npm - @openrewrite/recipes-nodejs - Versions diffs - 0.38.0-20260111-170503 → 0.38.0-20260112-111009 - Mend

@openrewrite/recipes-nodejs 0.38.0-20260111-170503 → 0.38.0-20260112-111009

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/resources/advisories-npm.csv +61 -4
package/package.json +1 -1

package/dist/resources/advisories-npm.csv CHANGED Viewed

@@ -2770,7 +2770,7 @@ CVE-2023-37259,2023-07-18T16:58:01Z,"matrix-react-sdk vulnerable to XSS in Expor
 CVE-2023-37263,2023-09-13T16:31:43Z,"Strapi's field level permissions not being respected in relationship title","@strapi/plugin-content-manager",0,4.12.1,,MODERATE,CWE-200;CWE-400
 CVE-2023-37298,2023-06-30T15:30:22Z,"Joplin Cross-site Scripting vulnerability",joplin,0,2.11.5,,MODERATE,CWE-79
 CVE-2023-37299,2023-06-30T15:30:22Z,"Joplin Cross-site Scripting vulnerability",joplin,0,2.11.5,,MODERATE,CWE-79
-CVE-2023-37466,2023-07-13T17:02:02Z,"vm2 Sandbox Escape vulnerability",vm2,0,,3.9.19,CRITICAL,CWE-94
+CVE-2023-37466,2023-07-13T17:02:02Z,"vm2 Sandbox Escape vulnerability",vm2,0,3.10.0,,CRITICAL,CWE-94
 CVE-2023-37478,2023-08-01T17:00:55Z,"pnpm incorrectly parses tar archives relative to specification",@pnpm/cafs,0,7.0.5,,HIGH,CWE-284
 CVE-2023-37478,2023-08-01T17:00:55Z,"pnpm incorrectly parses tar archives relative to specification",@pnpm/exe,0,7.33.4,,HIGH,CWE-284
 CVE-2023-37478,2023-08-01T17:00:55Z,"pnpm incorrectly parses tar archives relative to specification",@pnpm/exe,8.0.0,8.6.8,,HIGH,CWE-284
@@ -2975,6 +2975,7 @@ CVE-2024-12537,2025-03-20T12:32:43Z,"Open WebUI Uncontrolled Resource Consumptio
 CVE-2024-12905,2025-03-27T18:31:28Z,"tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",tar-fs,0,1.16.4,,HIGH,CWE-22
 CVE-2024-12905,2025-03-27T18:31:28Z,"tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",tar-fs,2.0.0,2.1.2,,HIGH,CWE-22
 CVE-2024-12905,2025-03-27T18:31:28Z,"tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File",tar-fs,3.0.0,3.0.7,,HIGH,CWE-22
+CVE-2024-14020,2026-01-07T12:31:19Z,"carbone Code Injection vulnerability",carbone,0,3.5.6,,LOW,CWE-94
 CVE-2024-1631,2024-02-21T02:54:56Z,"agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`",@dfinity/auth-client,0.20.0-beta.0,1.0.1,,CRITICAL,CWE-321;CWE-330
 CVE-2024-1631,2024-02-21T02:54:56Z,"agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`",@dfinity/identity,0.20.0-beta.0,1.0.1,,CRITICAL,CWE-321;CWE-330
 CVE-2024-1648,2024-02-20T03:30:57Z,"Cross-site Scripting in electron-pdf",electron-pdf,0,,20.0.0,HIGH,CWE-79
@@ -3643,6 +3644,7 @@ CVE-2025-13877,2025-12-09T17:42:53Z,"Authentication Bypass via Default JWT Secre
 CVE-2025-13877,2025-12-09T17:42:53Z,"Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",@nocobase/auth,2.0.0-alpha.1,2.0.0-alpha.52,,MODERATE,CWE-1320;CWE-321
 CVE-2025-1398,2025-03-17T15:31:50Z,"Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection",mattermost-desktop,0,5.11.0,,LOW,CWE-426
