
Dependency audit: vulnerabilities found (2026-06-08) #560

Description

@github-actions

npm audit results

# npm audit report

@nuxt/nitro-server  >=3.20.0
Severity: moderate
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning - https://github.com/advisories/GHSA-g8wj-3cr3-6w7v
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` - https://github.com/advisories/GHSA-hg3f-28rg-4jxj
Depends on vulnerable versions of nitropack
fix available via `npm audit fix --force`
Will install nuxt@3.21.7, which is outside the stated dependency range
node_modules/@nuxt/nitro-server
  nuxt  3.1.0 - 3.21.5
  Depends on vulnerable versions of @nuxt/nitro-server
  Depends on vulnerable versions of @nuxt/vite-builder
  node_modules/nuxt
    @nuxt/vite-builder  3.20.0 - 3.21.5
    Depends on vulnerable versions of nuxt
    node_modules/@nuxt/vite-builder


serialize-javascript  5.0.0 - 7.0.4
Severity: moderate
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install nuxt@3.21.7, which is outside the stated dependency range
node_modules/serialize-javascript
  @rollup/plugin-terser  0.2.0 - 0.4.4
  Depends on vulnerable versions of serialize-javascript
  node_modules/@rollup/plugin-terser
    nitropack  >=2.0.0-rc.0
    Depends on vulnerable versions of @rollup/plugin-terser
    node_modules/nitropack

unhead  <2.1.13
Severity: moderate
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() - https://github.com/advisories/GHSA-95h2-gj7x-gx9w
fix available via `npm audit fix`
node_modules/unhead
  @unhead/vue  <=0.6.3 || 1.0.22 - 2.1.12
  Depends on vulnerable versions of unhead
  node_modules/@unhead/vue

ws  8.0.0 - 8.20.0
Severity: moderate
ws: Uninitialized memory disclosure - https://github.com/advisories/GHSA-58qx-3vcg-4xpx
No fix available
node_modules/viem/node_modules/ws
  viem  <=0.0.0-wagmiv2-20230628182101 || 0.2.2 - 2.49.3
  Depends on vulnerable versions of ws
  node_modules/viem
    @eulerxyz/euler-v2-sdk  *
    Depends on vulnerable versions of viem
    node_modules/@eulerxyz/euler-v2-sdk

11 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible, run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run npm audit locally for details. Use overrides in package.json to patch transitive dependencies.
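Added example, not part of the bot's report or of this project's code: a small Node script that reads the JSON form of the same report (`npm audit --json`, audit report version 2) and sorts each finding by what npm says about its fix, so a CI job can fail on the findings that need a human (the `--force` fixes and the `ws` chain marked "No fix available") instead of on the raw count. The report object inside is constructed by hand from the findings above; the `isDirect` flags, the helper names `chainToRoot`, `overrideFor`, `triage` and `ciExitCode`, and the `>=2.1.13` spec used to show an override (taken from the `<2.1.13` vulnerable range the audit lists for `unhead`, not from a specific release) are assumptions.

```javascript
// Added example: triage `npm audit --json` output in CI. Not code from the
// audit issue or the project. The report below is constructed by hand from the
// issue's findings; `isDirect` flags are assumptions about this repository.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: a subset of the `vulnerabilities` map npm produces.
// `fixAvailable` is `true` (plain `npm audit fix`), an object (needs --force;
// `isSemVerMajor` marks a breaking upgrade) or `false` (no fix known to npm).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    nuxt: {
      name: 'nuxt', severity: 'moderate', isDirect: true, range: '3.1.0 - 3.21.5',
      via: ['@nuxt/nitro-server', '@nuxt/vite-builder'], effects: ['@nuxt/vite-builder'],
      fixAvailable: { name: 'nuxt', version: '3.21.7', isSemVerMajor: false },
    },
    '@nuxt/nitro-server': {
      name: '@nuxt/nitro-server', severity: 'moderate', isDirect: false, range: '>=3.20.0',
      via: [{ url: 'https://github.com/advisories/GHSA-g8wj-3cr3-6w7v', severity: 'moderate' }],
      effects: ['nuxt'],
      fixAvailable: { name: 'nuxt', version: '3.21.7', isSemVerMajor: false },
    },
    unhead: {
      name: 'unhead', severity: 'moderate', isDirect: false, range: '<2.1.13',
      via: [{ url: 'https://github.com/advisories/GHSA-95h2-gj7x-gx9w', severity: 'moderate' }],
      effects: ['@unhead/vue'], fixAvailable: true,
    },
    '@unhead/vue': {
      name: '@unhead/vue', severity: 'moderate', isDirect: true, range: '1.0.22 - 2.1.12',
      via: ['unhead'], effects: [], fixAvailable: true,
    },
    ws: {
      name: 'ws', severity: 'moderate', isDirect: false, range: '8.0.0 - 8.20.0',
      via: [{ url: 'https://github.com/advisories/GHSA-58qx-3vcg-4xpx', severity: 'moderate' }],
      effects: ['viem'], fixAvailable: false,
    },
    viem: {
      name: 'viem', severity: 'moderate', isDirect: false, range: '0.2.2 - 2.49.3',
      via: ['ws'], effects: ['@eulerxyz/euler-v2-sdk'], fixAvailable: false,
    },
    '@eulerxyz/euler-v2-sdk': {
      name: '@eulerxyz/euler-v2-sdk', severity: 'moderate', isDirect: true, range: '*',
      via: ['viem'], effects: [], fixAvailable: false,
    },
  },
};

// Follow `effects` (reverse dependency edges) from a vulnerable package up to
// the first direct dependency, so the output says where a transitive package
// is pulled in. `seen` guards against the cycles npm reports (nuxt <-> vite-builder).
function chainToRoot(vulns, name) {
  const chain = [name];
  const seen = new Set([name]);
  let cur = vulns[name];
  while (cur && !cur.isDirect) {
    const next = (cur.effects || []).find((e) => !seen.has(e));
    if (!next) break;
    chain.push(next);
    seen.add(next);
    cur = vulns[next];
  }
  return chain;
}

// Build the nested `overrides` object npm reads from package.json for a chain,
// e.g. ['ws', 'viem', 'sdk'] -> { sdk: { viem: { ws: spec } } }. The caller
// supplies `spec` from the advisory; this helper never guesses a version.
function overrideFor(chain, spec) {
  return chain.reduce((inner, pkg) => ({ [pkg]: inner }), spec);
}

// Bucket every finding at or above `minSeverity` by the kind of fix npm offers.
function triage(report, minSeverity = 'moderate') {
  const vulns = report.vulnerabilities;
  const buckets = { auditFix: [], forceFix: [], breakingFix: [], noFix: [] };
  for (const v of Object.values(vulns)) {
    if (SEVERITY_RANK[v.severity] < SEVERITY_RANK[minSeverity]) continue;
    const entry = { name: v.name, range: v.range, chain: chainToRoot(vulns, v.name).join(' > ') };
    if (v.fixAvailable === true) buckets.auditFix.push(entry);
    else if (v.fixAvailable === false) buckets.noFix.push(entry);
    else {
      entry.fix = `${v.fixAvailable.name}@${v.fixAvailable.version}`;
      (v.fixAvailable.isSemVerMajor ? buckets.breakingFix : buckets.forceFix).push(entry);
    }
  }
  return buckets;
}

// CI policy (assumed): pass only when everything at/above the threshold is
// fixable by a plain `npm audit fix`; --force, breaking upgrades and
// no-fix findings need a human decision (override, replacement or acceptance).
function ciExitCode(buckets) {
  return buckets.forceFix.length + buckets.breakingFix.length + buckets.noFix.length === 0 ? 0 : 1;
}

const result = triage(sampleReport);
console.log(JSON.stringify(result, null, 2));
console.log('override skeleton for unhead:',
  JSON.stringify(overrideFor(chainToRoot(sampleReport.vulnerabilities, 'unhead'), '>=2.1.13')));
console.log('CI exit code:', ciExitCode(result));
```

To run it against a real report, replace `sampleReport` with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe `npm audit --json` into it. For `ws` under `viem` the audit reports no fix, so any override spec has to come from the advisory itself; `overrideFor` only produces the nested `overrides` shape that `package.json` needs for that chain (`@eulerxyz/euler-v2-sdk > viem > ws`).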

Labels: dependencies, security
