Skip to content

chore(deps): update npm to v11.7.0 #353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update npm to v11.7.0 #353

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 1, 2025
edited
Loading

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change OpenSSF
npm (source) packageManager minor 11.4.211.7.0 OpenSSF Scorecard

Release Notes

npm/cli (npm)

v11.7.0

Compare Source

Features
Bug Fixes
Documentation
Chores
Dependencies

v11.6.4

Compare Source

Documentation
Dependencies

v11.6.3

Compare Source

Bug Fixes
Documentation
Dependencies
Chores

v11.6.2

Compare Source

Bug Fixes
Documentation
Dependencies
Chores

v11.6.1

Compare Source

Bug Fixes
Documentation
Dependencies
Chores

v11.6.0

Compare Source

Features
Bug Fixes
Dependencies

v11.5.2

Compare Source

Bug Fixes
Documentation

v11.5.1

Compare Source

Bug Fixes

v11.5.0

Compare Source

Features
Bug Fixes

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from Djaytan as a code owner December 1, 2025 01:17
@github-actions
Copy link

github-actions bot commented Dec 1, 2025
edited
Loading

Overview

Image reference djaytan/papermc-server:1.21.4 djaytan/papermc-server:test
- digest e5ddd5b8b4b2 31f0592ee5e1
- tag 1.21.4 test
- stream latest
- provenance 221f80c
- vulnerabilities critical: 0 high: 11 medium: 15 low: 2 critical: 2 high: 13 medium: 15 low: 3
- platform linux/amd64 linux/amd64
- size 133 MB 144 MB (+10 MB)
- packages 170 177 (+7)
Base Image alpine:3.22.0
also known as:
3
3.22
latest		 alpine:3
also known as:
3.22
latest
- vulnerabilities critical: 0 high: 1 medium: 3 low: 2 critical: 0 high: 1 medium: 3 low: 2
Policies (0 improved, 2 worsened, 3 missing data)
Policy Name djaytan/papermc-server:1.21.4 djaytan/papermc-server:test Change Standing
No unapproved base images ⚠️ 1 ❓ No data
Default non-root user No Change
No AGPL v3 licenses No Change
No fixable critical or high vulnerabilities ⚠️ 14 ⚠️ 15 +1 Worsened
No high-profile vulnerabilities No Change
No outdated base images ❓ No data
SonarQube quality gates passed ❓ No data ❓ No data
Supply chain attestations ⚠️ 2 +2 Worsened
Packages and Vulnerabilities (10 package changes and 5 vulnerability changes)
  • ➕ 8 packages added
  • ➖ 1 packages removed
  • ♾️ 1 packages changed
  • 164 packages unchanged
  • ❗ 5 vulnerabilities added
Changes for packages of type apk (8 changes)
Package Version
djaytan/papermc-server:1.21.4		 Version
djaytan/papermc-server:test
alpine-base 3.22.0-r0
ca-certificates 20241121-r2
gcc 14.2.0-r6
♾️ libxml2 2.13.9-r0 2.13.8-r0
critical: 2 high: 2 medium: 0 low: 1
Added vulnerabilities (5):
  • critical : CVE--2025--49796
  • critical : CVE--2025--49794
  • high : CVE--2025--6021
  • high : CVE--2025--49795
  • low : CVE--2025--6170
ncurses 6.5_p20250503-r0
openssl 3.5.0-r0
critical: 0 high: 1 medium: 3 low: 0
Added vulnerabilities (4):
  • high : CVE--2025--9230
  • medium : CVE--2025--9231
  • medium : CVE--2025--4575
  • medium : CVE--2025--9232
pax-utils 1.3.8-r1
xz 5.8.1-r0
Changes for packages of type generic (2 changes)
Package Version
djaytan/papermc-server:1.21.4		 Version
djaytan/papermc-server:test
openjdk 21.0.7
openjdk 21.0.7

@github-actions
Copy link

github-actions bot commented Dec 1, 2025
edited
Loading

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test
digestsha256:31f0592ee5e1de1930b20901f3f4ec4e9b3e0cbe8907b8381533e718752d478b
vulnerabilitiescritical: 2 high: 13 medium: 15 low: 3
platformlinux/amd64
size144 MB
packages177
📦 Base Image alpine:3
also known as
  • 3.22
  • 3.22.0
  • latest
digestsha256:08001109a7d679fe33b04fa51d681bd40b975d8f5cea8c3ef6c0eccb6a7338ce
vulnerabilitiescritical: 0 high: 1 medium: 3 low: 2
critical: 2 high: 2 medium: 0 low: 1 libxml2 2.13.8-r0 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22

critical : CVE--2025--49796

Affected range<2.13.9-r0
Fixed version2.13.9-r0
EPSS Score0.459%
EPSS Percentile63rd percentile
Description

critical : CVE--2025--49794

Affected range<2.13.9-r0
Fixed version2.13.9-r0
EPSS Score0.263%
EPSS Percentile49th percentile
Description

high : CVE--2025--6021

Affected range<2.13.9-r0
Fixed version2.13.9-r0
EPSS Score0.584%
EPSS Percentile68th percentile
Description

high : CVE--2025--49795

Affected range<2.13.9-r0
Fixed version2.13.9-r0
EPSS Score0.141%
EPSS Percentile35th percentile
Description

low : CVE--2025--6170

Affected range<2.13.9-r0
Fixed version2.13.9-r0
EPSS Score0.017%
EPSS Percentile3rd percentile
Description
critical: 0 high: 5 medium: 8 low: 0 stdlib 1.24.4 (golang)

pkg:golang/[email protected]

high : CVE--2025--61729

Affected range<1.24.11
Fixed version1.24.11
EPSS Score0.016%
EPSS Percentile3rd percentile
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high : CVE--2025--61725