 CVE-2025-14284,2025-12-09T18:30:35Z,"@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)",@tiptap/extension-link,0,2.10.4,,LOW,CWE-79
+CVE-2025-14505,2026-01-08T21:30:34Z,"Elliptic Uses a Cryptographic Primitive with a Risky Implementation",elliptic,0,,6.6.1,LOW,CWE-1240
 CVE-2025-1467,2025-02-23T18:30:24Z,"tarteaucitron Cross-site Scripting (XSS)",tarteaucitronjs,0,1.17.0,,LOW,CWE-79
 CVE-2025-14874,2025-12-18T09:30:30Z,"Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703
 CVE-2025-1520,2025-04-23T18:30:58Z,"PostHog Plugin Server SQL Injection Vulnerability",@posthog/plugin-server,0,,1.10.7,HIGH,CWE-89
@@ -4150,7 +4152,7 @@ CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of
 CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,2.0.0,2.0.2,,LOW,CWE-400
 CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,3.0.0,3.0.1,,LOW,CWE-400
 CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,4.0.0,4.0.1,,LOW,CWE-400
-CVE-2025-5891,2025-06-09T21:30:51Z,"pm2 Regular Expression Denial of Service vulnerability",pm2,0,,6.0.8,LOW,CWE-1333;CWE-400
+CVE-2025-5891,2025-06-09T21:30:51Z,"pm2 Regular Expression Denial of Service vulnerability",pm2,0,,6.0.14,LOW,CWE-1333;CWE-400
 CVE-2025-5896,2025-06-09T21:30:52Z,"taro-css-to-react-native Regular Expression Denial of Service vulnerability",taro-css-to-react-native,0,4.1.2,,MODERATE,CWE-1333;CWE-400
 CVE-2025-5897,2025-06-09T21:30:52Z,"@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability",@vue/cli-plugin-pwa,0,,5.0.8,MODERATE,CWE-1333;CWE-400
 CVE-2025-59037,2025-09-09T14:39:14Z,"DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware",@duckdb/duckdb-wasm,1.29.2,1.30.0,,HIGH,CWE-506
@@ -4171,6 +4173,8 @@ CVE-2025-59052,2025-09-10T21:56:01Z,"Angular SSR: Global Platform Injector Race
 CVE-2025-59052,2025-09-10T21:56:01Z,"Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage",@angular/ssr,20.0.0-next.0,20.3.0,,HIGH,CWE-362
 CVE-2025-59052,2025-09-10T21:56:01Z,"Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage",@angular/ssr,21.0.0-next.0,21.0.0-next.3,,HIGH,CWE-362
 CVE-2025-59052,2025-09-10T21:56:01Z,"Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage",@nguniversal/common,16.0.0-next.0,,16.2.0,HIGH,CWE-362
+CVE-2025-59057,2026-01-08T20:42:20Z,"React Router has XSS Vulnerability",@remix-run/react,1.15.0,2.17.1,,HIGH,CWE-79
+CVE-2025-59057,2026-01-08T20:42:20Z,"React Router has XSS Vulnerability",react-router,7.0.0,7.9.0,,HIGH,CWE-79
 CVE-2025-59139,2025-09-12T21:12:20Z,"Hono has Body Limit Middleware Bypass",hono,0,4.9.7,,MODERATE,CWE-400;CWE-770
 CVE-2025-59140,2025-09-15T21:21:25Z,"backslash@0.2.1 contains malware after npm account takeover",backslash,0.2.1,0.2.2,,HIGH,CWE-506
 CVE-2025-59141,2025-09-15T21:22:55Z,"simple-swizzle@0.2.3 contains malware after npm account takeover",simple-swizzle,0.2.3,0.2.4,,HIGH,CWE-506
@@ -4224,6 +4228,9 @@ CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS b
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,18.0.0,18.27.2,,HIGH,CWE-476;CWE-754
