pnpm-audit-hook 1.0.0

package/dist/static-db/data/packages/@fastify__middie.json

@@ -0,0 +1,27 @@
+{
+  "name": "@fastify/middie",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-cxrg-g7r8-w69p",
+      "title": "Fastify Middie Middleware Path Bypass",
+      "description": "### Summary\nA security vulnerability exists in `@fastify/middie` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints.\n\n### Details\nThe vulnerability is caused",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-cxrg-g7r8-w69p",
+      "publishedAt": "2026-01-20T16:34:50Z",
+      "modifiedAt": "2026-01-20T16:34:50Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-cxrg-g7r8-w69p"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2026-22031"
+        }
+      ],
+      "affectedRange": "<= 9.0.3",
+      "fixedVersion": "9.1.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__multipart.json

@@ -0,0 +1,48 @@
+{
+  "name": "@fastify/multipart",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-27c6-mcxv-x3fh",
+      "title": "Unlimited consumption of resources in @fastify/multipart",
+      "description": "### Impact\n\nThe `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request.\n\n### Patches\n\nFixed in version 8.3.1 and 9.0.3\n\n### Workarounds\n\nDo not use `saveRequestFiles`.\n\n### References\n\nThis was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.\n",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-27c6-mcxv-x3fh",
+      "publishedAt": "2025-01-23T18:02:07Z",
+      "modifiedAt": "2025-01-23T23:17:18Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-27c6-mcxv-x3fh"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2025-24033"
+        }
+      ],
+      "affectedRange": ">= 9.0.0, < 9.0.3",
+      "fixedVersion": "9.0.3"
+    },
+    {
+      "id": "GHSA-hpp2-2cr5-pf6g",
+      "title": "Denial of service due to unlimited number of parts",
+      "description": "### Impact\n\n* The multipart body parser accepts an unlimited number of file parts.\n* The multipart body parser accepts an unlimited number of field parts.\n* The multipart body parser accepts an unlimited number of empty parts as field\nparts.\n\n\n### Patches\n\nThis is fixed in v7.4.1 (for Fastify v4.x) and v6.0.1 (for Fastify v3.x).\n\n### Workarounds\n\nThere are no known workaround.  \n\n### References\n\nReported at https://hackerone.com/reports/1816195.",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-hpp2-2cr5-pf6g",
+      "publishedAt": "2023-02-14T21:49:55Z",
+      "modifiedAt": "2023-02-22T18:35:10Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-hpp2-2cr5-pf6g"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2023-25576"
+        }
+      ],
+      "affectedRange": ">= 7.0.0, < 7.4.1",
+      "fixedVersion": "7.4.1"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__oauth2.json

@@ -0,0 +1,44 @@
+{
+  "name": "@fastify/oauth2",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-hgxv-3497-3hhj",
+      "title": "Duplicate Advisory: @fastify/oauth2 Oauth2 state parameter reuse",
+      "description": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g8x5-p9qc-cf95. This link is maintained to preserve external references.\n\n## Original Description\nAll versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's sess",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-hgxv-3497-3hhj",
+      "publishedAt": "2023-07-04T18:30:58Z",
+      "modifiedAt": "2023-11-10T05:01:56Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-hgxv-3497-3hhj"
+        }
+      ],
+      "affectedRange": "< 7.2.0",
+      "fixedVersion": "7.2.0"
+    },
+    {
+      "id": "GHSA-g8x5-p9qc-cf95",
+      "title": "@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state",
+      "description": "### Impact\n\nAll versions of @fastify/oauth2 used a statically generated `state` parameter at startup time and were used across all requests for all users.\nThe purpose of the Oauth2 `state` parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it.\n\n### Patches\n\nv7.2.0 changes the default behavior to store the `state` in a cookie with the `http-only` and `sam",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-g8x5-p9qc-cf95",
+      "publishedAt": "2023-07-05T21:36:56Z",
+      "modifiedAt": "2023-11-10T05:01:55Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-g8x5-p9qc-cf95"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2023-31999"
+        }
+      ],
+      "affectedRange": "< 7.2.0",
+      "fixedVersion": "7.2.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__passport.json

