAqB,EAAC,MAAM,iBAAiB,CAAC;AAM/G,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAsHhE,UAAU,WAAW;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACnB;AAKD,UAAU,oBAAoB;IAE1B,QAAQ,EAAE,kBAAkB,CAAC;IAE7B,aAAa,EAAE,aAAa,CAAC;IAE7B,KAAK,EAAE,MAAM,CAAC;IAEd,QAAQ,EAAE,OAAO,CAAC;IAElB,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB,IAAI,EAAE,WAAW,EAAE,CAAC;CACvB;AAKD,UAAU,gBAAgB;IAEtB,WAAW,EAAE,MAAM,CAAC;IAEpB,UAAU,EAAE,MAAM,CAAC;IAEnB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,EAAE,CAAC;IAEf,KAAK,CAAC,EAAE,eAAe,CAAC;CAC3B;AAKD,UAAU,iBAAiB;IAEvB,UAAU,EAAE,MAAM,CAAC;IAEnB,eAAe,EAAE,MAAM,CAAC;IAExB,mBAAmB,EAAE,MAAM,CAAC;IAE5B,cAAc,EAAE,cAAc,CAAC;CAClC;AAKD,UAAU,WAAY,SAAQ,2BAA2B,CAAC,iBAAiB,CAAC;IAExE,EAAE,EAAE,qBAAqB,CAAC;IAE1B,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,oBAAoB,EAAE,CAAC,CAAC;IAEzD,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;CACnD;AAgBD,qBAAa,4BAA6B,SAAQ,cAAc,CAAC,WAAW,CAAC;IACzE,QAAQ,CAAC,IAAI,yDAAyD;IACtE,QAAQ,CAAC,WAAW,8CAA8C;IAClE,QAAQ,CAAC,WAAW,SAI8D;IAElF,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAKlC;IAUF,KAAK,CAAC,EAAE,eAAe,CAAC;IAUxB,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAa7B,mBAAmB,CAAC,EAAE,YAAY,CAAC;IAWnC,eAAe,CAAC,EAAE,MAAM,CAAC;IAWzB,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,WAAW;IAWjD,OAAO,CAAC,kBAAkB;IAI1B,OAAO,CAAC,sBAAsB;IAI9B,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,iBAAiB;IAezB,OAAO,CAAC,iBAAiB;IAwCzB,OAAO,CAAC,wBAAwB;IAwDhC,OAAO,CAAC,iBAAiB;IAczB,OAAO,CAAC,UAAU;IAclB,OAAO,CAAC,mBAAmB;IAyE3B,OAAO,CAAC,YAAY;IAyDd,OAAO,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IA0EtE,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAMlC,cAAc,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;YAiLrE,wBAAwB;IAuBtC,OAAO,CAAC,yBAAyB;CAiBpC;AAMD,wBAAgB,oBAAoB,CAAC,aAAa,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAU/F;AAKD,wBAAgB,kBAAkB,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAGtF"}
+{"version":3,"file":"dependency-vulnerability-check.d.ts","sourceRoot":"","sources":["../../src/security/dependency-vulnerability-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAGH,gBAAgB,EAGhB,cAAc,EAGd,WAAW,EACd,MAAM,sBAAsB,CAAC;AAI9B,OAAO,EAGH,2BAA2B,EAC3B,eAAe,EAIf,cAAc,EACd,kBAAkB,EAMrB,MAAM,iCAAiC,CAAC;AAGzC,OAAO,EAAgB,QAAQ,EAAmB,aAAa,EAAE,qBAAqB,EAAC,MAAM,iBAAiB,CAAC;AAa/G,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAsHhE,UAAU,WAAW;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACnB;AAKD,UAAU,oBAAoB;IAE1B,QAAQ,EAAE,kBAAkB,CAAC;IAE7B,aAAa,EAAE,aAAa,CAAC;IAE7B,KAAK,EAAE,MAAM,CAAC;IAEd,QAAQ,EAAE,OAAO,CAAC;IAElB,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB,IAAI,EAAE,WAAW,EAAE,CAAC;CACvB;AAKD,UAAU,gBAAgB;IAEtB,WAAW,EAAE,MAAM,CAAC;IAEpB,UAAU,EAAE,MAAM,CAAC;IAEnB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,EAAE,CAAC;IAEf,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACjC;AAKD,UAAU,iBAAiB;IAEvB,eAAe,EAAE,MAAM,CAAC;IAExB,mBAAmB,EAAE,MAAM,CAAC;IAE5B,cAAc,EAAE,cAAc,CAAC;IAE/B,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAKD,UAAU,WAAY,SAAQ,2BAA2B,CAAC,iBAAiB,CAAC;IAExE,EAAE,EAAE,qBAAqB,CAAC;IAE1B,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,oBAAoB,EAAE,CAAC,CAAC;IAEzD,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAEhD,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEvC,sBAAsB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE5C,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAEtC,+BAA+B,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAErD,0BAA0B,EAAE,OAAO,CAAC;CACvC;AAgBD,qBAAa,4BAA6B,SAAQ,cAAc,CAAC,WAAW,CAAC;IACzE,QAAQ,CAAC,IAAI,yDAAyD;IACtE,QAAQ,CAAC,WAAW,8CAA8C;IAClE,QAAQ,CAAC,WAAW,SAI8D;IAElF,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAKlC;IAUF,KAAK,CAAC,EAAE,eAAe,CAAC;IAUxB,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAa7B,mBAAmB,CAAC,EAAE,YAAY,CAAC;IAWnC,eAAe,CAAC,EAAE,QAAQ,CAAC;IAW3B,UAAU,CAAC,EAAE,MAAM,CAAC;IAYpB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAG9B,OAAO,CAAC,eAAe,CAAC,CAAS;gBAErB,OAAO,CAAC,EAAE;QAClB,KAAK,CAAC,EAAE,eAAe,CAAC;QACxB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,mBAAmB,CAAC,EAAE,YAAY,CAAC;QACnC,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,mBAAmB,CAAC,EAAE,OAAO,CAAC;KACjC;IAkBQ,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,WAAW;IAgB1D,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,iBAAiB;IAUzB,OAAO,CAAC,iBAAiB;IAwCzB,OAAO,CAAC,wBAAwB;IAwDhC,OAAO,CAAC,iBAAiB;IAkBzB,OAAO,CAAC,wBAAwB;IAgBhC,OAAO,CAAC,UAAU;IAclB,OAAO,CAAC,mBAAmB;IA0E3B,OAAO,CAAC,mBAAmB;IA6E3B,OAAO,CAAC,oBAAoB;IAW5B,OAAO,CAAC,qBAAqB;IA8B7B,OAAO,CAAC,sBAAsB;IAsD9B,OAAO,CAAC,oBAAoB;IAgC5B,OAAO,CAAC,YAAY;IAyGL,OAAO,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IA6KtE,cAAc,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;YAkY9E,wBAAwB;YAkCxB,iCAAiC;IAyF/C,OAAO,CAAC,mCAAmC;IA6B3C,OAAO,CAAC,yBAAyB;CAgJpC;AAMD,wBAAgB,oBAAoB,CAAC,aAAa,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAU/F;AAKD,wBAAgB,kBAAkB,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAGtF"}