mendix · weirdwater · Apr 21, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 24, 2026
@@ -0,0 +1,304 @@
+# Transitive Dependencies with Vulnerabilities
+
+**Analysis Date**: 2026-04-24  
+**Total Vulnerabilities**: 41 (High: 25, Moderate: 11, Low: 5)
+
+This document lists all transitive dependencies with known vulnerabilities in the pluggable-widgets-tools package and the version ranges needed to fix them.
+
+---
+
+## HIGH SEVERITY (25 vulnerabilities)
+
+### tar
+**Multiple Path Traversal & File Overwrite Vulnerabilities**
+
+- Vulnerable: `<=7.5.2` → **Upgrade to: `>=7.5.3`**
+- Vulnerable: `<=7.5.3` → **Upgrade to: `>=7.5.4`**
+- Vulnerable: `<7.5.7` → **Upgrade to: `>=7.5.7`**
+- Vulnerable: `<7.5.8` → **Upgrade to: `>=7.5.8`**
+- Vulnerable: `<=7.5.9` → **Upgrade to: `>=7.5.10`**
+- Vulnerable: `<=7.5.10` → **Upgrade to: `>=7.5.11`**
+
+**Effective Fix**: **Upgrade to `tar@7.5.11` or later**
+
+**Via**: `yeoman-environment → @npmcli/arborist → node-gyp → tar`
+
+---
+
+### minimatch
+**Multiple ReDoS Vulnerabilities**
+
+- Vulnerable: `<3.1.3` → **Upgrade to: `>=3.1.3`**
+- Vulnerable: `<3.1.4` → **Upgrade to: `>=3.1.4`**
+- Vulnerable: `>=7.0.0 <7.4.7` → **Upgrade to: `>=7.4.7`**
+- Vulnerable: `>=7.0.0 <7.4.8` → **Upgrade to: `>=7.4.8`**
+
+**Effective Fix**: 
+- For v3.x: **Upgrade to `minimatch@3.1.4` or later**
+- For v7.x: **Upgrade to `minimatch@7.4.8` or later**
+
+**Via**: 
+- `postcss-url → minimatch@3.0.4` (⚠️ ACCEPTED RISK - build-time only)
+- `yeoman-environment → minimatch@<3.1.4`
+- `yeoman-environment → mem-fs-editor → minimatch@7.x`
+
+---
+
+### node-forge
+**Multiple Cryptographic Vulnerabilities**
+
+- Vulnerable: `<1.3.2` → **Upgrade to: `>=1.3.2`**
+- Vulnerable: `<=1.3.3` → **Upgrade to: `>=1.4.0`**
+- Vulnerable: `<1.4.0` → **Upgrade to: `>=1.4.0`**
+
+**Effective Fix**: **Upgrade to `node-forge@1.4.0` or later**
+
+**Via**: `yeoman-environment → ... → node-forge`
+
+---
+
+### lodash
+**Prototype Pollution & Code Injection**
+
+- Vulnerable: `>=4.0.0 <=4.17.22` → **Upgrade to: `>=4.17.23`**
+- Vulnerable: `<=4.17.23` → **Upgrade to: `>=4.18.0`**
+- Vulnerable: `>=4.0.0 <=4.17.23` → **Upgrade to: `>=4.18.0`**
+
+**Effective Fix**: **Upgrade to `lodash@4.18.0` or later**
+
+**Via**: 
+- `yeoman-environment → lodash@4.17.21`
+- `yeoman-generator → lodash@4.17.21`
+
+---
+
+### svgo
+**DoS through entity expansion (Billion Laughs)**
+
+- Vulnerable: `>=2.1.0 <2.8.1` → **Upgrade to: `>=2.8.1`**
+
+**Effective Fix**: **Upgrade to `svgo@2.8.1` or later**
+
+**Via**: `rollup-plugin-postcss → cssnano → postcss-svgo → svgo@2.8.0` (⚠️ ACCEPTED RISK - build-time only)
+
+---
+
+### picomatch
+**ReDoS & Method Injection**
+
+- Vulnerable: `>=4.0.0 <4.0.4` → **Upgrade to: `>=4.0.4`**
+
+**Effective Fix**: **Upgrade to `picomatch@4.0.4` or later**
+
+**Via**: Various transitive paths
+
+---
+
+### glob
+**Command Injection**
+
