Summary
`@vis.gl/dev-tools@1.0.1` has multiple high and critical severity vulnerabilities in its transitive dependency tree. These affect all downstream consumers (including `deck.gl-community`).
Vulnerabilities
| Package | Severity | Advisory | Via |
| --- | --- | --- | --- |
| form-data < 2.5.4 | critical | GHSA-fjxv-7rqg-78g4 | coveralls -> request |
| axios <= 1.13.4 | high | GHSA-43fc-jf86-j433 | lerna -> nx |
| tar <= 7.5.2 (3 CVEs) | high | GHSA-4r9x-wfcq-p4qr, GHSA-9pj4-f7r4-9m3v, GHSA-jppv-jxq6-24cw | lerna |
| qs < 6.14.1 | high | GHSA-hx3m-959f-v3r5 | coveralls -> request |
| trim < 0.0.3 | high | GHSA-w5p7-h5w8-2hfq | tap-spec -> tap-out |
| glob 10.x/11.x (2 CVEs) | high | GHSA-rsm9-g255-8vv4 | lerna -> @npmcli |
| cross-spawn < 6.0.6 | high | GHSA-3xgq-45jj-v275 | various |
| esbuild <= 0.24.2 | moderate | GHSA-67mh-4wv8-2f99 | direct dep (^0.16.7) |
| eslint 8.x | moderate | deprecated | direct dep |
Root cause dependencies in dev-tools
These are the direct dependencies that pull in the vulnerable packages:
- `coveralls: ^3.0.3` -- pulls in `request`, which pulls in `form-data`, `qs`, etc.
- `lerna: ^8.1.0` -- pulls in `nx` (`axios`), `tar`, `glob`
- `tap-spec: ^5.0.0` -- pulls in `tap-out` -> `trim`
- `esbuild: ^0.16.7` -- outdated, current is 0.25.x
- `eslint: ^8.52.0` -- deprecated, current is 9.x
- `vite: ^4.5.0` -- outdated, current is 7.x
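The "Via" column above is the piece of an audit that takes the most manual work: mapping each vulnerable transitive package back to the direct dependency that pulls it in. The following script is an added example, not code from this issue or from the vis.gl project. It walks a constructed, abbreviated tree in the shape of `npm ls --all --json` output (the `dependencies` nesting is real npm format; the versions and the hypothetical `example-dev-tools` root are made up), checks each installed copy against the simple `<` / `<=` ranges used in the table, and reports the chain from direct dependency to vulnerable package. It also shows the edge case a hoisted, patched copy creates: a top-level `form-data` 4.0.0 must not mask the vulnerable 2.3.3 nested under `request`.

```javascript
// Constructed, abbreviated `npm ls --all --json` style tree for a hypothetical
// project. Package names follow the issue's table; versions are made up.
const constructedTree = {
  name: "example-dev-tools",
  version: "0.0.0",
  dependencies: {
    coveralls: {
      version: "3.1.1",
      dependencies: {
        request: {
          version: "2.88.2",
          dependencies: {
            "form-data": { version: "2.3.3" },
            qs: { version: "6.5.3" },
          },
        },
      },
    },
    lerna: {
      version: "8.1.0",
      dependencies: {
        nx: { version: "17.0.0", dependencies: { axios: { version: "1.6.0" } } },
        tar: { version: "6.2.0" },
      },
    },
    // A patched copy hoisted to the top level; it must not hide the nested 2.3.3.
    "form-data": { version: "4.0.0" },
  },
};

// Advisory rows as stated in the issue's table: package, vulnerable range, GHSA id.
const advisories = [
  { name: "form-data", vulnerable: "< 2.5.4", advisory: "GHSA-fjxv-7rqg-78g4" },
  { name: "axios", vulnerable: "<= 1.13.4", advisory: "GHSA-43fc-jf86-j433" },
  { name: "qs", vulnerable: "< 6.14.1", advisory: "GHSA-hx3m-959f-v3r5" },
];

// Compare two dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Evaluate a "< x.y.z" or "<= x.y.z" range like those in the table.
// Anything more complex (||, ^, ~) should go through a real semver library.
function isVulnerable(version, range) {
  const m = /^(<=|<)\s*(\d+(?:\.\d+)*)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const cmp = compareVersions(version, m[2]);
  return m[1] === "<" ? cmp < 0 : cmp <= 0;
}

// Collect every installed copy of `name`, each with its path from the direct
// dependency down to the package itself (the "Via" chain).
function findInstalls(tree, name, path = []) {
  const found = [];
  for (const [dep, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) found.push({ version: node.version, via: here });
    found.push(...findInstalls(node, name, here));
  }
  return found;
}

// One report row per installed copy that falls inside a vulnerable range.
function auditTree(tree, rows) {
  const out = [];
  for (const row of rows) {
    for (const inst of findInstalls(tree, row.name)) {
      if (isVulnerable(inst.version, row.vulnerable)) {
        out.push({
          name: row.name,
          version: inst.version,
          advisory: row.advisory,
          via: inst.via.join(" -> "),
        });
      }
    }
  }
  return out;
}

const report = auditTree(constructedTree, advisories);
console.table(report);
```

Run it with `node audit-via.js` (any filename works). On the constructed tree it reports three rows: `form-data` 2.3.3 via `coveralls -> request -> form-data`, `axios` 1.6.0 via `lerna -> nx -> axios`, and `qs` 6.5.3 via `coveralls -> request -> qs`; the hoisted `form-data` 4.0.0 is correctly left out. Against a real project, replace `constructedTree` with `JSON.parse` of `npm ls --all --json` output and take the ranges from `npm audit --json`.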
Suggested fixes
- Drop `coveralls` -- it depends on the abandoned `request` package. Modern alternatives: `codecov` or GitHub Actions coverage reporting
- Bump `lerna` to latest or consider replacing with `turbo`/`nx` directly
- Drop `tap-spec` -- replace with `vitest` or another modern test reporter
- Bump `esbuild` to `^0.25.0`
- Bump `eslint` to 9.x with flat config
- Bump `vite` to `^7.3.1`
Context
Found during a security audit of visgl/deck.gl-community. The 1.0.0-alpha.21 and 1.0.1 releases have identical dependency trees, so bumping dev-tools alone does not resolve these.