fix(deps): vuln minor upgrades — 15 packages (minor: 6 · patch: 9) #4477

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/npm/0-1781563104
Conversation

@gh-worker-campaigns-3e9aa4

Summary: Critical-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| protobufjs | 7.2.4 | 7.6.4 | minor | Transitive | 3 CRITICAL, 5 HIGH, 5 MEDIUM |
| minimatch | 3.1.2 | 3.1.5 | patch | Transitive | 6 HIGH |
| path-to-regexp | 0.1.7 | 0.1.13 | patch | Transitive | 5 HIGH |
| flatted | 3.2.7 | 3.4.2 | minor | Transitive | 4 HIGH |
| picomatch | 2.3.1 | 2.3.2 | patch | Transitive | 2 HIGH, 2 MEDIUM |
| semver | 7.3.8 | 7.8.4 | minor | Transitive | 2 HIGH |
| body-parser | 1.20.1 | 1.20.5 | patch | Transitive | 2 HIGH |
| cross-spawn | 7.0.3 | 7.0.6 | patch | Transitive | 2 HIGH |
| lodash | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| lodash-es | 4.17.21 | 4.18.1 | minor | Transitive | 1 HIGH, 3 MEDIUM |
| form-data | 4.0.4 | 4.0.6 | patch | Direct | 1 HIGH |
| tmp | 0.2.1 | 0.2.7 | patch | Transitive | 1 HIGH, 2 LOW |
| js-yaml | 3.14.1 | 3.14.2 | patch | Transitive | 3 MEDIUM |
| qs | 6.11.0 | 6.15.2 | minor | Transitive | 2 MEDIUM, 2 LOW |
| brace-expansion | 1.1.11 | 1.1.15 | patch | Transitive | 2 MEDIUM, 2 LOW |

Security Details

🚨 Critical & High Severity (35 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| protobufjs | GHSA-xq3m-2v4x-88gg | CRITICAL | Arbitrary code execution in protobufjs | 7.2.4 | 8.0.1 |
| protobufjs | GHSA-h755-8qp9-cq85 | CRITICAL | protobufjs Prototype Pollution vulnerability | 7.2.4 | 7.2.5 |
| protobufjs | CVE-2023-36665 | CRITICAL | - | 7.2.4 | - |
| body-parser | CVE-2024-45590 | HIGH | body-parser vulnerable to denial of service when url encoding is enabled | 1.20.1 | - |
| body-parser | GHSA-qwcr-r2fm-qrc7 | HIGH | body-parser vulnerable to denial of service when url encoding is enabled | 1.20.1 | 1.20.3 |
| cross-spawn | CVE-2024-21538 | HIGH | - | 7.0.3 | - |
| cross-spawn | GHSA-3xgq-45jj-v275 | HIGH | Regular Expression Denial of Service (ReDoS) in cross-spawn | 7.0.3 | 7.0.5 |
| flatted | GHSA-rf6f-7fwh-wjgh | HIGH | Prototype Pollution via parse() in NodeJS flatted | 3.2.7 | 3.4.2 |
| flatted | GHSA-25h7-pfq9-p65f | HIGH | flatted vulnerable to unbounded recursion DoS in parse() revive phase | 3.2.7 | 3.4.0 |
| flatted | CVE-2026-33228 | HIGH | flatted: Prototype Pollution via parse() | 3.2.7 | - |
| flatted | CVE-2026-32141 | HIGH | flatted: Unbounded recursion DoS in parse() revive phase | 3.2.7 | - |
| form-data | GHSA-hmw2-7cc7-3qxx | HIGH | form-data: CRLF injection in form-data via unescaped multipart field names and filenames | 4.0.4 | 2.5.6 |
| lodash | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| lodash-es | GHSA-r5fr-rjxr-66jc | HIGH | lodash vulnerable to Code Injection via _.template imports key names | 4.17.21 | 4.18.0 |
| minimatch | CVE-2026-27904 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | - |
| minimatch | GHSA-23c5-xmqv-rm74 | HIGH | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions | 3.1.2 | 10.2.3 |
| minimatch | CVE-2026-26996 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | - |
| minimatch | GHSA-3ppc-4f35-3m26 | HIGH | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 3.1.2 | 10.2.1 |
| minimatch | CVE-2026-27903 | HIGH | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | - |
| minimatch | GHSA-7r86-cg39-jmmj | HIGH | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | 3.1.2 | 10.2.3 |
| path-to-regexp | GHSA-rhx6-c78j-4q9w | HIGH | path-to-regexp contains a ReDoS | 0.1.7 | 0.1.12 |
| path-to-regexp | CVE-2024-52798 | HIGH | path-to-regexp Unpatched path-to-regexp ReDoS in 0.1.x | 0.1.7 | - |
| path-to-regexp | GHSA-37ch-88jc-xwx2 | HIGH | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters | 0.1.7 | 0.1.13 |
| path-to-regexp | GHSA-9wv6-86v2-598j | HIGH | path-to-regexp outputs backtracking regular expressions | 0.1.7 | 1.9.0 |
| path-to-regexp | CVE-2024-45296 | HIGH | path-to-regexp outputs backtracking regular expressions | 0.1.7 | - |
| picomatch | GHSA-c2c7-rcm5-vvqj | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | 4.0.4 |
| picomatch | CVE-2026-33671 | HIGH | Picomatch has a ReDoS vulnerability via extglob quantifiers | 2.3.1 | - |
| protobufjs | GHSA-jvwf-75h9-cwgg | HIGH | protobuf.js: Process-wide denial of service through unsafe option paths | 7.2.4 | 7.5.6 |
| protobufjs | GHSA-75px-5xx7-5xc7 | HIGH | protobuf.js: Code generation gadget after prototype pollution | 7.2.4 | 7.5.6 |
| protobufjs | GHSA-wcpc-wj8m-hjx6 | HIGH | protobufjs: Denial of service through unbounded Any expansion during JSON conversion | 7.2.4 | 7.6.1 |
| protobufjs | GHSA-66ff-xgx4-vchm | HIGH | protobuf.js: Code injection through bytes field defaults in generated toObject code | 7.2.4 | 7.5.6 |
| protobufjs | GHSA-685m-2w69-288q | HIGH | protobuf.js: Denial of service through unbounded protobuf recursion | 7.2.4 | 7.5.6 |
| semver | GHSA-c2qf-rxjj-qqgw | HIGH | semver vulnerable to Regular Expression Denial of Service | 7.3.8 | 7.5.2 |
| semver | CVE-2022-25883 | HIGH | - | 7.3.8 | - |
| tmp | GHSA-ph9p-34f9-6g65 | HIGH | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape | 0.2.1 | 0.2.6 |