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,19.0.0-alpha.1,19.0.0-alpha.6,,HIGH,CWE-476;CWE-754
 CVE-2025-61685,2025-09-24T20:05:15Z,"Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure",@mastra/mcp-docs-server,0,0.17.0,,MODERATE,CWE-548
+CVE-2025-61686,2026-01-08T20:45:07Z,"React Router has Path Traversal in File Session Storage",@react-router/node,7.0.0,7.9.4,,CRITICAL,CWE-22
+CVE-2025-61686,2026-01-08T20:45:07Z,"React Router has Path Traversal in File Session Storage",@remix-run/deno,0,2.17.2,,CRITICAL,CWE-22
+CVE-2025-61686,2026-01-08T20:45:07Z,"React Router has Path Traversal in File Session Storage",@remix-run/node,0,2.17.2,,CRITICAL,CWE-22
 CVE-2025-61687,2025-10-08T19:34:21Z,"FlowiseAI/Flosise has File Upload vulnerability",flowise,3.0.7,3.0.8,,HIGH,CWE-434
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",Flowise,0,3.0.8,,CRITICAL,CWE-22
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",flowise,0,3.0.8,,CRITICAL,CWE-22
@@ -4289,6 +4296,8 @@ CVE-2025-64767,2025-11-20T17:36:13Z,"@hpke/core reuses AEAD nonces",@hpke/core,0
 CVE-2025-65019,2025-11-19T20:09:12Z,"Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint",astro,0,5.15.9,,MODERATE,CWE-79
 CVE-2025-65099,2025-11-19T20:33:10Z,"Claude Code vulnerable to command execution prior to startup trust dialog","@anthropic-ai/claude-code",0,1.0.39,,HIGH,CWE-94
 CVE-2025-65108,2025-11-20T17:48:11Z,"md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter",md-to-pdf,0,5.2.5,,CRITICAL,CWE-94
+CVE-2025-65110,2026-01-05T22:56:59Z,"Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope",vega-selections,0,5.6.3,,HIGH,CWE-79
+CVE-2025-65110,2026-01-05T22:56:59Z,"Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope",vega-selections,6.0.0,6.1.2,,HIGH,CWE-79
 CVE-2025-6514,2025-07-09T15:30:44Z,"mcp-remote exposed to OS command injection via untrusted MCP server connections",mcp-remote,0.0.5,0.1.16,,CRITICAL,CWE-78
 CVE-2025-6545,2025-06-23T22:41:50Z,"pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos",pbkdf2,3.0.10,3.1.3,,CRITICAL,CWE-20
 CVE-2025-6547,2025-06-23T22:42:00Z,"pbkdf2 silently disregards Uint8Array input, returning static keys",pbkdf2,0,3.1.3,,CRITICAL,CWE-20
@@ -4346,6 +4355,10 @@ CVE-2025-66456,2025-12-09T17:11:53Z,"Elysia vulnerable to prototype pollution wi
 CVE-2025-66457,2025-12-09T17:12:05Z,"Elysia affected by arbitrary code injection through cookie config",elysia,0,1.4.18,,HIGH,CWE-94
 CVE-2025-66479,2025-12-04T16:55:06Z,"Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing ","@anthropic-ai/sandbox-runtime",0,0.0.16,,LOW,CWE-693
 CVE-2025-66482,2025-12-15T20:59:59Z,"Misskey has a login rate limit bypass via spoofed X-Forwarded-For header",misskey-js,2025.9.1,2025.12.0-alpha.2,,MODERATE,CWE-1188;CWE-307
+CVE-2025-66648,2026-01-05T22:58:07Z,"`vega-functions` vulnerable to Cross-site Scripting via `setdata` function",vega-functions,0,6.1.1,,HIGH,CWE-79
+CVE-2025-67364,2026-01-07T18:30:26Z,"fast-filesystem-mcp has a Path Traversal vulnerability",fast-filesystem-mcp,0,,3.4.0,HIGH,CWE-24
