chore(deps)(deps): bump the web-dependencies group across 1 directory with 19 updates

[dependabot]

Bumps the web-dependencies group with 16 updates in the /web directory:

Package	From	To
i18next-browser-languagedetector	8.2.0	8.2.1
livekit-client	2.16.0	2.18.8
maplibre-gl	5.14.0	5.24.0
web-vitals	5.1.0	5.2.0
zustand	5.0.9	5.0.12
@playwright/test	1.58.0	1.59.1
@testing-library/react	16.3.0	16.3.2
@types/maplibre-gl	1.13.2	1.14.0
@vitest/coverage-v8	4.0.18	4.1.5
autoprefixer	10.4.22	10.5.0
axe-core	4.11.1	4.11.4
eslint-plugin-react-hooks	7.0.1	7.1.1
eslint-plugin-react-refresh	0.4.24	0.5.2
msw	2.12.7	2.14.2
postcss	8.5.6	8.5.13
typescript-eslint	8.49.0	8.59.1

Updates i18next-browser-languagedetector from 8.2.0 to 8.2.1

Changelog

Sourced from i18next-browser-languagedetector's changelog.

8.2.1

• Add missing typescript definition for hash options 33154

Commits

• 7164126 8.2.1
• 6df69c7 release
• 1ffa1cf Add missing typescript definition for hash options (#315)
• 697d89b Bump js-yaml (#313)
• ce82da9 Bump lodash from 4.17.21 to 4.17.23 (#312)
• d05fe5a fix url in readme
• 9d1d7d2 Bump tmp from 0.2.1 to 0.2.5 (#309)
• 32f0429 Bump cipher-base from 1.0.4 to 1.0.6 (#307)
• 9c0db8f Bump sha.js from 2.4.11 to 2.4.12 (#308)
• 3ad9ac5 Bump pbkdf2 from 3.1.2 to 3.1.3 (#306)
• Additional commits viewable in compare view

Updates livekit-client from 2.16.0 to 2.18.8

Release notes

Sourced from livekit-client's releases.

v2.18.8

Patch Changes

• Add local data track flush method - #1925 (@​1egoman)

• Implement negotiation tracking based on offerId - #1927 (@​lukasIO)

• Ignore data track promise rejections after a subscription readable stream is discarded - #1917 (@​1egoman)

• chore: improve logging foundation for implicit context retrieval - #1907 (@​lukasIO)

v2.18.7

Patch Changes

• Pass optional LocalTrack reference to processors - #1916 (@​lukasIO)

• Ensure priority isn't set on all simulcast layers when using Firefox on iOS - #1920 (@​lukasIO)

v2.18.6

Patch Changes

• Fix data tracks extension encoding - #1913 (@​ladvoc)

v2.18.5

Patch Changes

• Defer onEnterPiP visibility update until after the next microtask and animation frame so Document Picture-in-Picture embedders can append DOM into the PiP window before isElementInPiP runs. - #1868 (@​gparant)

• Differentiate different 404 responses on validate path - #1901 (@​lukasIO)

• await screen share audio unpublish before returning setEnabled - #1899 (@​lukasIO)

• Avoid attaching a new Closing event listener for each waitForBufferStatusLow call - #1896 (@​1egoman)

• Re-compute encoding params after track replace - #1902 (@​lukasIO)

• Harden extension id computation and retry publishing on negotiation failure - #1895 (@​lukasIO)

• fix: ensure udpated tokens get set on the regionUrlProvider - #1900 (@​lukasIO)

v2.18.4

Patch Changes

• fix: handle race between LocalTrackSubscribed signal and publishTrack completion - #1872 (@​pabloFuente)

• Harden RemoteParticipant.dataTracks map to work when a data track subscription is processed before the room connect is complete - #1888 (@​1egoman)

• Update dependency webrtc-adapter to v9.0.5 - #1858 (@​renovate)

• Ensure transport manager is reset before attempting legacy fallback path - #1893 (@​lukasIO)

... (truncated)

Changelog

Sourced from livekit-client's changelog.