@@ -0,0 +1,48 @@
+{
+  "name": "@fastify/passport",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-2ccf-ffrj-m4qw",
+      "title": "CSRF token fixation in fastify-passport",
+      "description": "The [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport`, can be bypassed by network and same-site attackers.\n\n## Details\n`fastify/csrf-protection` implements the [synchronizer token pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern) (using plugins `@fastify/session` and `@fastify/secure-session`) by storing ",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-2ccf-ffrj-m4qw",
+      "publishedAt": "2023-04-21T22:32:47Z",
+      "modifiedAt": "2023-11-09T05:00:59Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-2ccf-ffrj-m4qw"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2023-29020"
+        }
+      ],
+      "affectedRange": ">= 2.0.0, < 2.3.0",
+      "fixedVersion": "2.3.0"
+    },
+    {
+      "id": "GHSA-4m3m-ppvx-xgw9",
+      "title": "Session fixation in fastify-passport",
+      "description": "Applications using `@fastify/passport` for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to [session fixation attacks](https://owasp.org/www-community/attacks/Session_fixation) from network and same-site attackers.\n\n## Details\nfastify applications rely on the `@fastify/passport` library for user authentication. The login and user validation are performed by the `authenticate` function. When executing this function, the ",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-4m3m-ppvx-xgw9",
+      "publishedAt": "2023-04-21T22:33:30Z",
+      "modifiedAt": "2023-11-09T05:00:55Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-4m3m-ppvx-xgw9"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2023-29019"
+        }
+      ],
+      "affectedRange": ">= 2.0.0, < 2.3.0",
+      "fixedVersion": "2.3.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__reply-from.json

@@ -0,0 +1,48 @@
+{
+  "name": "@fastify/reply-from",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-2q7r-29rg-6m5h",
+      "title": "fastify-reply-from affected by bypass of reply forwarding",
+      "description": "### Summary\nBy crafting a malicious URL, an attacker could access routes that are not allowed, even though the `reply.from` is defined for specific routes in `@fastify/reply-from`.\n\n### Details\n\nAn attacker can bypass the route defined by the `@fastify/reply-from` package by adding a `..` symbol, which, for `curl` version `8.7.1`, is `%2e%2e`.\n\n### Impact\n\nEveryone is using this package with the routes option to protect a 3rd-party resource.",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-2q7r-29rg-6m5h",
+      "publishedAt": "2025-12-02T00:38:57Z",
+      "modifiedAt": "2025-12-02T00:39:01Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-2q7r-29rg-6m5h"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2025-66415"
+        }
+      ],
+      "affectedRange": "<= 12.4.0",
+      "fixedVersion": "12.5.0"
+    },
+    {
+      "id": "GHSA-v2v2-hph8-q5xp",
+      "title": "@fastify/reply-from JSON Content-Type parsing confusion",
+      "description": "### Impact\n\nThe main repo of fastify use [fast-content-type-parse](https://github.com/fastify/fast-content-type-parse) to parse request Content-Type, which will [trim after split](https://github.com/fastify/fast-content-type-parse/blob/2776d054dd48e9ce40b8d5e5ff9b46fee82b95f1/index.js#L59).\n\nThe [fastify-reply-from](https://github.com/fastify/fastify-reply-from/blob/b79a22d6eb9a0b52cfbe8eb2cb22ad65f5a39e64/index.js#L118C14-L118C14) have not use this repo to unify the parse of Content-Type, which",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-v2v2-hph8-q5xp",
+      "publishedAt": "2024-01-08T15:22:40Z",
+      "modifiedAt": "2024-01-08T16:47:58Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-v2v2-hph8-q5xp"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2023-51701"
+        }
+      ],
+      "affectedRange": "< 9.6.0",
+      "fixedVersion": "9.6.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__secure-session.json