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.026%
EPSS Percentile7th percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high : CVE--2025--61723

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.026%
EPSS Percentile7th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high : CVE--2025--58188

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.014%
EPSS Percentile2nd percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high : CVE--2025--58187

Affected range<1.24.9
Fixed version1.24.9
EPSS Score0.015%
EPSS Percentile3rd percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

medium : CVE--2025--61727

Affected range<1.24.11
Fixed version1.24.11
EPSS Score0.021%
EPSS Percentile5th percentile
Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

medium : CVE--2025--47906

Affected range>=1.24.0
<1.24.6
Fixed version1.24.6
EPSS Score0.020%
EPSS Percentile5th percentile
Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

medium : CVE--2025--61724

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.025%
EPSS Percentile6th percentile
Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

medium : CVE--2025--58189

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.019%
EPSS Percentile4th percentile
Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

medium : CVE--2025--58186

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.029%
EPSS Percentile7th percentile
Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

medium : CVE--2025--58185

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.033%
EPSS Percentile9th percentile
Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

medium : CVE--2025--47912

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.025%
EPSS Percentile6th percentile
Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

medium : CVE--2025--58183

Affected range<1.24.8
Fixed version1.24.8
EPSS Score0.014%
EPSS Percentile2nd percentile
Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

critical: 0 high: 4 medium: 1 low: 0 org.apache.commons/commons-compress 1.5 (maven)

pkg:maven/org.apache.commons/[email protected]

high 7.5: CVE--2021--36090 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.802%
EPSS Percentile73rd percentile
Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

high 7.5: CVE--2021--35517 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score1.437%
EPSS Percentile80th percentile
Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

high 7.5: CVE--2021--35516 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score1.893%
EPSS Percentile83rd percentile
Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

high 7.5: CVE--2021--35515 Excessive Iteration

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.843%
EPSS Percentile74th percentile
Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

medium 5.9: CVE--2024--25710 Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range>=1.3
<1.26.0
Fixed version1.26.0
CVSS Score5.9
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score0.018%
EPSS Percentile4th percentile
Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

critical: 0 high: 1 medium: 3 low: 0 openssl 3.5.0-r0 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22

high : CVE--2025--9230

Affected range<3.5.4-r0
Fixed version3.5.4-r0
EPSS Score0.026%
EPSS Percentile6th percentile
Description

medium : CVE--2025--9231

Affected range<3.5.4-r0
Fixed version3.5.4-r0
EPSS Score0.016%
EPSS Percentile3rd percentile
Description

medium : CVE--2025--4575

Affected range<3.5.1-r0
Fixed version3.5.1-r0
EPSS Score0.015%
EPSS Percentile2nd percentile
Description

medium : CVE--2025--9232

Affected range<3.5.4-r0
Fixed version3.5.4-r0
EPSS Score0.027%
EPSS Percentile7th percentile
Description
critical: 0 high: 1 medium: 0 low: 0 com.google.protobuf/protobuf-java 4.26.1 (maven)

pkg:maven/com.google.protobuf/[email protected]

high 8.7: CVE--2024--7254 Improper Input Validation

Affected range>=4.0.0-RC1
<4.27.5
Fixed version4.27.5
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score0.085%
EPSS Percentile25th percentile
Description

Summary

When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected]

Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.

Remediation and Mitigation

We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:

  • protobuf-java (3.25.5, 4.27.5, 4.28.2)
  • protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
  • protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
  • com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
critical: 0 high: 0 medium: 2 low: 0 golang.org/x/net 0.34.0 (golang)

pkg:golang/golang.org/x/[email protected]

medium 5.3: CVE--2025--22872 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<0.38.0
Fixed version0.38.0
CVSS Score5.3
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS Score0.021%
EPSS Percentile5th percentile
Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

medium 4.4: CVE--2025--22870 Misinterpretation of Input

Affected range<0.36.0
Fixed version0.36.0
CVSS Score4.4
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Score0.023%
EPSS Percentile5th percentile
Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

critical: 0 high: 0 medium: 1 low: 0 commons-lang/commons-lang 2.6 (maven)

pkg:maven/commons-lang/[email protected]

medium 6.5: CVE--2025--48924 Uncontrolled Recursion

Affected range>=2.0
<=2.6
Fixed versionNot Fixed
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score0.014%
EPSS Percentile2nd percentile
Description

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

critical: 0 high: 0 medium: 0 low: 2 busybox 1.37.0-r18 (apk)

pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22

low : CVE--2025--46394

Affected range<1.37.0-r20
Fixed version1.37.0-r20
EPSS Score0.017%
EPSS Percentile3rd percentile
Description

low : CVE--2024--58251

Affected range<1.37.0-r20
Fixed version1.37.0-r20
EPSS Score0.020%
EPSS Percentile4th percentile
Description

@renovate renovate bot force-pushed the renovate/npm-11.x branch from 7874318 to df2b1ce Compare December 12, 2025 23:04
@renovate renovate bot changed the title chore(deps): update npm to v11.6.4 chore(deps): update npm to v11.7.0 Dec 12, 2025
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 12, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Djaytan Djaytan Awaiting requested review from Djaytan Djaytan is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

t:dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant