bun audit v1.3.6 (d530ed99)
qs <6.14.1
workspace:@livecomp/client › vite-plugin-node-polyfills
high: qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
@babel/helpers <7.26.10
workspace:@livecomp/client › @tanstack/router-plugin
workspace:@livecomp/client › @vitejs/plugin-react
moderate: Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
@remix-run/server-runtime <=2.17.2
workspace:@livecomp/server › @sentry/remix
moderate: React Router has CSRF issue in Action/Server Action Request Processing - https://github.com/advisories/GHSA-h5cw-625j-3rxh
@trpc/server >=11.0.0 <11.8.0
workspace:@livecomp/server › @trpc/server
workspace:@livecomp/cli › @trpc/client
workspace:@livecomp/client › @trpc/react-query
workspace:@livecomp/server › trpc-bun-adapter
high: tRPC has possible prototype pollution in `experimental_nextAppDirCaller` - https://github.com/advisories/GHSA-43p4-m455-4f4j
brace-expansion >=1.0.0 <=1.1.11
workspace:@livecomp/client › eslint
workspace:@livecomp/server › @sentry/remix
workspace:@livecomp/client › typescript-eslint
workspace:@livecomp/client › tailwindcss
low: brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
low: brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
vite >=5.0.0 <5.4.15
workspace:@livecomp/client › vite
workspace:@livecomp/client › @tanstack/router-plugin
workspace:@livecomp/client › @vitejs/plugin-react
workspace:@livecomp/client › vite-plugin-node-polyfills
vitepress › @vitejs/plugin-vue › vite
moderate: Vite bypasses server.fs.deny when using ?raw?? - https://github.com/advisories/GHSA-x574-m823-4x7w
moderate: Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - https://github.com/advisories/GHSA-4r4m-qw57-chr8
moderate: Vite has an `server.fs.deny` bypass with an invalid `request-target` - https://github.com/advisories/GHSA-356w-63v5-8wf4
moderate: Vite's server.fs.deny bypassed with /. for files under project root - https://github.com/advisories/GHSA-859w-5945-r5v3
moderate: Vite allows server.fs.deny to be bypassed with .svg or relative paths - https://github.com/advisories/GHSA-xcj6-pq6g-qj4x
low: Vite middleware may serve files starting with the same name with the public directory - https://github.com/advisories/GHSA-g4jq-h2w9-997c
low: Vite's `server.fs` settings were not applied to HTML files - https://github.com/advisories/GHSA-jqfw-vq24-v9c3
moderate: vite allows server.fs.deny bypass via backslash on Windows - https://github.com/advisories/GHSA-93m4-6634-74q7
better-auth <1.4.2
workspace:@livecomp/cli › better-auth
workspace:@livecomp/client › better-auth
workspace:@livecomp/server › better-auth
workspace:@livecomp/shared › better-auth
low: Better Auth affected by external request basePath modification DoS - https://github.com/advisories/GHSA-569q-mpph-wgww
low: Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes - https://github.com/advisories/GHSA-36rg-gfq2-3h56
high: Better Auth: Unauthenticated API key creation through api-key plugin - https://github.com/advisories/GHSA-99h5-pjcv-gr6v
high: Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits - https://github.com/advisories/GHSA-x732-6j76-qmhm
mdast-util-to-hast >=13.0.0 <13.2.1
vitepress › shiki › @shikijs/core › hast-util-to-html › mdast-util-to-hast
moderate: mdast-util-to-hast has unsanitized class attribute - https://github.com/advisories/GHSA-4fh9-h7wg-q85m
tmp <=0.2.3
workspace:@livecomp/cli › inquirer
low: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
undici >=6.0.0 <6.21.2
workspace:@livecomp/server › @sentry/remix
low: undici Denial of Service attack via bad certificate data - https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
preact >=10.26.5 <10.26.10
vitepress › @docsearch/js › preact
high: Preact has JSON VNode Injection issue - https://github.com/advisories/GHSA-36hm-qxxp-pg3m
better-call <1.0.12
workspace:@livecomp/cli › better-auth
moderate: Better Call routing bug can lead to Cache Deception - https://github.com/advisories/GHSA-hq75-xg7r-rx6c
cookie <0.7.0
workspace:@livecomp/server › elysia
workspace:@livecomp/client › react-cookie
workspace:@livecomp/server › @sentry/remix
vitepress › @vueuse/integrations › universal-cookie › cookie
low: cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
@remix-run/router <=1.23.1
workspace:@livecomp/server › @sentry/remix
high: React Router vulnerable to XSS via Open Redirects - https://github.com/advisories/GHSA-2w69-qvjg-hvjx
esbuild <=0.24.2
workspace:@livecomp/server › drizzle-kit
workspace:@livecomp/client › vite
workspace:@livecomp/client › @tanstack/router-plugin
moderate: esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
elysia <1.4.18
workspace:@livecomp/server › elysia
workspace:@livecomp/server › @elysiajs/cors
high: Elysia affected by arbitrary code injection through cookie config - https://github.com/advisories/GHSA-8vch-m3f4-q8jf
glob >=10.2.0 <10.5.0
workspace:@livecomp/server › @sentry/remix
workspace:@livecomp/client › tailwindcss
high: glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
js-yaml >=4.0.0 <4.1.1
workspace:@livecomp/client › eslint
moderate: js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
@babel/runtime <7.26.10
workspace:@livecomp/client › @cloudscape-design/components
moderate: Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
@remix-run/node <=2.17.1
workspace:@livecomp/server › @sentry/remix
critical: React Router has Path Traversal in File Session Storage - https://github.com/advisories/GHSA-9583-h5hc-x8cw
react-router >=6.0.0 <6.30.2
workspace:@livecomp/server › @sentry/remix
moderate: React Router has unexpected external redirect via untrusted paths - https://github.com/advisories/GHSA-9jcx-v3wj-wh4m
elliptic <=6.6.1
workspace:@livecomp/client › vite-plugin-node-polyfills
low: Elliptic Uses a Cryptographic Primitive with a Risky Implementation - https://github.com/advisories/GHSA-848j-6mx2-7j84
@eslint/plugin-kit <0.3.4
workspace:@livecomp/client › eslint
low: @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser - https://github.com/advisories/GHSA-xffm-g5w8-qvg7
@remix-run/react <2.17.3
workspace:@livecomp/server › @sentry/remix
high: React Router SSR XSS in ScrollRestoration - https://github.com/advisories/GHSA-8v8x-cx79-35w7
high: React Router has XSS Vulnerability - https://github.com/advisories/GHSA-3cgp-3xvw-98x8
36 vulnerabilities (1 critical, 10 high, 14 moderate, 11 low)
To update all dependencies to the latest compatible versions:
bun update
To update all dependencies to the latest versions (including breaking changes):
bun update --latest
Current output of bun audit:
Perhaps dependabot might be useful?
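As an added example, not part of this issue, of bun, or of the livecomp project: a TypeScript helper that parses the plain-text `bun audit` listing above into structured findings, so the 36 entries can be triaged per workspace and per severity, and so the tool's own summary line can be cross-checked against the individual lines. The line shapes (package header with a version range, `›`-separated dependency paths, `<severity>: <title> - <advisory URL>`, the `N vulnerabilities (...)` summary) are taken from the pasted output; the function names, the `(root)` label for dependency paths that do not start with `workspace:`, and the sample input (a constructed excerpt of the listing with its own consistent summary line) are this example's assumptions.

```typescript
// Added example, not part of bun or the livecomp project: parses the plain-text
// `bun audit` listing so findings can be triaged by workspace and severity. Line shapes
// come from the pasted output; function names and the "(root)" label are this example's own.
export type Severity = "critical" | "high" | "moderate" | "low";
export const SEVERITIES: Severity[] = ["critical", "high", "moderate", "low"];
export type Counts = Record<Severity, number>;
export interface Advisory { severity: Severity; title: string; ghsa: string; url: string }
export interface Finding { pkg: string; range: string; paths: string[]; advisories: Advisory[] }
export interface Report { findings: Finding[]; summary?: Counts & { total: number } }

// "qs <6.14.1", "@trpc/server >=11.0.0 <11.8.0": a name, then a range starting with a comparator
const HEADER = /^(\S+) ([<>=].*)$/;
const ADVISORY = /^(critical|high|moderate|low): (.+) - (https:\/\/github\.com\/advisories\/(GHSA-[\w-]+))$/;
const SUMMARY = /^(\d+) vulnerabilit(?:y|ies) \((.*)\)$/;
const zero = (): Counts => ({ critical: 0, high: 0, moderate: 0, low: 0 });

export function parseBunAudit(text: string): Report {
  const report: Report = { findings: [] };
  let current: Finding | undefined;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    let m: RegExpMatchArray | null;
    if ((m = line.match(ADVISORY))) {
      if (!current) throw new Error(`advisory before any package header: ${line}`);
      current.advisories.push({ severity: m[1] as Severity, title: m[2], url: m[3], ghsa: m[4] });
    } else if (line.includes("›")) {
      // dependency path: "workspace:<name> › dep › ..." or "<root dep> › ..."
      if (!current) throw new Error(`path before any package header: ${line}`);
      current.paths.push(line.split("›").map((s) => s.trim()).join(" › "));
    } else if ((m = line.match(SUMMARY))) {
      const counts = zero();
      for (const part of m[2].split(",")) {
        const [n, sev] = part.trim().split(/\s+/);
        if (SEVERITIES.includes(sev as Severity)) counts[sev as Severity] = Number(n);
      }
      report.summary = { ...counts, total: Number(m[1]) };
    } else if ((m = line.match(HEADER))) {
      current = { pkg: m[1], range: m[2], paths: [], advisories: [] };
      report.findings.push(current);
    }
    // the version banner and the "bun update" hints match nothing and are skipped
  }
  return report;
}

export function countBySeverity(report: Report): Counts {
  const counts = zero();
  for (const f of report.findings) for (const a of f.advisories) counts[a.severity]++;
  return counts;
}

// bun prints one line per vulnerable range, so one GHSA can appear twice (brace-expansion
// above); this is the number of distinct advisories that actually need reading
export function uniqueAdvisoryIds(report: Report): Set<string> {
  const ids = new Set<string>();
  for (const f of report.findings) for (const a of f.advisories) ids.add(a.ghsa);
  return ids;
}

// true when bun's own "N vulnerabilities (...)" line agrees with the per-line count
export function summaryMatches(report: Report): boolean {
  const s = report.summary;
  if (!s) return false;
  const counts = countBySeverity(report);
  const total = SEVERITIES.reduce((n, sev) => n + counts[sev], 0);
  return total === s.total && SEVERITIES.every((sev) => counts[sev] === s[sev]);
}

function workspaceOf(path: string): string {
  const first = path.split(" › ")[0];
  return first.startsWith("workspace:") ? first.slice("workspace:".length) : "(root)";
}

// advisories per workspace; a package reached by several paths from the same workspace
// is one advisory there, so it is counted once
export function countByWorkspace(report: Report): Record<string, Counts> {
  const out: Record<string, Counts> = {};
  for (const f of report.findings) {
    for (const ws of Array.from(new Set(f.paths.map(workspaceOf)))) {
      if (!out[ws]) out[ws] = zero();
      for (const a of f.advisories) out[ws][a.severity]++;
    }
  }
  return out;
}

// Constructed excerpt of the listing above, with its own consistent summary line.
export const SAMPLE = `
qs <6.14.1
workspace:@livecomp/client › vite-plugin-node-polyfills
high: qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
brace-expansion >=1.0.0 <=1.1.11
workspace:@livecomp/client › eslint
workspace:@livecomp/server › @sentry/remix
low: brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
low: brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
@remix-run/node <=2.17.1
workspace:@livecomp/server › @sentry/remix
critical: React Router has Path Traversal in File Session Storage - https://github.com/advisories/GHSA-9583-h5hc-x8cw
mdast-util-to-hast >=13.0.0 <13.2.1
vitepress › shiki › @shikijs/core › hast-util-to-html › mdast-util-to-hast
moderate: mdast-util-to-hast has unsanitized class attribute - https://github.com/advisories/GHSA-4fh9-h7wg-q85m
5 vulnerabilities (1 critical, 1 high, 1 moderate, 2 low)
`;

console.log(countByWorkspace(parseBunAudit(SAMPLE)));
```

Run it with `bun run audit-triage.ts` (or pipe the real output in by replacing `SAMPLE` with `await Bun.stdin.text()`); the per-workspace table shows at a glance that the critical `@remix-run/node` finding is reachable only through `@sentry/remix` in `@livecomp/server`, while the `vitepress` chain is a root-level docs dependency rather than shipped application code, which is the distinction that decides what needs fixing first.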