@@ -0,0 +1,27 @@
+{
+  "name": "@fastify/secure-session",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-9wwp-q7wq-jx35",
+      "title": "@fastify/secure-session: Reuse of destroyed secure session cookie",
+      "description": "### Impact\n\nAt the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided with subsequent requests, it will decrypt the ciphertext to get the data. The plugin then creates a new session with the data in the ciphertext. Thus theoretically the web instance is still accessing",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-9wwp-q7wq-jx35",
+      "publishedAt": "2024-04-10T17:15:50Z",
+      "modifiedAt": "2024-05-15T19:40:33Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-9wwp-q7wq-jx35"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2024-31999"
+        }
+      ],
+      "affectedRange": "< 7.3.0",
+      "fixedVersion": "7.3.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__session.json

@@ -0,0 +1,27 @@
+{
+  "name": "@fastify/session",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-pj27-2xvp-4qxg",
+      "title": "@fastify/session reuses destroyed session cookie",
+      "description": "### Impact\n\nWhen restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set.\nThis means a cookie is never correctly detected as expired and thus expired sessions are not destroyed.\n\n### Patches\n\nUpdating to v10.9.0 will solve this.\n\n### Workarounds\n\nNone\n\n### References\n\nPublicly reported at: https://github.com/fastify/session/issues/251",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-pj27-2xvp-4qxg",
+      "publishedAt": "2024-05-21T18:09:57Z",
+      "modifiedAt": "2024-08-24T09:39:00Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-pj27-2xvp-4qxg"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2024-35220"
+        }
+      ],
+      "affectedRange": "< 10.9.0",
+      "fixedVersion": "10.9.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__swagger-ui.json

@@ -0,0 +1,27 @@
+{
+  "name": "@fastify/swagger-ui",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-62jr-84gf-wmg4",
+      "title": "Default swagger-ui configuration exposes all files in the module",
+      "description": "### Impact\n\nThe default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module.\n\n### Patches\n\nUpdate to v2.1.0\n\n### Workarounds\n\nUse  the `baseDir` option\n\n### References\n\n[HackerOne report\n](https://hackerone.com/reports/2312369).",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-62jr-84gf-wmg4",
+      "publishedAt": "2024-01-16T15:24:41Z",
+      "modifiedAt": "2024-02-16T15:30:26Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-62jr-84gf-wmg4"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2024-22207"
+        }
+      ],
+      "affectedRange": ">= 2.0.0, < 2.1.0",
+      "fixedVersion": "2.1.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastify__websocket.json

@@ -0,0 +1,27 @@
+{
+  "name": "@fastify/websocket",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-4pcg-wr6c-h9cq",
+      "title": "fastify/websocket vulnerable to uncaught exception via crash on malformed packet",
+      "description": "### Impact\n\nAny application using @fastify/websocket could crash if a specific, malformed packet is sent. \n\nAll versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched.\n\n### Patches\n\nThis has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3).\n\n### Workarounds\n\nNo known workaround is available. However, it should be possible to attach the error handler manually.\nThe recommended path is upgrading to the patched versions.\n\n## Credits\n\n[marcola",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-4pcg-wr6c-h9cq",
+      "publishedAt": "2022-11-07T21:13:57Z",
+      "modifiedAt": "2023-03-29T15:52:21Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-4pcg-wr6c-h9cq"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2022-39386"
+        }
+      ],
+      "affectedRange": ">= 5.0.0, < 5.0.1",
+      "fixedVersion": "5.0.1"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fastly__js-compute.json

