fix(deps): security update — 4 package(s) [risk: LOW] #135

Closed

aniket-shikhare-cstk wants to merge 1 commit into main from snykr-fix/2026-04-14

Conversation

@aniket-shikhare-cstk

Security Fix — SnykrAI

Verification

  • Dependencies resolve
  • Build passes (npm run build --if-present)
  • Tests pass (npm test)

Risk: LOW

Patch-level upgrade. Bug/security fixes only, safe to merge.

Vulnerabilities Addressed

CRITICAL: Unintended Proxy or Intermediary ('Confused Deputy')

| Detail | Value |
| --- | --- |
| Package | axios@1.13.6 |
| Dependency type | Direct |
| CVE | CVE-2025-62718 |
| CWE | CWE-441 |
| CVSS | 9.1 |
| Vulnerable range | <1.15.0 |
| Fixed in | 1.15.0 |
| Snyk ID | SNYK-JS-AXIOS-15965856 |
| Published | 2026-04-10 |

HIGH: HTTP Response Splitting

| Detail | Value |
| --- | --- |
| Package | axios@1.13.6 |
| Dependency type | Direct |
| CVE | CVE-2026-40175 |
| CWE | CWE-113 |
| CVSS | 7 |
| Vulnerable range | <1.15.0 |
| Fixed in | 1.15.0 |
| Snyk ID | SNYK-JS-AXIOS-15969258 |
| Published | 2026-04-10 |

HIGH: Arbitrary Code Injection

| Detail | Value |
| --- | --- |
| Package | lodash@4.17.23 |
| Dependency type | Transitive |
| CVE | CVE-2026-4800 |
| CWE | CWE-94 |
| CVSS | 8.6 |
| Vulnerable range | <4.18.1 |
| Fixed in | 4.18.1 |
| Snyk ID | SNYK-JS-LODASH-15869625 |
| Published | 2026-04-01 |

HIGH: Regular Expression Denial of Service (ReDoS)

| Detail | Value |
| --- | --- |
| Package | picomatch@4.0.3 |
| Dependency type | Transitive |
| CVE | CVE-2026-33671 |
| CWE | CWE-1333 |
| CVSS | 8.7 |
| Vulnerable range | <2.3.2 |
| Fixed in | 2.3.2 |
| Snyk ID | SNYK-JS-PICOMATCH-15765511 |
| Published | 2026-03-26 |

HIGH: Infinite loop

| Detail | Value |
| --- | --- |
| Package | brace-expansion@5.0.4 |
| Dependency type | Transitive |
| CVE | CVE-2026-33750 |
| CWE | CWE-835 |
| CVSS | 7.1 |
| Vulnerable range | <1.1.13 |
| Fixed in | 1.1.13 |
| Snyk ID | SNYK-JS-BRACEEXPANSION-15789759 |
| Published | 2026-03-27 |

MEDIUM: Prototype Pollution

| Detail | Value |
| --- | --- |
| Package | lodash@4.17.23 |
| Dependency type | Transitive |
| CVE | CVE-2026-2950 |
| CWE | CWE-1321 |
| CVSS | 6.9 |
| Vulnerable range | >=4.0.0 <4.18.1 |
| Fixed in | 4.18.1 |
| Snyk ID | SNYK-JS-LODASH-15869619 |
| Published | 2026-04-01 |

MEDIUM: Prototype Pollution

| Detail | Value |
| --- | --- |
| Package | picomatch@2.3.1 |
| Dependency type | Transitive |
| CVE | CVE-2026-33672 |
| CWE | CWE-1321 |
| CVSS | 6.9 |
| Vulnerable range | <2.3.2 |
| Fixed in | 2.3.2 |
| Snyk ID | SNYK-JS-PICOMATCH-15765513 |
| Published | 2026-03-26 |