+CVE-2025-67419,2026-01-05T21:30:33Z,"evershop allows unauthenticated attackers to exhaust application server's resources via ""GET /images"" API",@evershop/evershop,0,,2.1.0,HIGH,CWE-1050
+CVE-2025-67427,2026-01-05T21:30:33Z,"evershop allows unauthenticated attackers to force server to initiate HTTP request via ""GET /images"" API",@evershop/evershop,0,,2.1.0,MODERATE,CWE-918
 CVE-2025-67489,2025-12-08T22:16:31Z,"@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server",@vitejs/plugin-rsc,0,0.5.6,,CRITICAL,CWE-94
 CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.11.0,4.11.2,,MODERATE,CWE-863
 CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.12.0,4.12.1,,MODERATE,CWE-863
@@ -4370,7 +4383,7 @@ CVE-2025-68115,2025-12-16T19:36:37Z,"Parse Server has a Cross-Site Scripting (XS
 CVE-2025-68130,2025-12-16T19:37:57Z,"tRPC has possible prototype pollution in `experimental_nextAppDirCaller`",@trpc/server,10.27.0,10.45.3,,HIGH,CWE-1321
 CVE-2025-68130,2025-12-16T19:37:57Z,"tRPC has possible prototype pollution in `experimental_nextAppDirCaller`",@trpc/server,11.0.0,11.8.0,,HIGH,CWE-1321
 CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,0,8.6.2,,HIGH,CWE-918
-CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,9.0.0,9.1.1.alpha.1,,HIGH,CWE-918
+CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,9.0.0,9.1.1-alpha.1,,HIGH,CWE-918
 CVE-2025-68154,2025-12-16T22:37:23Z,"systeminformation has a Command Injection vulnerability in fsSize() function on Windows",systeminformation,0,5.27.14,,HIGH,CWE-78
 CVE-2025-68155,2025-12-16T22:32:26Z,"@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint",@vitejs/plugin-rsc,0,0.5.8,,HIGH,CWE-22;CWE-73
 CVE-2025-68272,2026-01-02T15:20:05Z,"Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding",signalk-server,0,2.19.0,,HIGH,CWE-400;CWE-770
@@ -4378,11 +4391,14 @@ CVE-2025-68273,2026-01-02T15:22:11Z,"Signal K Server Vulnerable to Unauthenticat
 CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/cli,0,2.0.4,,HIGH,CWE-94
 CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/graphql,0,2.0.3,,HIGH,CWE-94
 CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",tinacms,0,3.1.1,,HIGH,CWE-94
+CVE-2025-68428,2026-01-05T17:35:29Z,"jsPDF has Local File Inclusion/Path Traversal vulnerability",jspdf,0,4.0.0,,CRITICAL,CWE-35;CWE-73
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,10.0.0,10.1.10,,HIGH,CWE-200;CWE-538;CWE-541
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,7.0.0,7.6.21,,HIGH,CWE-200;CWE-538;CWE-541
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,8.0.0,8.6.15,,HIGH,CWE-200;CWE-538;CWE-541
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,9.0.0,9.1.17,,HIGH,CWE-200;CWE-538;CWE-541
 CVE-2025-68457,2025-12-19T19:17:26Z,"Orejime has executable code in HTML attributes",orejime,0,2.3.2,,LOW,CWE-79
+CVE-2025-68470,2026-01-08T20:48:21Z,"React Router has unexpected external redirect via untrusted paths",react-router,6.0.0,6.30.2,,MODERATE,CWE-601