2.18.8

Patch Changes

• Add local data track flush method - #1925 (@​1egoman)

• Implement negotiation tracking based on offerId - #1927 (@​lukasIO)

• Ignore data track promise rejections after a subscription readable stream is discarded - #1917 (@​1egoman)

• chore: improve logging foundation for implicit context retrieval - #1907 (@​lukasIO)

2.18.7

Patch Changes

• Pass optional LocalTrack reference to processors - #1916 (@​lukasIO)

• Ensure priority isn't set on all simulcast layers when using Firefox on iOS - #1920 (@​lukasIO)

2.18.6

Patch Changes

• Fix data tracks extension encoding - #1913 (@​ladvoc)

2.18.5

Patch Changes

• Defer onEnterPiP visibility update until after the next microtask and animation frame so Document Picture-in-Picture embedders can append DOM into the PiP window before isElementInPiP runs. - #1868 (@​gparant)

• Differentiate different 404 responses on validate path - #1901 (@​lukasIO)

• await screen share audio unpublish before returning setEnabled - #1899 (@​lukasIO)

• Avoid attaching a new Closing event listener for each waitForBufferStatusLow call - #1896 (@​1egoman)

• Re-compute encoding params after track replace - #1902 (@​lukasIO)

• Harden extension id computation and retry publishing on negotiation failure - #1895 (@​lukasIO)

• fix: ensure udpated tokens get set on the regionUrlProvider - #1900 (@​lukasIO)

2.18.4

Patch Changes

• fix: handle race between LocalTrackSubscribed signal and publishTrack completion - #1872 (@​pabloFuente)

... (truncated)

Commits

• a8bfc4c Version Packages (#1922)
• 3a98d99 Add local data track flush method (#1925)
• fb32606 Implement negotiation tracking based on offerId (#1927)
• 95025ff Improve logging foundation (#1907)
• be55ae2 Ignore data track promise rejections after a subscription readable stream is ...
• de064cc Version Packages (#1918)
• ce6ce79 Ensure priority isn't set on all simulcast layers when using Firefox on iOS (...
• 5e884b9 Pass optional LocalTrack reference to processors (#1916)
• 552e878 Version Packages (#1914)
• 6c48eb0 Add missing changeset for #1911 (#1913)
• Additional commits viewable in compare view

Updates maplibre-gl from 5.14.0 to 5.24.0

Release notes

Sourced from maplibre-gl's releases.

v5.24.0

✨ Features and improvements

• GPU performance optimization: Render halo and glyph in a single pass (-40% Time Reduction) (#7436) (by @​xavierjs)
• Optimize matrix inversions and reduce GPU stalls (#7367) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#7077) (by @​CommanderStorm)

🐞 Bug fixes

• Fix Popup not updating its position when switching between terrain/globe projections (#7468) (by @​CommanderStorm)
• Skip fog computation when fog opacity is zero (#7476) (by @​CommanderStorm)

v5.23.0

✨ Features and improvements

• Add touchZoomRotate.setZoomRate() and touchZoomRotate.setZoomThreshold() to customize touch zoom speed and pinch sensitivity (#7271)
• Improve ability to communicate with imported scripts in workers and use makeRequest in workres as well (#7451) (by @​HarelM)
• Allow opacity and opacityWhenCovered in Marker and MarkerOptions to accept number in addition to string, and add maplibregl-marker-covered CSS class to Marker element when covered by 3D terrain or a globe (#7433) (by @​YuChunTsao)
• perf: add a bench for terrain rendering and fix _demMatrixCache lookup being wasted cycles by actually using the cache (#7400) (by @​CommanderStorm)

🐞 Bug fixes

• Fix polygon text label placement drifting far from center for convex polygons at high zoom due to coordinate rounding in geojson-vt (#7380) (by @​CommanderStorm)
• Ensure that a successful ArrayBuffer response from a custom protocol that is null/undefined is set to an empty ArrayBuffer (#7427) (by @​neodescis)
• Fix error in _contextRestored when map was initialized without a style (#7432) (by @​mvanhorn)
• Fix issue with the cache used for zoomLevelsToOverscale feature (#7450) (by @​HarelM)
• Update stylelint and fix old issues with the CSS (mainly change rgb to use spaces) (#7365) (by @​HarelM)

v5.22.0

✨ Features and improvements

• Make line-cap, line-miter-limit, and line-round-limit data-driven properties, allowing per-feature values (#7351) (by @​CommanderStorm)
• GPU performance optimization: early culling of transparent symbols in vertex shaders (#7364) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#7077) (by @​CommanderStorm)
• UX: Clarify error message language so if layout and paint properties are confused in setPaintProperty or setLayoutProperty (#6954) (by @​Willjfield and @​CommanderStorm)