ℹ️ Other Vulnerabilities (26)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| brace-expansion | GHSA-f886-m6hf-6m8v | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | 5.0.5 |
| brace-expansion | CVE-2026-33750 | MODERATE | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | 1.1.11 | - |
| js-yaml | GHSA-h67p-54hq-rp68 | MODERATE | JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases | 3.14.1 | 4.2.0 |
| js-yaml | GHSA-mh29-5h37-fv8m | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | 4.1.1 |
| js-yaml | CVE-2025-64718 | MODERATE | js-yaml has prototype pollution in merge (<<) | 3.14.1 | - |
| lodash | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| lodash | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| lodash | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| lodash-es | GHSA-f23m-r3pf-42rh | MODERATE | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit | 4.17.21 | 4.18.0 |
| lodash-es | CVE-2025-13465 | MODERATE | - | 4.17.21 | - |
| lodash-es | GHSA-xxjr-mmjv-4gpg | MODERATE | Lodash has Prototype Pollution Vulnerability in _.unset and _.omit functions | 4.17.21 | 4.17.23 |
| picomatch | CVE-2026-33672 | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | - |
| picomatch | GHSA-3v7f-55p6-f55p | MODERATE | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching | 2.3.1 | 4.0.4 |
| protobufjs | GHSA-q6x5-8v7m-xcrf | MODERATE | protobufjs has overlong UTF-8 decoding | 7.2.4 | 7.5.6 |
| protobufjs | GHSA-fx83-v9x8-x52w | MODERATE | protobuf.js: Prototype injection in generated message constructors | 7.2.4 | 7.5.6 |
| protobufjs | GHSA-jggg-4jg4-v7c6 | MODERATE | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | 7.2.4 | 7.5.8 |
| protobufjs | GHSA-2pr8-phx7-x9h3 | MODERATE | protobuf.js: Denial of service from crafted field names in generated code | 7.2.4 | 7.5.6 |
| protobufjs | GHSA-f38q-mgvj-vph7 | MODERATE | protobufjs: Schema-derived names can shadow runtime-significant properties | 7.2.4 | 7.6.3 |
| qs | GHSA-6rw7-vpxm-498p | MODERATE | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion | 6.11.0 | 6.14.1 |
| qs | CVE-2025-15284 | MODERATE | - | 6.11.0 | - |
| brace-expansion | CVE-2025-5889 | LOW | - | 1.1.11 | - |
| brace-expansion | GHSA-v6h2-p8h4-qcjw | LOW | brace-expansion Regular Expression Denial of Service vulnerability | 1.1.11 | 2.0.2 |
| qs | CVE-2026-2391 | LOW | - | 6.11.0 | - |
| qs | GHSA-w7fw-mjwx-w883 | LOW | qs's arrayLimit bypass in comma parsing allows denial of service | 6.11.0 | 6.14.2 |
| tmp | GHSA-52f5-9888-hmc6 | LOW | tmp allows arbitrary temporary file / directory write via symbolic link dir parameter | 0.2.1 | 0.2.4 |
| tmp | CVE-2025-54798 | LOW | tmp does not restrict arbitrary temporary file / directory write via symbolic link dir parameter | 0.2.1 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-prod-us1-5

Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

Ensure labels | changelog   View in Datadog   GitHub Actions

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: abfe83e | Docs | Datadog PR Page | Give us feedback!

dd-prapprover Bot commented Jun 16, 2026

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-06-16T22:57:47Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.