+CVE-2025-68470,2026-01-08T20:48:21Z,"React Router has unexpected external redirect via untrusted paths",react-router,7.0.0,7.9.6,,MODERATE,CWE-601
 CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,0,1.6.13,,HIGH,CWE-1333
 CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,1.7.0,1.7.14,,HIGH,CWE-1333
 CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,1.8.0,1.8.15,,HIGH,CWE-1333
@@ -4397,11 +4413,14 @@ CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerabi
 CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",langchain,1.0.0,1.2.3,,HIGH,CWE-502
 CVE-2025-68668,2025-12-26T18:18:05Z,"n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node ",n8n,1.0.0,2.0.0,,CRITICAL,CWE-693
 CVE-2025-68697,2025-12-26T18:26:38Z,"Self-hosted n8n has Legacy Code node that enables arbitrary file read/write",n8n,1.2.1,2.0.0,,HIGH,CWE-269;CWE-749
-CVE-2025-69202,2025-12-30T15:37:55Z,"axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header",axios-cache-interceptor,0,1.11.1,,MODERATE,CWE-524
+CVE-2025-69202,2025-12-30T15:37:55Z,"axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header",axios-cache-interceptor,0,1.11.1,,MODERATE,CWE-524;CWE-639
 CVE-2025-69203,2026-01-02T15:26:11Z,"Signal K Server Vulnerable to Access Request Spoofing",signalk-server,0,2.19.0,,MODERATE,CWE-290
 CVE-2025-69206,2025-12-29T21:31:04Z,"hemmelig allows SSRF Filter bypass via Secret Request functionality",hemmelig,0,7.3.3,,MODERATE,CWE-918
 CVE-2025-69211,2025-12-30T15:32:44Z,"Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)",@nestjs/platform-fastify,0,11.1.11,,MODERATE,CWE-367
 CVE-2025-69256,2025-12-31T22:05:32Z,"serverless MCP Server vulnerable to Command Injection in list-projects tool",serverless,4.29.0,4.29.3,,HIGH,CWE-77
+CVE-2025-69262,2026-01-07T18:51:07Z,"pnpm vulnerable to Command Injection via environment variable substitution",pnpm,6.25.0,10.27.0,,HIGH,CWE-78;CWE-94
+CVE-2025-69263,2026-01-07T19:06:59Z,"pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies",pnpm,0,10.26.0,,HIGH,CWE-494
+CVE-2025-69264,2026-01-07T19:07:43Z,"pnpm v10+ Bypass ""Dependency lifecycle scripts execution disabled by default""",pnpm,10.0.0,10.26.0,,HIGH,CWE-693
 CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248
 CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241
 CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330
@@ -4421,12 +4440,46 @@ CVE-2025-9096,2025-08-18T00:30:30Z,"ExpressGateway Cross-Site Scripting Vulnerab
 CVE-2025-9262,2025-08-21T00:30:20Z,"wong2 mcp-cli Command Injection Vulnerability",@wong2/mcp-cli,0,,1.13.0,LOW,CWE-77;CWE-78
 CVE-2025-9287,2025-08-21T14:47:35Z,"cipher-base is missing type checks, leading to hash rewind and passing on crafted data",cipher-base,0,1.0.5,,CRITICAL,CWE-20
 CVE-2025-9288,2025-08-21T14:47:55Z,"sha.js is missing type checks leading to hash rewind and passing on crafted data",sha.js,0,2.4.12,,CRITICAL,CWE-20