+- Vulnerable: `>=10.2.0 <10.5.0` → **Upgrade to: `>=10.5.0`**
+
+**Effective Fix**: **Upgrade to `glob@10.5.0` or later**
+
+**Via**: Various transitive paths
+
+---
+
+## MODERATE SEVERITY (11 vulnerabilities)
+
+### lodash (see also HIGH severity above)
+**Additional Prototype Pollution**
+
+- Vulnerable: `<=4.17.23` → **Upgrade to: `>=4.18.0`**
+
+**Effective Fix**: **Upgrade to `lodash@4.18.0` or later**
+
+---
+
+### yaml
+**Stack Overflow via deeply nested YAML**
+
+- Vulnerable: `>=1.0.0 <1.10.3` → **Upgrade to: `>=1.10.3`**
+
+**Effective Fix**: **Upgrade to `yaml@1.10.3` or later**
+
+**Via**: `rollup-plugin-postcss → cssnano → yaml@1.10.2` (⚠️ ACCEPTED RISK - build-time only)
+
+---
+
+### uuid
+**Missing buffer bounds check**
+
+- Vulnerable: `<14.0.0` → **Upgrade to: `>=14.0.0`**
+
+**Effective Fix**: **Upgrade to `uuid@14.0.0` or later**  
+**Note**: Advisory appears incorrect - uuid's latest version is 9.0.1, not 14.x
+
+**Via**: `jest-junit → uuid@8.3.2` (⚠️ ACCEPTED RISK - test-time only, advisory may be incorrect)
+
+---
+
+### fast-xml-parser
+**XML Comment and CDATA Injection**
+
+- Vulnerable: `<5.7.0` → **Upgrade to: `>=5.7.0`**
+
+**Effective Fix**: **Upgrade to `fast-xml-parser@5.7.0` or later**
+
+**Via**: Various transitive paths
+
+---
+
+### brace-expansion
+**Zero-step sequence causes process hang**
+
+- Vulnerable: `<1.1.13` → **Upgrade to: `>=1.1.13`**
+
+**Effective Fix**: **Upgrade to `brace-expansion@1.1.13` or later**
+
+**Via**: Various transitive paths
+
+---
+
+### @octokit/request
+**ReDoS vulnerability**
+
+- Vulnerable: `>=1.0.0 <8.4.1` → **Upgrade to: `>=8.4.1`**
+
+**Effective Fix**: **Upgrade to `@octokit/request@8.4.1` or later**
+
+**Via**: `yeoman-environment` transitive dependencies
+
+---
+
+### @octokit/plugin-paginate-rest
+**ReDoS vulnerability**
+
+- Vulnerable: `>=1.0.0 <9.2.2` → **Upgrade to: `>=9.2.2`**
+
+**Effective Fix**: **Upgrade to `@octokit/plugin-paginate-rest@9.2.2` or later**
+
+**Via**: `yeoman-environment` transitive dependencies
+
+---
+
+### @octokit/request-error
+**ReDoS vulnerability**
+
+- Vulnerable: `>=1.0.0 <5.1.1` → **Upgrade to: `>=5.1.1`**
+
+**Effective Fix**: **Upgrade to `@octokit/request-error@5.1.1` or later**
+
+**Via**: `yeoman-environment` transitive dependencies
+
+---
+
+### picomatch (see also HIGH severity above)
+**Method Injection**
+
+- Vulnerable: `>=4.0.0 <4.0.4` → **Upgrade to: `>=4.0.4`**
+
+**Effective Fix**: **Upgrade to `picomatch@4.0.4` or later**
+
+---
+
+## LOW SEVERITY (5 vulnerabilities)
+
+### diff
+**DoS vulnerability**
+
+- Vulnerable: `>=4.0.0 <4.0.4` → **Upgrade to: `>=4.0.4`**
+- Vulnerable: `>=5.0.0 <5.2.2` → **Upgrade to: `>=5.2.2`**
+
+**Effective Fix**: 
+- For v4.x: **Upgrade to `diff@4.0.4` or later**
+- For v5.x: **Upgrade to `diff@5.2.2` or later**
+
+**Via**: `ts-node → diff@4.0.2` (⚠️ ACCEPTED RISK - test-time only)
+
+---
+
+### @tootallnate/once
+**Incorrect Control Flow Scoping**