🐞 Bug fixes

• Fix startup crash caused by a stale async style load completing after the style was cleared or replaced (#7377)
• Make fitBounds and fitScreenCoordinates respect the zoomSnap map option by snapping the zoom level down to keep bounds fully visible (#7332 (by @​CommanderStorm)
• Make jumpTo, easeTo, and flyTo respect the zoomSnap map option by snapping the zoom level to the nearest valid increment (#7333 (by @​CommanderStorm)
• Fix setState crash when switching styles while globe projection is active (#7314) (by @​ashwinuae)
• Prevent crashes when calling map.remove() immediately after creation by canceling in-flight style URL loads (#7368) (by @​CommanderStorm)
• Fixed symbol collision flickering by adding tolerance to GridIndex AABB comparison (#7360) (by @​kkokkoejong)
• Fix fitBounds ignoring maxZoom option in vertical-perspective projection (#7372) (by @​CommanderStorm)
• Prevent stale async style loads from completing after style clear (#7378) (by @​Lievesley)
• Fix broken example for fill-pattern (#7326) (by @​k-yle)

... (truncated)

Changelog

Sourced from maplibre-gl's changelog.

5.24.0

✨ Features and improvements

• GPU performance optimization: Render halo and glyph in a single pass (-40% Time Reduction) (#7436) (by @​xavierjs)
• Optimize matrix inversions and reduce GPU stalls (#7367) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#7077) (by @​CommanderStorm)

🐞 Bug fixes

• Fix Popup not updating its position when switching between terrain/globe projections (#7468) (by @​CommanderStorm)
• Skip fog computation when fog opacity is zero (#7476) (by @​CommanderStorm)

5.23.0

✨ Features and improvements

• Add touchZoomRotate.setZoomRate() and touchZoomRotate.setZoomThreshold() to customize touch zoom speed and pinch sensitivity (#7271) (by @​itisyb)
• Improve ability to communicate with imported scripts in workers and use makeRequest in workres as well (#7451) (by @​HarelM)
• Allow opacity and opacityWhenCovered in Marker and MarkerOptions to accept number in addition to string, and add maplibregl-marker-covered CSS class to Marker element when covered by 3D terrain or a globe (#7433) (by @​YuChunTsao)
• perf: add a bench for terrain rendering and fix _demMatrixCache lookup being wasted cycles by actually using the cache (#7400) (by @​CommanderStorm)

🐞 Bug fixes

• Fix polygon text label placement drifting far from center for convex polygons at high zoom due to coordinate rounding in geojson-vt (#7380) (by @​CommanderStorm)
• Ensure that a successful ArrayBuffer response from a custom protocol that is null/undefined is set to an empty ArrayBuffer (#7427) (by @​neodescis)
• Fix error in _contextRestored when map was initialized without a style (#7432) (by @​mvanhorn)
• Fix issue with the cache used for zoomLevelsToOverscale feature (#7450) (by @​HarelM)
• Update stylelint and fix old issues with the CSS (mainly change rgb to use spaces) (#7365) (by @​HarelM)

5.22.0

✨ Features and improvements

• Make line-cap, line-miter-limit, and line-round-limit data-driven properties, allowing per-feature values (#7351) (by @​CommanderStorm)
• GPU performance optimization: early culling of transparent symbols in vertex shaders (#7364) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#7077) (by @​CommanderStorm)
• UX: Clarify error message language so if layout and paint properties are confused in setPaintProperty or setLayoutProperty (#6954) (by @​Willjfield and @​CommanderStorm)

🐞 Bug fixes

• Fix startup crash caused by a stale async style load completing after the style was cleared or replaced (#7377)
• Make fitBounds and fitScreenCoordinates respect the zoomSnap map option by snapping the zoom level down to keep bounds fully visible (#7332 (by @​CommanderStorm)
• Make jumpTo, easeTo, and flyTo respect the zoomSnap map option by snapping the zoom level to the nearest valid increment (#7333 (by @​CommanderStorm)
• Fix setState crash when switching styles while globe projection is active (#7314) (by @​ashwinuae)
• Prevent crashes when calling map.remove() immediately after creation by canceling in-flight style URL loads (#7368) (by @​CommanderStorm)
• Fixed symbol collision flickering by adding tolerance to GridIndex AABB comparison (#7360) (by @​kkokkoejong)
• Fix fitBounds ignoring maxZoom option in vertical-perspective projection (#7372) (by @​CommanderStorm)
• Prevent stale async style loads from completing after style clear (#7378) (by @​Lievesley)
• Fix broken example for fill-pattern (#7326) (by @​k-yle)

... (truncated)

Commits

• fd31bd8 Bump js version to 5.24.0 (#7509)
• 859e6fa chore(deps-dev): bump rollup from 4.60.1 to 4.60.2 (#7508)
• 1401f2d chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#7507)
• 57f77d3 chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 (#7506)
• 1d3c3f4 Update PR template to include AI policy confirmation (#7505)
• b30f011 docs: Improve documentation for MapOptions hash parameter (#7503)
• d1614ef chore(deps-dev): bump devtools-protocol from 0.0.1616338 to 0.0.1617013 (#7504)
• d44f14b Fix author attribution for touchZoomRotate features (#7502)
• 018c3a0 Symbol SDF Performance Optimization: Render Halo and Glyph in a Single Pass (...
• 38f6798 chore(deps-dev): bump diff from 8.0.4 to 9.0.0 (#7497)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for maplibre-gl since your current version.

