Bump the npm_and_yarn group across 2 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
vite	5.4.11	5.4.21
astro	5.4.1	5.15.9
dompurify	3.1.7	3.2.4
js-yaml	4.1.0	4.1.1
@nuxt/devtools	1.6.3	2.6.4
glob	10.4.2	10.5.0
nuxt	3.14.1592	3.19.0

Bumps the npm_and_yarn group with 5 updates in the /apps/frontend directory:

Package	From	To
dompurify	3.1.7	3.2.4
js-yaml	4.1.0	4.1.1
@nuxt/devtools	1.6.3	2.6.4
glob	10.4.2	10.5.0
nuxt	3.14.1592	3.19.0

Updates vite from 5.4.11 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates astro from 5.4.1 to 5.15.9

Release notes

Sourced from astro's releases.

astro@5.15.9

Patch Changes

• #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  images: {
  remotePatterns: [
  {
  protocol: 'data',
  },
  ],
  },
  });

• #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

astro@5.15.8

Patch Changes

• #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

astro@5.15.7

Patch Changes

... (truncated)

Changelog

Sourced from astro's changelog.

5.15.9

Patch Changes

• #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  images: {
  remotePatterns: [
  {
  protocol: 'data',
  },
  ],
  },
  });

• #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

5.15.8

Patch Changes

• #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

5.15.7

... (truncated)

Commits

• 7a07f02 [ci] release (#14788)
• 8cf3f05 [ci] format
• 758a891 fix(astro): handle invalid encrypted props in server island (#14786)
• 3537876 fix: passthroughImageService generate webp (#14776)
• 048e4dc [ci] format
• 9e9c528 fix: require explicit authorization to use data urls (#14791)
• 0f75f6b Fix wildcard hostname matching to reject hostnames without dots (#14787)
• 504958f feat(fonts): log number of downloaded files (#14783)
• 24e28d2 fix(deps): update astro dependencies (#14779)
• 60af4d0 [ci] release (#14773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates dompurify from 3.1.7 to 3.2.4

Release notes

Sourced from dompurify's releases.

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

DOMPurify 3.2.3

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

DOMPurify 3.2.2

• Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
• Fixed several minor issues with the type definitions, thanks again @​reduckted
• Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
• Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

DOMPurify 3.2.1

• Fixed several minor issues with the type definitions, thanks @​reduckted @​ghiscoding @​asamuzaK @​MiniDigger
• Fixed an issue with non-minified dist files and order of imports, thanks @​reduckted

DOMPurify 3.2.0

• Added type declarations, thanks @​reduckted , @​philmayfield, @​aloisklink, @​ssi02014 and others
• Fixed a minor issue with the handling of hooks, thanks @​kevin-mizu

Commits

• ec29e65 Merge pull request #1062 from cure53/main
• 1c1b183 chore: Preparing 3.2.4 release
• d18ffcb fix: Changed the template literal regex to avoid a config-dependent bypass
• 0d64d2b Merge pull request #1060 from yehuya/initializeTestImprovements
• 9ad7933 tests: DOMPurify custom window tests improvements
• 72760ca Merge pull request #1059 from yehuya/fixMissingWindowElement
• bc72d44 Fix tests
• 363a89d fix: handle undefined Element in DOMPurify initialization
• f41b45d Update LICENSE
• b25bf26 Update README.md
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates @nuxt/devtools from 1.6.3 to 2.6.4

Release notes

Sourced from @​nuxt/devtools's releases.

v2.6.4

   🐞 Bug Fixes

• Using textContent instead of innerHtml for auth pagechore: update lock  -  by @​antfu (7cadb)

    View changes on GitHub

v2.6.3

No significant changes

    View changes on GitHub

v2.6.2

   🐞 Bug Fixes

• Panel dragging issue, close #874, close #871, close #873  -  by @​antfu in nuxt/devtools#874, nuxt/devtools#871 and nuxt/devtools#873 (619de)

    View changes on GitHub

v2.6.1

   🐞 Bug Fixes

• deps: Do not depend on @nuxt/schema  -  by @​danielroe in nuxt/devtools#872 (62443)

    View changes on GitHub

v2.6.0

   🚀 Features

• Update deps  -  by @​antfu (eef2c)

   🐞 Bug Fixes

• Timing labels wrapping  -  by @​DallasHoff in nuxt/devtools#866 (fd01e)

    View changes on GitHub

v2.5.0

   🚀 Features

• Use webcomponents for embedded views  -  by @​antfu in nuxt/devtools#864 (ad8f3)

   🐞 Bug Fixes

• Inspector interaction  -  by @​antfu (bbc62)

    View changes on GitHub

v2.5.0-beta.2

   🐞 Bug Fixes

... (truncated)

Changelog

Sourced from @​nuxt/devtools's changelog.