@@ -0,0 +1,48 @@
+{
+  "name": "@fastly/js-compute",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-mp3g-vpm9-9vqv",
+      "title": "@fastly/js-compute has a use-after-free in some host call implementations",
+      "description": "### Impact\nThe implementation of the following functions were determined to include a use-after-free bug:\n\n* `FetchEvent.client.tlsCipherOpensslName`\n* `FetchEvent.client.tlsProtocol`\n* `FetchEvent.client.tlsClientCertificate`\n* `FetchEvent.client.tlsJA3MD5`\n* `FetchEvent.client.tlsClientHello`\n* `CacheEntry.prototype.userMetadata` of the `fastly:cache` subsystem\n* `Device.lookup` of the `fastly:device` subsystem\n\nThis bug could allow for an unintended data leak if the result of the preceding fu",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-mp3g-vpm9-9vqv",
+      "publishedAt": "2024-06-26T19:12:23Z",
+      "modifiedAt": "2024-06-26T21:56:17Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-mp3g-vpm9-9vqv"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2024-38375"
+        }
+      ],
+      "affectedRange": ">= 3.0.0, < 3.16.0",
+      "fixedVersion": "3.16.0"
+    },
+    {
+      "id": "GHSA-cmr8-5w4c-44v8",
+      "title": "Fastly Compute@Edge JS Runtime has fixed random number seed during compilation",
+      "description": "### Impact\n\n`Math.random` and `crypto.getRandomValues` methods failed to use sufficiently random values. The initial value to seed the CSPRNG (cryptographically secure pseudorandom number generator) was baked-in to the final WebAssembly module meaning the sequence of numbers generated was predictable for that specific WebAssembly module. An attacker with access to that same WebAssembly module that calls the affected methods could use the fixed seed to predict random numbers generated by these fu",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-cmr8-5w4c-44v8",
+      "publishedAt": "2022-09-20T20:45:10Z",
+      "modifiedAt": "2023-01-30T05:03:57Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-cmr8-5w4c-44v8"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2022-39218"
+        }
+      ],
+      "affectedRange": ">= 0.4.0, < 0.5.3",
+      "fixedVersion": "0.5.3"
+    }
+  ]
+}

package/dist/static-db/data/packages/@feathersjs__socketio.json

@@ -0,0 +1,27 @@
+{
+  "name": "@feathersjs/socketio",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-hhr9-rh25-hvf9",
+      "title": "Feathers socket handler allows abusing implicit toString",
+      "description": "### Impact\n\nFeathers socket handler did not catch invalid string conversion errors like:\n\n```ts\nconst message = `${{ toString: '' }}`\n```\n\nCausing the NodeJS process to crash when sending an unexpected Socket.io message like\n\n```ts\nsocket.emit('find', { toString: '' })\n```\n\n### Patches\n\nA fix has been released in\n\n- `v5.0.8` via #3241\n- `v4.5.18` via #3242\n\n### Workarounds\n\nSince it is in the core Socket handling code upgrading to the latest version is necessary.\n### References\n\n- [v5.0.8 Change",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-hhr9-rh25-hvf9",
+      "publishedAt": "2023-07-20T14:54:30Z",
+      "modifiedAt": "2023-11-07T05:04:42Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-hhr9-rh25-hvf9"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2023-37899"
+        }
+      ],
+      "affectedRange": ">= 5.0.0, <= 5.0.7",
+      "fixedVersion": "5.0.8"
+    }
+  ]
+}

package/dist/static-db/data/packages/@feathersjs__transport-commons.json

@@ -0,0 +1,27 @@
+{
+  "name": "@feathersjs/transport-commons",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-hhr9-rh25-hvf9",
+      "title": "Feathers socket handler allows abusing implicit toString",
+      "description": "### Impact\n\nFeathers socket handler did not catch invalid string conversion errors like:\n\n```ts\nconst message = `${{ toString: '' }}`\n```\n\nCausing the NodeJS process to crash when sending an unexpected Socket.io message like\n\n```ts\nsocket.emit('find', { toString: '' })\n```\n\n### Patches\n\nA fix has been released in\n\n- `v5.0.8` via #3241\n- `v4.5.18` via #3242\n\n### Workarounds\n\nSince it is in the core Socket handling code upgrading to the latest version is necessary.\n### References\n\n- [v5.0.8 Change",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-hhr9-rh25-hvf9",
+      "publishedAt": "2023-07-20T14:54:30Z",
+      "modifiedAt": "2023-11-07T05:04:42Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-hhr9-rh25-hvf9"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2023-37899"
+        }
+      ],
+      "affectedRange": ">= 5.0.0, <= 5.0.7",
+      "fixedVersion": "5.0.8"
+    }
+  ]
+}