+CVE-2025-9611,2026-01-07T12:31:25Z,"Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools",@playwright/mcp,0,0.0.40,,HIGH,CWE-749
 CVE-2025-9654,2025-08-29T15:30:38Z,"AiondaDotCom mcp-ssh command injection vulnerability in SSH operations",@aiondadotcom/mcp-ssh,0,1.1.0,,MODERATE,CWE-74
 CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark",ghost,5.99.0,5.130.4,,MODERATE,CWE-918
 CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark",ghost,6.0.0,6.0.9,,MODERATE,CWE-918
 CVE-2025-9910,2025-09-11T06:30:23Z,"jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin",jsondiffpatch,0,0.7.2,,MODERATE,CWE-79
+CVE-2026-0621,2026-01-05T21:30:33Z,"Anthropic's MCP TypeScript SDK has a ReDoS vulnerability","@modelcontextprotocol/sdk",0,1.25.2,,HIGH,CWE-1333
 CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,0,10.1.2,,CRITICAL,CWE-22
 CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.6,,CRITICAL,CWE-22
+CVE-2026-21858,2026-01-07T19:20:19Z,"n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling",n8n,1.65.0,1.121.0,,CRITICAL,CWE-20
+CVE-2026-21877,2026-01-06T17:48:24Z,"n8n Vulnerable to RCE via Arbitrary File Write",n8n,0.123.0,1.121.3,,CRITICAL,CWE-434
+CVE-2026-21884,2026-01-08T20:50:05Z,"React Router SSR XSS in ScrollRestoration",@remix-run/react,0,2.17.3,,HIGH,CWE-79
+CVE-2026-21884,2026-01-08T20:50:05Z,"React Router SSR XSS in ScrollRestoration",react-router,7.0.0,7.12.0,,HIGH,CWE-79
+CVE-2026-21894,2026-01-07T19:22:54Z,"n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks",n8n,0.150.0,2.2.2,,MODERATE,CWE-290
+CVE-2026-22028,2026-01-07T19:28:15Z,"Preact has JSON VNode Injection issue",preact,10.26.5,10.26.10,,HIGH,CWE-843
+CVE-2026-22028,2026-01-07T19:28:15Z,"Preact has JSON VNode Injection issue",preact,10.27.0,10.27.3,,HIGH,CWE-843
+CVE-2026-22028,2026-01-07T19:28:15Z,"Preact has JSON VNode Injection issue",preact,10.28.0,10.28.2,,HIGH,CWE-843
+CVE-2026-22029,2026-01-08T20:54:18Z,"React Router vulnerable to XSS via Open Redirects",@remix-run/router,0,1.23.2,,HIGH,CWE-79
+CVE-2026-22029,2026-01-08T20:54:18Z,"React Router vulnerable to XSS via Open Redirects",react-router,7.0.0,7.12.0,,HIGH,CWE-79
+CVE-2026-22030,2026-01-08T20:57:09Z,"React Router has CSRF issue in Action/Server Action Request Processing","@remix-run/server-runtime",0,2.17.3,,MODERATE,CWE-346;CWE-352
+CVE-2026-22030,2026-01-08T20:57:09Z,"React Router has CSRF issue in Action/Server Action Request Processing",react-router,7.0.0,7.12.0,,MODERATE,CWE-346;CWE-352
+CVE-2026-22032,2026-01-06T19:22:38Z,"Directus has open redirect in SAML",@directus/api,0,32.1.1,,MODERATE,CWE-601
+CVE-2026-22032,2026-01-06T19:22:38Z,"Directus has open redirect in SAML",directus,0,11.14.0,,MODERATE,CWE-601
+CVE-2026-22594,2026-01-08T21:29:47Z,"Ghost has Staff 2FA bypass",ghost,5.105.0,5.130.6,,HIGH,CWE-287
+CVE-2026-22594,2026-01-08T21:29:47Z,"Ghost has Staff 2FA bypass",ghost,6.0.0,6.11.0,,HIGH,CWE-287
+CVE-2026-22595,2026-01-08T21:32:53Z,"Ghost has Staff Token permission bypass",ghost,5.105.0,5.130.6,,HIGH,CWE-863