2.6.4 (2025-09-19)

Bug Fixes

• using textContent instead of innerHtml for auth pagechore: update lock (7cadbbe)

2.6.3 (2025-08-22)

2.6.2 (2025-07-02)

Bug Fixes

• panel dragging issue, close #874, close #871, close #873 (619de37)

2.6.1 (2025-07-01)

Bug Fixes

• deps: do not depend on @nuxt/schema (#872) (62443ec)

2.6.0 (2025-06-29)

Bug Fixes

• timing labels wrapping (#866) (fd01e60)

Features

• update deps (eef2c09)

2.5.0 (2025-06-04)

2.5.0-beta.2 (2025-06-04)

... (truncated)

Commits

• 39a0677 chore: release v2.6.4
• 7cadbbe fix: using textContent instead of innerHtml for auth pagechore: update lock
• 27f80d0 chore: release v2.6.3
• d602a81 chore: release v2.6.2
• 619de37 fix: panel dragging issue, close #874, close #871, close #873
• 8d2ca01 chore: release v2.6.1
• 0af979e chore: update deps
• e07326b chore: release v2.6.0
• b3754b8 chore: lint
• fd01e60 fix: timing labels wrapping (#866)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nuxt/devtools since your current version.

Updates glob from 10.4.2 to 10.5.0

Commits

• 56774ef 10.5.0
• 1e4e297 bin: Do not expose filenames to shell expansion
• 1f0c1ca 10.4.5
• eaf31dc whatever, just allow any engines
• 7827516 10.4.4
• d06c8f8 restore support for node 14.latest and 16.latest
• c14b787 10.4.3
• 8a69def node 14 no longer supported
• See full diff in compare view

Updates nuxt from 3.14.1592 to 3.19.0

Release notes

Sourced from nuxt's releases.

v3.19.0

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Add ignore option to resolveFiles (#32858)
• kit: Add onInstall and onUpgrade module hooks (#32397)
• nuxt,vite: Add experimental support for rolldown-vite (#31812)
• nuxt: Extract defineRouteRules to page rules property (#32897)
• nuxt,vite: Use importmap to increase chunk stability (#33075)
• nuxt: Lazy hydration macros without auto-imports (#33037)
• kit,nuxt,schema: Allow modules to specify dependencies (#33063)
• kit,nuxt: Add getLayerDirectories util and refactor to use it (#33098)

🔥 Performance

• nuxt: Clear inline route rules cache when pages change (#32877)
• nuxt: Stop watching app manifest once a change has been detected (#32880)

🩹 Fixes

• nuxt: Handle satisfies in page augmentation (#32902)
• nuxt: Type response in useFetch hooks (#32891)
• nuxt: Add TS parenthesis and as expression for page meta extraction (#32914)
• nuxt: Use correct unit thresholds for relative time (#32893)
• nuxt: Handle uncached current build manifests (#32913)
• kit: Resolve directories in resolvePath and normalize file extensions (#32857)
• schema,vite: Bump requestTimeout + allow configuration (#32874)
• nuxt: Deep merge extracted route meta (#32887)
• nuxt: Do not expose app components until fully resolved (#32993)
• kit: Only exclude node_modules/ if no custom srcDir (#32987)
• nuxt: Compare final matched routes when syncing route object (#32899)
• nuxt: Make vue server warnings much less verbose in dev mode (#33018)
• schema: Allow disabling cssnano/autoprefixer postcss plugins (#33016)
• kit: Ensure local layers are prioritised alphabetically (#33030)
• kit,nuxt: Expose global types to vue compiler (#33026)
• nuxt: Support config type inference for defineNuxtModule().with() (#33081)
• nuxt: Search for colliding names in route children (31a9282c2)
• nuxt: Delete nuxtApp._runningTransition on resolve (#33025)
• nuxt: Add validation for nuxt island reviver key (#33069)

... (truncated)

Commits

• 8956505 v3.19.0
• 9a3b445 test: update test for app creation
• ae8b0d2 fix(kit): prioritise local layers over extended layers
• 2fd3bc2 feat(kit,nuxt): add getLayerDirectories util and refactor to use it (#33098)
• 6cc79dd feat(kit,nuxt,schema): allow modules to specify dependencies (#33063)
• 78153ba fix(nuxt): add validation for nuxt island reviver key (#33069)
• f4e38b7 fix(nuxt): delete nuxtApp._runningTransition on resolve (#33025)
• 31a9282 fix(nuxt): search for colliding names in route children
• 10fd012 refactor(kit,nuxt,ui-templates,vite): address deprecations + improve regexp p...
• 04dda84 feat(nuxt): lazy hydration macros without auto-imports (#33037)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nuxt since your current version.