Updates web-vitals from 5.1.0 to 5.2.0

Changelog

Sourced from web-vitals's changelog.

v5.2.0 (2026-03-25)

• Replace filter()[0] with find() for better performance (#658)
• Use queueMicrotask for microtask scheduling (#660)
• Simplify the event and LoAF entry clean up logic (#662)
• Remove obsolete FID polyfill types (#675)
• Use LargestContentfulPaint.id as fallback when element is removed from DOM (#676)
• Fix bug for onLCP when attached late (#697)
• FHandle initially hidden pages and onLCP registered on visibility change (#698)
• Ensure we clear idle callbacks in whenIdleOrHidden (#707)
• Limit pending events to conserve memory (#710)
• Add includeProcessedEventEntries option (#714)
• Reduce bundle size by refactoring (#713)

Commits

• c071fd0 Release v5.2.0
• 15cd449 Prep changelog for v.5.2.0 (#693)
• 384dd9c Reduce bundle size by refactoring (#713)
• 1742e6b Add includeProcessedEventEntries option (#714)
• 4733a93 Bump flatted from 3.3.3 to 3.4.2 (#718)
• efc4845 Bump fast-xml-parser from 5.5.6 to 5.5.7 (#717)
• 8e4e689 Bump undici from 6.23.0 to 6.24.1 (#716)
• 9750cc9 Bump fast-xml-parser from 5.4.2 to 5.5.6 (#715)
• 8fb24d7 Limit pending events to conserve memory (#710)
• 1a8233e Address flaky test (#711)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates zustand from 5.0.9 to 5.0.12

Release notes

Sourced from zustand's releases.

v5.0.12

Two small fixes.

What's Changed

• fix(persist): use latest state in post-rehydration callback by @​Shohjahon-n in pmndrs/zustand#3391
• fix(devtools): correct redux devtools config type extension by @​grigoriy-reshetniak in pmndrs/zustand#3414

New Contributors

• @​pavan-sh made their first contribution in pmndrs/zustand#3378
• @​Copilot made their first contribution in pmndrs/zustand#3395
• @​Aravindsreeni made their first contribution in pmndrs/zustand#3400
• @​wallzero made their first contribution in pmndrs/zustand#3401
• @​chaesunbak made their first contribution in pmndrs/zustand#3405
• @​Shohjahon-n made their first contribution in pmndrs/zustand#3391

Full Changelog: pmndrs/zustand@v5.0.11...v5.0.12

v5.0.11

This release includes small improvements in middleware thanks to contributors.

What's Changed

• chore: improve typing in devtools middleware by @​grigoriy-reshetniak in pmndrs/zustand#3362
• fix(persist): avoid relying on global localStorage by @​honuuk in pmndrs/zustand#3367
• fix(immer): Proper typing for immer middleware in combination with slices by @​wheerd in pmndrs/zustand#3371

New Contributors

• @​SeongYongLee made their first contribution in pmndrs/zustand#3355
• @​grigoriy-reshetniak made their first contribution in pmndrs/zustand#3351
• @​DormancyWang made their first contribution in pmndrs/zustand#3363
• @​Ea-st-ring made their first contribution in pmndrs/zustand#3369
• @​winner07 made their first contribution in pmndrs/zustand#3373
• @​honuuk made their first contribution in pmndrs/zustand#3367
• @​wheerd made their first contribution in pmndrs/zustand#3371

Full Changelog: pmndrs/zustand@v5.0.10...v5.0.11

v5.0.10

This version includes a fix to the persist middleware for an edge case.