+CVE-2026-22595,2026-01-08T21:32:53Z,"Ghost has Staff Token permission bypass",ghost,6.0.0,6.11.0,,HIGH,CWE-863
+CVE-2026-22596,2026-01-08T21:36:37Z,"Ghost has SQL Injection in Members Activity Feed",ghost,5.105.0,5.130.6,,MODERATE,CWE-89
+CVE-2026-22596,2026-01-08T21:36:37Z,"Ghost has SQL Injection in Members Activity Feed",ghost,6.0.0,6.11.0,,MODERATE,CWE-89
+CVE-2026-22597,2026-01-08T21:36:03Z,"Ghost has SSRF via External Media Inliner",ghost,5.105.0,5.130.6,,MODERATE,CWE-918
+CVE-2026-22597,2026-01-08T21:36:03Z,"Ghost has SSRF via External Media Inliner",ghost,6.0.0,6.11.0,,MODERATE,CWE-918
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/compiler,0,,18.2.14,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/compiler,19.0.0-next.0,19.2.18,,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/compiler,20.0.0-next.0,20.3.16,,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/compiler,21.0.0-next.0,21.0.7,,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/compiler,21.1.0-next.0,21.1.0-rc.0,,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/core,0,,18.2.14,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/core,19.0.0-next.0,19.2.18,,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/core,20.0.0-next.0,20.3.16,,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/core,21.0.0-next.0,21.0.7,,HIGH,CWE-79
+CVE-2026-22610,2026-01-09T18:52:14Z,"Angular has XSS Vulnerability via Unsanitized SVG Script Attributes",@angular/core,21.1.0-next.0,21.1.0-rc.0,,HIGH,CWE-79
 GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22
 GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400
 GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506
@@ -4635,6 +4688,7 @@ GHSA-629c-j867-3v45,2020-09-04T16:41:04Z,"Malicious Package in bitcoisnj-lib",bi
 GHSA-6343-m2qr-66gf,2020-09-03T23:10:41Z,"Malicious Package in js-sja3",js-sja3,0.0.0,,,CRITICAL,CWE-506
 GHSA-6394-6h9h-cfjg,2019-06-07T21:12:35Z,"Regular Expression Denial of Service",nwmatcher,0,1.4.4,,MODERATE,CWE-400
 GHSA-644f-hrff-mf96,2025-12-02T18:30:35Z,"Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",@nocobase/auth,0,1.9.23,,LOW,
+GHSA-6475-r3vj-m8vf,2026-01-08T21:52:45Z,"AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value",@smithy/config-resolver,0,4.4.0,,LOW,CWE-20
 GHSA-6495-8jvh-f28x,2020-10-02T15:39:54Z,"File restriction bypass in socket.io-file",socket.io-file,0,,2.0.31,HIGH,CWE-20
 GHSA-64g7-mvw6-v9qj,2022-01-14T21:09:50Z,"Improper Privilege Management in shelljs",shelljs,0,0.8.5,,MODERATE,CWE-269
 GHSA-657v-jjf8-83gh,2020-09-03T23:14:55Z,"Malicious Package in jsmsha3",jsmsha3,0.0.0,,,CRITICAL,CWE-506
@@ -4818,6 +4872,7 @@ GHSA-9272-59x2-gwf2,2020-09-03T17:04:13Z,"Malicious Package in ripedm160",ripedm
 GHSA-9298-m7jf-55h2,2020-09-04T16:42:08Z,"Malicious Package in bitconid-rpc",bitconid-rpc,0.0.0,,,CRITICAL,CWE-506
