Status: Open
Labels: bug (Something isn't working)
Describe the bug
Our routine security review identified a couple of vulnerable npm dependencies referenced by this package. Some of these have been present for more than half a year already.
Vulnerable packages:
• valibot 0.42.0, 1.1.0 - CVE-2025-66020
• mdast-util-to-hast 13.2.0 - CVE-2025-66400
• @babel/runtime-corejs3 7.20.13 - CVE-2025-27789
• @babel/runtime 7.20.7, 7.19.0, 7.15.4, 7.14.8 - CVE-2025-27789
• esbuild 0.14.54 - GHSA-67mh-4wv8-2f99
To Reproduce
Steps to reproduce the behavior:
- Check lockfile and notice vulnerable version
- Go to specific vulnerability page, e.g. GHSA-vqpr-j7v3-hqw9
Expected behavior
References to patched versions. In some cases "^x.x.x" reference pattern could help end users like me to fix it on our end.
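The reproduction step above ("check lockfile and notice vulnerable version") is easy to automate. The following script is an added example, not code from the issue author or from the project: it walks an npm `package-lock.json` (lockfileVersion 2 or 3, the `packages` map) and reports every installed copy, including nested `node_modules` copies, whose exact version appears in a constructed advisory table. The table mirrors the package/version/advisory pairs listed in the issue; the lockfile embedded below is a constructed sample, and `packageNameFromPath`, `findVulnerable` and `SAMPLE_LOCK` are names chosen for this example.

```javascript
// Added example: scan an npm package-lock.json for exact versions listed
// in a constructed advisory table. Not the project's own tooling.

// Constructed advisory table: package name -> { exact version -> advisory id }.
// Versions and identifiers are the ones named in the issue text.
const ADVISORIES = {
  'valibot': { '0.42.0': 'CVE-2025-66020', '1.1.0': 'CVE-2025-66020' },
  'mdast-util-to-hast': { '13.2.0': 'CVE-2025-66400' },
  '@babel/runtime-corejs3': { '7.20.13': 'CVE-2025-27789' },
  '@babel/runtime': {
    '7.20.7': 'CVE-2025-27789',
    '7.19.0': 'CVE-2025-27789',
    '7.15.4': 'CVE-2025-27789',
    '7.14.8': 'CVE-2025-27789',
  },
  'esbuild': { '0.14.54': 'GHSA-67mh-4wv8-2f99' },
};

// Lockfile "packages" keys look like "node_modules/@babel/runtime" or, for a
// nested copy, "node_modules/foo/node_modules/@babel/runtime". The package
// name is everything after the last "node_modules/" segment, so scoped
// packages (@scope/name) are handled correctly.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every lockfile entry whose exact version is in the advisory table,
// sorted by install path so nested copies are reported next to their parent.
function findVulnerable(lock, advisories = ADVISORIES) {
  const hits = [];
  const packages = (lock && lock.packages) || {};
  for (const [lockPath, entry] of Object.entries(packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry || !entry.version) continue; // root entry "" or malformed
    const byVersion = advisories[name];
    if (byVersion && byVersion[entry.version]) {
      hits.push({
        path: lockPath,
        name,
        version: entry.version,
        advisory: byVersion[entry.version],
      });
    }
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile: one top-level vulnerable package, one nested
// vulnerable copy hidden under a plugin, and two clean packages (including a
// valibot version that is NOT in the table, to show exact matching).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/esbuild': { version: '0.14.54' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/@babel/runtime': { version: '7.15.4' },
    'node_modules/valibot': { version: '1.2.0' },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const h of findVulnerable(lock)) {
    console.log(`${h.advisory}\t${h.name}@${h.version}\t${h.path}`);
  }
}
```

Because the match is on exact versions taken from the issue rather than on the advisories' full affected ranges, the script reports what the issue reports and nothing more; to track the real affected ranges you would replace the constructed table with range data from the advisory pages the issue points to.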