package/dist/static-db/data/packages/@fedify__fedify.json

@@ -0,0 +1,90 @@
+{
+  "name": "@fedify/fedify",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-rchf-xwx2-hm93",
+      "title": "Fedify has ReDoS Vulnerability in HTML Parsing Regex",
+      "description": "Hi Fedify team! 👋\n\nThank you for your work on Fedify—it's a fantastic library for building federated applications. While reviewing the codebase, I discovered a Regular Expression Denial of Service (ReDoS) vulnerability that I'd like to report. I hope this helps improve the project's security.\n\n---\n\n## Summary\n\nA Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at `packages/fedify/src/runtime/docloader.ts:259` contains nested q",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-rchf-xwx2-hm93",
+      "publishedAt": "2025-12-22T21:36:55Z",
+      "modifiedAt": "2025-12-23T16:01:13Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-rchf-xwx2-hm93"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2025-68475"
+        }
+      ],
+      "affectedRange": ">= 1.9.0, < 1.9.2",
+      "fixedVersion": "1.9.2"
+    },
+    {
+      "id": "GHSA-6jcc-xgcr-q3h4",
+      "title": "@fedify/fedify has Improper Authentication and Incorrect Authorization",
+      "description": "### Summary\n An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances\n\n### Details\nThe vulnerability exists in handleInboxInternal function in fedify/federation/handler.ts. The critical flaw is in the order of operations:\n\n  1. Line 1",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-6jcc-xgcr-q3h4",
+      "publishedAt": "2025-08-08T14:29:48Z",
+      "modifiedAt": "2025-08-11T13:56:22Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-6jcc-xgcr-q3h4"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2025-54888"
+        }
+      ],
+      "affectedRange": ">= 1.8.0-dev.909, < 1.8.5",
+      "fixedVersion": "1.8.5"
+    },
+    {
+      "id": "GHSA-c59p-wq67-24wx",
+      "title": "Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify",
+      "description": "### Summary\nThis vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service.\nMoreover, this issue can also be maneuvered into performing a Blind SSRF attack.\n\n### Details\nThe Webfinger endpoint takes a remote domain for checking accounts as a feature, however, as per the ActivityPub spe",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-c59p-wq67-24wx",
+      "publishedAt": "2025-01-21T19:58:29Z",
+      "modifiedAt": "2025-01-21T19:58:30Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-c59p-wq67-24wx"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2025-23221"
+        }
+      ],
+      "affectedRange": "= 1.3.3",
+      "fixedVersion": "1.3.4"
+    },
+    {
+      "id": "GHSA-p9cg-vqcc-grcx",
+      "title": "Server Side Request Forgery (SSRF) attack in Fedify",
+      "description": "### Summary\n \nAt present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id` or other resources present within the activity it has received from the web. This activity could reference an `@id` that points to an internal IP address, allowing an attacker to send request to resources internal to the fedify server's network.\n\nThis applies to not just resolution of documents containing activities or objects, but also to media URL",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-p9cg-vqcc-grcx",
+      "publishedAt": "2024-07-05T20:07:54Z",
+      "modifiedAt": "2024-11-18T16:26:50Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-p9cg-vqcc-grcx"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2024-39687"
+        }
+      ],
+      "affectedRange": ">= 0.11.0, < 0.11.2",
+      "fixedVersion": "0.11.2"
+    }
+  ]
+}