Dependency Upgrades

| Package | From | To | Risk | Reasoning |
| --- | --- | --- | --- | --- |
| axios | ^1.15.0 | ^1.15.0 | patch | Upgrading to 1.15.0 as specified in Snyk's fixed_in field, resolving both the critical and high severity vulnerabilit... |
| lodash | 4.18.1 | 4.18.1 | patch | Upgrading to 4.18.1 as specified in Snyk's fixed_in field; the existing override is already set to 4.18.1, confirming... |
| picomatch | 2.3.2 | 2.3.2 | patch | Upgrading to 2.3.2 as specified in Snyk's fixed_in field; the existing override is already set to 2.3.2, pinning the ... |
| brace-expansion | 1.1.13 | 1.1.13 | patch | Upgrading to 1.1.13 as specified in Snyk's fixed_in field; the existing override is already set to 1.1.13, pinning th... |

Changelog & Impact Analysis

axios (^1.15.0 → ^1.15.0)

Registry: https://www.npmjs.com/package/axios?activeTab=versions

Files using this package (41):

  • ./node_modules/@contentstack/management/types/contentstackClient.d.ts
  • ./node_modules/@contentstack/marketplace-sdk/types/contentstackClient.d.ts
  • ./node_modules/@contentstack/cli-utilities/lib/http-client/http-response.d.ts
  • ./node_modules/@contentstack/cli-utilities/lib/http-client/client.d.ts
  • ./node_modules/axios/index.d.ts
  • ./src/core/contentstack/client.ts
  • ./node_modules/@contentstack/management/dist/es5/core/contentstackHTTPClient.js
  • ./node_modules/@contentstack/management/dist/es5/core/concurrency-queue.js
  • ./node_modules/@contentstack/management/dist/es5/core/oauthHandler.js
  • ./node_modules/@contentstack/management/dist/es5/contentstackClient.js
  • ...and 31 more

No changelog available from registry. Manual review recommended.

lodash (4.18.1 → 4.18.1)

Registry: https://www.npmjs.com/package/lodash?activeTab=versions

Release Notes:

## Bugs

Fixes a `ReferenceError` issue in `lodash` `lodash-es` `lodash-amd` and `lodash.template` when using the `template` and `fromPairs` functions from the modular builds. See https://github.com/lodash/lodash/issues/6167#issuecomment-4165269769

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

- `lodash`: https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm
- `lodash-es`: https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es
- `lodash-amd`: https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd
- `lodash.template`: https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages

Files using this package (278):

  • ./node_modules/@types/babel__traverse/index.d.ts
  • ./node_modules/globals/node_modules/type-fest/source/tsconfig-json.d.ts
  • ./node_modules/type-fest/source/tsconfig-json.d.ts
  • ./node_modules/type-fest/ts41/get.d.ts
  • ./node_modules/ts-jest/node_modules/type-fest/source/get.d.ts
  • ./node_modules/ts-jest/node_modules/type-fest/source/last-array-element.d.ts
  • ./node_modules/ts-jest/node_modules/type-fest/source/tsconfig-json.d.ts
  • ./node_modules/eslint-config-oclif/node_modules/eslint-config-oclif/node_modules/eslint-plugin-unicorn/rules/prefer-at.js
  • ./node_modules/eslint-config-oclif/node_modules/eslint-config-oclif/node_modules/eslint-plugin-unicorn/rules/no-array-method-this-argument.js
  • ./node_modules/eslint-config-oclif/node_modules/eslint-config-oclif/node_modules/eslint-plugin-unicorn/rules/prefer-object-from-entries.js
  • ...and 268 more

LLM Impact Analysis:

Likely safe (high confidence). Upgrading from 4.18.1 to 4.18.1 is the same version, so no breaking changes are possible.

picomatch (2.3.2 → 2.3.2)

Registry: https://www.npmjs.com/package/picomatch?activeTab=versions

Release Notes:

This is a security release fixing several security relevant issues.