+
+- Vulnerable: `<3.0.1` → **Upgrade to: `>=3.0.1`**
+
+**Effective Fix**: **Upgrade to `@tootallnate/once@3.0.1` or later**
+
+**Via**: `yeoman-environment → ... → http-proxy-agent → @tootallnate/once`  
+**Status**: ✅ PARTIALLY FIXED - jest-environment-jsdom update eliminated some instances
+
+---
+
+### tmp
+**Arbitrary file/directory write via symbolic link**
+
+- Vulnerable: `<=0.2.3` → **Upgrade to: `>=0.2.4`**
+
+**Effective Fix**: **Upgrade to `tmp@0.2.4` or later**
+
+**Via**: `yeoman-environment` transitive dependencies
+
+---
+
+## Summary by Direct Dependency
+
+### yeoman-environment (21 vulnerabilities)
+**Action Required**: Update to latest version or consider alternative
+- tar (6 issues) → needs >=7.5.11
+- minimatch (3 issues) → needs >=3.1.4 or >=7.4.8
+- node-forge (multiple issues) → needs >=1.4.0
+- lodash (3 issues) → needs >=4.18.0
+- @tootallnate/once → needs >=3.0.1
+- @octokit/* packages → needs updates
+- tmp → needs >=0.2.4
+
+### react-native (8 vulnerabilities)
+**Action**: Monitor for updates
+- Similar issues with tar, minimatch via CLI tools
+
+### yeoman-generator (4 vulnerabilities)
+**Action Required**: Update to latest version
+- lodash (3 issues) → needs >=4.18.0
+- minimatch → needs >=3.1.4
+
+### rollup-plugin-postcss (2 vulnerabilities) ⚠️ ACCEPTED RISK
+**Build-time only** - already at latest (4.0.2)
+- svgo@2.8.0 → needs >=2.8.1
+- yaml@1.10.2 → needs >=1.10.3
+
+### postcss-url (3 vulnerabilities) ⚠️ ACCEPTED RISK
+**Build-time only** - already at latest (10.1.3)
+- minimatch@3.0.4 → needs >=3.1.4
+
+### ts-node (1 vulnerability) ⚠️ ACCEPTED RISK
+**Test-time only** - already at latest (10.9.2)
+- diff@4.0.2 → needs >=4.0.4
+
+### jest-junit (1 vulnerability) ⚠️ ACCEPTED RISK
+**Test-time only** - already at latest (16.0.0)
+- uuid@8.3.2 → advisory claims needs >=14.0.0 (likely incorrect)
+
+---
+
+## Resolution Priority
+
+### 🔴 HIGH PRIORITY
+1. **yeoman-environment** - 21 vulnerabilities (14 high severity)
+2. **react-native** - 8 vulnerabilities (6 high severity)  
+3. **yeoman-generator** - 4 vulnerabilities (1 high, 3 moderate)
+
+### 🟡 ACCEPTED RISKS (build/test-time only)
+4. **rollup-plugin-postcss** - 2 vulnerabilities (build-time)
+5. **postcss-url** - 3 vulnerabilities (build-time)
+6. **ts-node** - 1 vulnerability (test-time)
+7. **jest-junit** - 1 vulnerability (test-time, advisory may be incorrect)
+
+---
+
+## Notes
+
+- **Accepted Risks**: Vulnerabilities marked as "ACCEPTED RISK" are in build-time or test-time dependencies that do not ship with the final widget packages. They only affect the development environment.
+- **Advisory Accuracy**: The uuid advisory appears to have incorrect version requirements (claims >=14.0.0 but uuid's latest is 9.0.1).
+- **Version Conflicts**: Some packages have multiple overlapping vulnerability ranges. Use the highest version number from the "Effective Fix" recommendations.