Updates @nuxt/vite-builder from 3.14.1592 to 3.19.0

Release notes

Sourced from @​nuxt/vite-builder's releases.

v3.19.0

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Add ignore option to resolveFiles (#32858)
• kit: Add onInstall and onUpgrade module hooks (#32397)
• nuxt,vite: Add experimental support for rolldown-vite (#31812)
• nuxt: Extract defineRouteRules to page rules property (#32897)
• nuxt,vite: Use importmap to increase chunk stability (#33075)
• nuxt: Lazy hydration macros without auto-imports (#33037)
• kit,nuxt,schema: Allow modules to specify dependencies (#33063)
• kit,nuxt: Add getLayerDirectories util and refactor to use it (#33098)

🔥 Performance

• nuxt: Clear inline route rules cache when pages change (#32877)
• nuxt: Stop watching app manifest once a change has been detected (#32880)

🩹 Fixes

• nuxt: Handle satisfies in page augmentation (#32902)
• nuxt: Type response in useFetch hooks (#32891)
• nuxt: Add TS parenthesis and as expression for page meta extraction (#32914)
• nuxt: Use correct unit thresholds for relative time (#32893)
• nuxt: Handle uncached current build manifests (#32913)
• kit: Resolve directories in resolvePath and normalize file extensions (#32857)
• schema,vite: Bump requestTimeout + allow configuration (#32874)
• nuxt: Deep merge extracted route meta (#32887)
• nuxt: Do not expose app components until fully resolved (#32993)
• kit: Only exclude node_modules/ if no custom srcDir (#32987)
• nuxt: Compare final matched routes when syncing route object (#32899)
• nuxt: Make vue server warnings much less verbose in dev mode (#33018)
• schema: Allow disabling cssnano/autoprefixer postcss plugins (#33016)
• kit: Ensure local layers are prioritised alphabetically (#33030)
• kit,nuxt: Expose global types to vue compiler (#33026)
• nuxt: Support config type inference for defineNuxtModule().with() (#33081)
• nuxt: Search for colliding names in route children (31a9282c2)
• nuxt: Delete nuxtApp._runningTransition on resolve (#33025)
• nuxt: Add validation for nuxt island reviver key (#33069)

... (truncated)

Commits

• 8956505 v3.19.0
• 2fd3bc2 feat(kit,nuxt): add getLayerDirectories util and refactor to use it (#33098)
• 10fd012 refactor(kit,nuxt,ui-templates,vite): address deprecations + improve regexp p...
• 9ea90fc refactor(vite): simplify inline chunk iteration
• e6618e2 feat(nuxt,vite): use importmap to increase chunk stability (#33075)
• 6ae620e feat(nuxt,vite): add experimental support for rolldown-vite (#31812)
• bebdbf5 fix(schema,vite): bump requestTimeout + allow configuration (#32874)
• cf7175d chore(deps): update all non-major dependencies (3.x) (#33095)
• 436cf01 chore(deps): update all non-major dependencies (3.x) (#33062)
• 4b5b219 chore(deps): update all non-major dependencies (3.x) (#33055)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nuxt/vite-builder since your current version.

Updates devalue from 5.1.1 to 5.6.1

Release notes

Sourced from devalue's releases.

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

v5.3.1

Patch Changes

• ae904c5: fix: correctly differentiate between +0 and -0

v5.3.0

Minor Changes

• 2896e7b: feat: support Temporal

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

5.3.1

... (truncated)

Commits

• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• 83de81d Version Packages (#127)
• a3d09d4 Add value and root properties in DevalueError instances (#126)
• f4b37f3 Version Packages (#124)
• 828fa1c Enable support for custom reducer/reviver for "function" values (#123)
• 6f4eb8b Version Packages (#119)
• 5c26c0d fix: allow custom revivers to revive things serialized by buitin reducers (#118)
• 8b0c28d Version Packages (#117)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed t...

    Description has been truncated

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dependabot]

Superseded by #4.