## What's Changed
* fix: exception when glob pattern contains constructor by @Jason3S in https://github.com/micromatch/picomatch/pull/144
* Fix for [CVE-2026-33671](https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj)
* Fix for [CVE-2026-33672](https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p)
**Full Changelog**: https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2

Files using this package (11):

  • ./node_modules/jest-util/build/index.d.ts
  • ./node_modules/eslint-config-oclif/node_modules/eslint-config-xo/node_modules/@stylistic/eslint-plugin/dist/rules/jsx-pascal-case.js
  • ./node_modules/picomatch/index.js
  • ./node_modules/picomatch/lib/picomatch.js
  • ./node_modules/picomatch/lib/scan.js
  • ./node_modules/anymatch/index.js
  • ./node_modules/@stylistic/eslint-plugin/dist/index.js
  • ./node_modules/@stylistic/eslint-plugin/dist/rules/jsx-pascal-case.js
  • ./node_modules/jest-util/build/globsToMatcher.js
  • ./node_modules/micromatch/index.js
  • ...and 1 more

LLM Impact Analysis:

Likely safe (high confidence). This is a security-only patch release with bug fixes and no removed or renamed APIs, so existing code using picomatch should continue to work without modification.

brace-expansion (1.1.13 → 1.1.13)

Registry: https://www.npmjs.com/package/brace-expansion?activeTab=versions

Files using this package (16):

  • ./node_modules/eslint-config-oclif/node_modules/minimatch/minimatch.js
  • ./node_modules/test-exclude/node_modules/minimatch/minimatch.js
  • ./node_modules/eslint-config-oclif-typescript/node_modules/eslint-plugin-n/node_modules/minimatch/minimatch.js
  • ./node_modules/eslint-config-oclif-typescript/node_modules/minimatch/dist/mjs/index.js
  • ./node_modules/eslint-config-oclif-typescript/node_modules/minimatch/dist/cjs/index.js
  • ./node_modules/eslint-plugin-import/node_modules/minimatch/minimatch.js
  • ./node_modules/@eslint/config-array/node_modules/minimatch/minimatch.js
  • ./node_modules/@eslint/eslintrc/node_modules/minimatch/minimatch.js
  • ./node_modules/@humanwhocodes/config-array/node_modules/minimatch/minimatch.js
  • ./node_modules/eslint-plugin-perfectionist/node_modules/minimatch/dist/esm/index.js
  • ...and 6 more

No changelog available from registry. Manual review recommended.

Metadata

| Field | Value |
| --- | --- |
| LLM Provider | anthropic |
| Strategy | aggressive |
| Total issues | 7 |
| Fixable | 7 |
| Ecosystem | npm |
| Generated | 2026-04-14 20:45 UTC |

Automated by SnykrAI — draft PR, needs human review before merging.

Updated packages: axios, lodash, picomatch, brace-expansion.

Security maintenance update.
@github-actions

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

| Check Type | Count (with fixes) | Without fixes | Threshold | Result |
| --- | --- | --- | --- | --- |
| 🔴 Critical Severity | 0 | 0 | 10 | ✅ Passed |
| 🟠 High Severity | 0 | 0 | 25 | ✅ Passed |
| 🟡 Medium Severity | 7 | 5 | 500 | ✅ Passed |
| 🔵 Low Severity | 0 | 0 | 1000 | ✅ Passed |

⏱️ SLA Breach Summary

⚠️ Warning: The following vulnerabilities have exceeded their SLA thresholds (days since publication).

| Severity | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with/no fixes) | Status |
| --- | --- | --- | --- | --- |
| 🔴 Critical | 0 | 0 | 15 / 30 days | ✅ Passed |
| 🟠 High | 0 | 0 | 30 / 120 days | ✅ Passed |
| 🟡 Medium | 0 | 1 | 90 / 365 days | ⚠️ Warning |
| 🔵 Low | 0 | 0 | 180 / 365 days | ✅ Passed |

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

  • Critical without fixes: 0
  • High without fixes: 0
  • Medium without fixes: 5
  • Low without fixes: 0

⚠️ BUILD PASSED WITH WARNINGS - SLA breaches detected for issues without available fixes

Consider reviewing these vulnerabilities when fixes become available.
