dw-kit 1.9.0 → 1.9.2

package/.dw/security/advisory-snapshot.json

@@ -1,157 +0,0 @@
-{
-  "schema_version": "1.0",
-  "fetched_at": "2026-05-12T09:57:47.323Z",
-  "source": "osv.dev",
-  "ecosystem": "npm",
-  "package_count": 13,
-  "advisory_count": 2,
-  "advisories": [
-    {
-      "id": "GHSA-q3j6-qgpj-74h6",
-      "summary": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
-      "details": "### Impact\n\n`fast-uri` v3.1.0 and earlier decodes percent-encoded path separators (`%2F`) and dot segments (`%2E`) before applying dot-segment removal in `normalize()` and `equal()`. This makes encoded path data behave like real `/` and `..`, so distinct URIs collapse onto the same normalized path.\n\nFor example, `http://example.com/public/%2e%2e/admin` normalizes to `http://example.com/admin`, and `equal()` considers them the same URI.\n\nApplications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed. A path that looks confined under an allowed prefix can normalize to a different location.\n\n### Patches\n\nUpgrade to `fast-uri` >= 3.1.1.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
-      "aliases": [
-        "CVE-2026-6321"
-      ],
-      "modified": "2026-05-09T16:44:22.524341929Z",
-      "published": "2026-05-08T17:15:09Z",
-      "related": [
-        "CGA-9j5f-2hwm-8hfc"
-      ],
-      "database_specific": {
-        "cwe_ids": [
-          "CWE-22"
-        ],
-        "github_reviewed": true,
-        "github_reviewed_at": "2026-05-08T17:15:09Z",
-        "severity": "HIGH",
-        "nvd_published_at": "2026-05-04T20:16:20Z"
-      },
-      "references": [
-        {
-          "type": "WEB",
-          "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6"
-        },
-        {
-          "type": "ADVISORY",
-          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
-        },
-        {
-          "type": "WEB",
-          "url": "https://cna.openjsf.org/security-advisories.html"
-        },
-        {
-          "type": "PACKAGE",
-          "url": "https://github.com/fastify/fast-uri"
-        }
-      ],
-      "affected": [
-        {
-          "package": {
-            "name": "fast-uri",
-            "ecosystem": "npm",
-            "purl": "pkg:npm/fast-uri"
-          },
-          "ranges": [
-            {
-              "type": "SEMVER",
-              "events": [
-                {
-                  "introduced": "0"
-                },
-                {
-                  "fixed": "3.1.1"
-                }
-              ]
-            }
-          ],
-          "database_specific": {
-            "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q3j6-qgpj-74h6/GHSA-q3j6-qgpj-74h6.json",
-            "last_known_affected_version_range": "<= 3.1.0"
-          }
-        }
-      ],
-      "schema_version": "1.7.5",
-      "severity": [
-        {
-          "type": "CVSS_V3",
-          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
-        }
-      ]
-    },
-    {
-      "id": "GHSA-v39h-62p7-jpjc",
-      "summary": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
-      "details": "### Impact\n\n`fast-uri` v3.1.1 and earlier decodes percent-encoded authority delimiters (`%40` as `@`, `%3A` as `:`) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.\n\nFor example, `http://trusted.com%40evil.com/` normalizes to `http://trusted.com@evil.com/`, which reparses as host `evil.com` with userinfo `trusted.com`.\n\nApplications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.\n\n### Patches\n\nUpgrade to `fast-uri` >= 3.1.2.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
-      "aliases": [
-        "CVE-2026-6322"
-      ],
-      "modified": "2026-05-10T04:44:28.903255090Z",
-      "published": "2026-05-08T19:13:01Z",
-      "related": [
-        "CGA-5vr9-c8qr-fqvg"
-      ],
-      "database_specific": {
-        "cwe_ids": [
-          "CWE-436"
-        ],
-        "github_reviewed": true,
-        "github_reviewed_at": "2026-05-08T19:13:01Z",
-        "severity": "HIGH",
-        "nvd_published_at": "2026-05-05T11:16:33Z"
-      },
-      "references": [
-        {
-          "type": "WEB",
-          "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"
-        },
-        {
-          "type": "ADVISORY",
-          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
-        },
-        {
-          "type": "WEB",
-          "url": "https://cna.openjsf.org/security-advisories.html"
-        },
-        {
-          "type": "PACKAGE",
-          "url": "https://github.com/fastify/fast-uri"
-        }
-      ],
-      "affected": [
-        {
-          "package": {
-            "name": "fast-uri",
-            "ecosystem": "npm",
-            "purl": "pkg:npm/fast-uri"
-          },
-          "ranges": [
-            {
-              "type": "SEMVER",
-              "events": [
-                {
-                  "introduced": "0"
-                },
-                {
-                  "fixed": "3.1.2"
-                }
-              ]
-            }
-          ],
-          "database_specific": {
-            "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v39h-62p7-jpjc/GHSA-v39h-62p7-jpjc.json",
-            "last_known_affected_version_range": "<= 3.1.1"
-          }
-        }
-      ],
-      "schema_version": "1.7.5",
-      "severity": [
-        {
-          "type": "CVSS_V3",
-          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
-        }
-      ]
-    }
-  ],
-  "snapshot_sha": "sha256:0b6ca61019fb234c"
-}