 GHSA-929m-phjg-qwcc,2025-04-01T21:31:30Z,"Duplicate Advisory: MathLive's Lack of Escaping of HTML allows for XSS",mathlive,0,0.104.0,,MODERATE,CWE-79
 GHSA-95cg-3r4g-7w6j,2020-09-03T23:01:29Z,"Malicious Package in js-rha3",js-rha3,0.0.0,,,CRITICAL,CWE-506
+GHSA-96qw-h329-v5rg,2026-01-08T21:13:37Z,"Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles",shakapacker,0,9.5.0,,HIGH,CWE-200
 GHSA-97mg-3cr6-3x4c,2020-09-04T17:27:23Z,"Remote Code Execution in mongodb-query-parser",mongodb-query-parser,0,2.0.0,,CRITICAL,
 GHSA-97mp-9g5c-6c93,2020-09-04T16:50:48Z,"Malicious Package in bs58chcek",bs58chcek,0.0.0,,,CRITICAL,CWE-506
 GHSA-984p-xq9m-4rjw,2019-06-07T21:01:53Z,"Rate Limiting Bypass in express-brute",express-brute,0,,1.0.1,MODERATE,CWE-77
@@ -5045,6 +5100,7 @@ GHSA-hpfq-8wx8-cgqw,2019-06-13T18:59:18Z,"Cross-Site Scripting in ids-enterprise
 GHSA-hpr5-wp7c-hh5q,2020-09-01T19:37:29Z,"Cross-Site Scripting in mrk.js",mrk.js,0,2.0.1,,HIGH,CWE-79
 GHSA-hq75-xg7r-rx6c,2025-07-11T17:09:53Z,"Better Call routing bug can lead to Cache Deception",better-call,0,1.0.12,,MODERATE,CWE-525
 GHSA-hq8g-qq57-5275,2020-09-11T21:24:33Z,"SQL Injection in untitled-model",untitled-model,0,,,HIGH,CWE-89
+GHSA-hqf9-8xv5-x8xw,2026-01-05T19:57:46Z,"ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.","@openzeppelin/confidential-contracts",0,0.3.1,,MODERATE,CWE-190
 GHSA-hrpp-f84w-xhfg,2020-09-04T16:55:06Z,"Outdated Static Dependency in vue-moment",vue-moment,0,4.1.0,,MODERATE,CWE-1104
 GHSA-hv4w-jhcj-6wfw,2020-09-03T20:34:23Z,"Cross-Site Scripting in snekserve",snekserve,0.0.0,,,HIGH,CWE-79
 GHSA-hvgc-mggg-pxr2,2020-09-03T23:02:33Z,"Malicious Package in js-sha7",js-sha7,0.0.0,,,CRITICAL,CWE-506
@@ -5077,6 +5133,7 @@ GHSA-j8hw-49gg-vq3w,2020-09-03T17:45:41Z,"Malicious Package in retcodelog",retco
 GHSA-j8qr-rvcv-crhv,2020-09-11T21:18:05Z,"Malicious Package in electron-native-notify",electron-native-notify,0,,,CRITICAL,
 GHSA-j8r2-2x94-2q67,2020-09-11T21:19:09Z,"Cross-Site Scripting in diagram-js-direct-editing","diagram-js-direct-editing",0,1.4.3,,MODERATE,CWE-79
 GHSA-j95h-wmx9-4279,2021-02-25T17:15:39Z,"Denial of Service",sails,0,0.12.0,,HIGH,
+GHSA-j965-2qgj-vjmq,2026-01-08T22:04:26Z,"JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3",aws-sdk,2.0.0,,3.0.0,LOW,CWE-20
 GHSA-j9f8-8h89-j69x,2019-06-11T16:16:34Z,"Remote Code Execution in node-os-utils",node-os-utils,0,1.1.0,,HIGH,CWE-94
 GHSA-jcgq-xh2f-2hfm,2021-02-25T01:20:42Z,"Regular Expression Denial of Service",eslint,0,4.18.2,,MODERATE,
 GHSA-jcgr-9698-82jx,2021-05-28T15:53:40Z,"Improper Neutralization of Special Elements used in a Command ('Command Injection') in @floffah/build",@floffah/build,0,1.0.0,,LOW,CWE-77

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openrewrite/recipes-nodejs",
-  "version": "0.38.0-20260111-170503",
+  "version": "0.38.0-20260112-111009",
   "license": "Moderne Source Available License",
   "description": "OpenRewrite recipes for Node.js library migrations.",
   "homepage": "https://github.com/moderneinc/rewrite-node",