package/dist/static-db/data/packages/@finastra__nestjs-proxy.json

@@ -0,0 +1,48 @@
+{
+  "name": "@finastra/nestjs-proxy",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-j562-c3cw-3p5g",
+      "title": "Potential Authorization Header Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy",
+      "description": "The nestjs-proxy library did not have a way to control when Authorization headers should should be forwarded for specific backend services configured by the application developer. This could have resulted in sensitive information such as OAuth bearer access tokens being inadvertently exposed to such services that should not see them.\n\nA new feature has been introduced in the patched version of nestjs-proxy that allows application developers to opt out of forwarding the Authorization headers on a",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-j562-c3cw-3p5g",
+      "publishedAt": "2022-06-17T21:39:48Z",
+      "modifiedAt": "2023-01-27T05:04:40Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-j562-c3cw-3p5g"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2022-31069"
+        }
+      ],
+      "affectedRange": "< 0.7.0",
+      "fixedVersion": "0.7.0"
+    },
+    {
+      "id": "GHSA-77mv-4rg7-r8qv",
+      "title": "Potential Sensitive Cookie Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy",
+      "description": "The nestjs-proxy library did not have a way to block sensitive cookies (e.g. session cookies) from being forwarded to backend services configured by the application developer. This could have led to sensitive cookies being inadvertently exposed to such services that should not see them.\n\nThe patched version now blocks cookies from being forwarded by default. However developers can configure an allow-list of cookie names by using the `allowedCookies` config setting. Further details of this featur",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-77mv-4rg7-r8qv",
+      "publishedAt": "2022-06-17T21:43:45Z",
+      "modifiedAt": "2023-01-27T05:04:20Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-77mv-4rg7-r8qv"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2022-31070"
+        }
+      ],
+      "affectedRange": "< 0.7.0",
+      "fixedVersion": "0.7.0"
+    }
+  ]
+}

package/dist/static-db/data/packages/@finastra__ssr-pages.json

@@ -0,0 +1,48 @@
+{
+  "name": "@finastra/ssr-pages",
+  "lastUpdated": "2026-01-31T15:05:26.294Z",
+  "vulnerabilities": [
+    {
+      "id": "GHSA-w6cx-qg2q-rvq8",
+      "title": "Path Traversal in @finastra/ssr-pages",
+      "description": "A path traversal issue can occur when providing untrusted input to the `svg` property as an argument to the `build(MessagePageOptions)` function.\n\n### References\n- https://github.com/Finastra/ssr-pages/pull/1\n- https://github.com/Finastra/ssr-pages/pull/1/commits/c3e4c563384ae3ba3892f37dd190218577620780\n",
+      "severity": "high",
+      "url": "https://github.com/advisories/GHSA-w6cx-qg2q-rvq8",
+      "publishedAt": "2022-03-01T22:09:18Z",
+      "modifiedAt": "2023-02-03T05:06:27Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-w6cx-qg2q-rvq8"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2022-24718"
+        }
+      ],
+      "affectedRange": "< 0.1.4",
+      "fixedVersion": "0.1.4"
+    },
+    {
+      "id": "GHSA-7f63-h6g3-7cwm",
+      "title": "Cross Site Scripting (XSS) in @finastra/ssr-pages",
+      "description": "A cross site scripting (XSS) issue can occur when providing untrusted input to the `redirect.link` property as an argument to the `build(MessagePageOptions)` function.\n\n### References\n- https://github.com/Finastra/ssr-pages/pull/2\n- https://github.com/Finastra/ssr-pages/pull/2/commits/133606ffaec2edd9918d9fba5771ed21da7876a5\n- https://github.com/Finastra/ssr-pages/commit/98abc59e28fec48246be0d59ac144675d6361073\n",
+      "severity": "medium",
+      "url": "https://github.com/advisories/GHSA-7f63-h6g3-7cwm",
+      "publishedAt": "2022-03-01T22:09:25Z",
+      "modifiedAt": "2023-02-03T05:06:26Z",
+      "identifiers": [
+        {
+          "type": "GHSA",
+          "value": "GHSA-7f63-h6g3-7cwm"
+        },
+        {
+          "type": "CVE",
+          "value": "CVE-2022-24717"
+        }
+      ],
+      "affectedRange": "< 0.1.5",
+      "fixedVersion": "0.1.5"
+    }
+  ]
+}