Describe the issue
Multiple known security vulnerabilities have been detected in project dependencies listed in package-lock.json for the packship-cli repository. These vulnerabilities range from low to critical severity and may expose the application to risks such as prototype pollution, arbitrary code execution, or denial of service if left unpatched.
To Reproduce
Steps to reproduce the behavior:
- Go to the repository PackShip / packship-cli
- Open the package-lock.json file
- Run npm audit or review Dependabot alerts
- Observe reported vulnerabilities in dependencies including tmp, js-yaml, axios, minimatch, flatted, handlebars, and picomatch
Expected behavior
All dependencies should be free of known vulnerabilities, or patched to secure versions. The project should pass security audits (e.g., npm audit) without reporting known CVEs.
Screenshots
If applicable, include screenshots from Dependabot alerts or npm audit results showing the vulnerabilities.
Your Machine's Specs (please complete the following information):
- OS: [e.g. MacOS / Windows / Linux]
- Version: [e.g. Sonoma 14.1 / Ubuntu 22.04]
Component (please complete the following information):
- Device Frameset: [e.g. N/A]
- Browser: [e.g. N/A]
- Framify Version: [e.g. N/A]
Additional context
The following vulnerable dependencies and recommended upgrades were identified:
- tmp (<= 0.2.3) → upgrade to ~> 0.2.4 (CVE-2025-54798, Low)
- js-yaml (>= 4.0.0 < 4.1.1) → upgrade to ~> 4.1.1 (CVE-2025-64718, Moderate)
- axios (>= 1.0.0 <= 1.13.4) → upgrade to ~> 1.13.5 (CVE-2026-25639, High)
- minimatch (>= 9.0.0 < 9.0.7) → upgrade to ~> 9.0.7 (CVE-2026-27903, High)
- flatted (<= 3.4.1) → upgrade to ~> 3.4.2 (CVE-2026-33228, High)
- handlebars (>= 4.0.0 < 4.7.9) → upgrade to ~> 4.7.9 (Multiple CVEs including Critical severity)
- picomatch (< 2.3.2) → upgrade to ~> 2.3.2 (CVE-2026-33671, High; CVE-2026-33672, Moderate)
It is recommended to update these dependencies promptly to mitigate these risks. Applying the Dependabot pull requests, or running npm audit fix, should resolve most of them. Note that npm update only moves a package within the range declared in package.json, so a vulnerable copy pulled in transitively (or nested under a parent that pins an older range) may remain; for those, add an overrides entry in package.json for the fixed version, then re-run npm audit to confirm that the lockfile no longer contains any of the affected versions.