What's Changed

• fix(persist): prevent race condition during concurrent rehydrate calls by @​Niyaz-Mazhitov in pmndrs/zustand#3336

New Contributors

• @​max-programming made their first contribution in pmndrs/zustand#3310
• @​oleksandr-danylchenko made their first contribution in pmndrs/zustand#3319
• @​MateuszSobiech made their first contribution in pmndrs/zustand#3334
• @​EduardoRangelG made their first contribution in pmndrs/zustand#3326
• @​1mehdifaraji made their first contribution in pmndrs/zustand#3339
• @​kamja44 made their first contribution in pmndrs/zustand#3349
• @​Niyaz-Mazhitov made their first contribution in pmndrs/zustand#3336

... (truncated)

Commits

• 206012d 5.0.12
• d714065 chore(deps): update dev dependencies (#3427)
• 89ebcd7 fix(devtools): correct redux devtools config type extension (#3414)
• 6213fc1 fix(persist): use latest state in post-rehydration callback (#3391)
• a3869ca docs: fix broken links in beginner TypeScript guide (#3423)
• c49df38 Hotfix section linking (#3410)
• 5561e9b Fix indentation for actions in index.md (#3406)
• 4966a15 fix(readme) : comparison documentaion link (#3405)
• da381c3 Fix README internal links for GitHub rendering (#3403)
• 0d250b3 fix persist documentation link (#3401)
• Additional commits viewable in compare view

Updates @playwright/test from 1.58.0 to 1.59.1

Release notes

Sourced from @​playwright/test's releases.

v1.59.1

Bug Fixes

• [Windows] Reverted hiding console window when spawning browser processes, which caused regressions including broken codegen, --ui and show commands (#39990)

v1.59.0

🎬 Screencast

New page.screencast API provides a unified interface for capturing page content with:

• Screencast recordings
• Action annotations
• Visual overlays
• Real-time frame capture
• Agentic video receipts

Screencast recording — record video with precise start/stop control, as an alternative to the recordVideo option:

await page.screencast.start({ path: 'video.webm' });
// ... perform actions ...
await page.screencast.stop();

Action annotations — enable built-in visual annotations that highlight interacted elements and display action titles during recording:

await page.screencast.showActions({ position: 'top-right' });

screencast.showActions() accepts position ('top-left', 'top', 'top-right', 'bottom-left', 'bottom', 'bottom-right'), duration (ms per annotation), and fontSize (px). Returns a disposable to stop showing actions.

Action annotations can also be enabled in test fixtures via the video option:

// playwright.config.ts
export default defineConfig({
  use: {
    video: {
      mode: 'on',
      show: {
        actions: { position: 'top-left' },
        test: { position: 'top-right' },
      },
</tr></table> 

... (truncated)

Commits

• d466ac5 chore: mark v1.59.1 (#40005)
• 530e7e5 cherry-pick(#4004): fix(cli): kill-all should kill dashboard
• 9aa216c cherry-pick(#39994): Revert "fix(windows): hide console window when spawning ...
• 01b2b15 cherry-pick(#39980): chore: more release notes fixes
• a5cb6c9 cherry-pick(#39972): chore: expose browser.bind and browser.unbind APIs
• 99a17b5 cherry-pick(#39975): chore: support opening .trace files via .link indirection
• 43607c3 cherry-pick(#39974): chore(webkit): update Safari user-agent version to 26.4
• 62cabe1 cherry-pick(#39969): chore(npm): include all *.md from lib (#39970)
• 0c65a75 cherry-pick(#39968): chore: screencast.showActions api
• f04155b cherry-pick(#39958): chore: release notes for langs v1.59
• Additional commits viewable in compare view

Updates @testing-library/react from 16.3.0 to 16.3.2

Release notes

Sourced from @​testing-library/react's releases.

v16.3.2

16.3.2 (2026-01-19)

Bug Fixes

• Update 'onCaughtError' type inference in 'RenderOptions' to work with React v19 (#1438) (f32bd1b)

v16.3.1

16.3.1 (2025-12-15)

Bug Fixes

• Switch to trusted publishing (#1437) (a2d37ff)

Commits

• f32bd1b fix: Update 'onCaughtError' type inference in 'RenderOptions' to work with Re...
• a2d37ff fix: Switch to trusted publishing (#1437)
• cd6a175 chore: fix action permissions (#1436)
• 22b8c28 chore: fix release (#1435)
• d996673 chore: new release workflow (#1434)
• 205ce17 chore: fix typo in jest.config.js (#1427)
• aba5740 [test] Fix tests for react@experimental (#1424)
• 590bc18 [test] Fix npm run typecheck (#1423)
• 1c931a6 chore(deps): use npm-run-all2 (#1411)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​testing-library/react since your current version.

Updates @types/maplibre-gl from 1.13.2 to 1.14.0

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.0.18 to 4.1.5

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: frontend, npm, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

NPM Vulnerability Scan Results - e2e

Severity	Count
Critical	0
High	1
Moderate	0
Low	1
Total	2

Click to see details

# npm audit report

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

2 vulnerabilities (1 low, 1 high)

To address all issues, run:
  npm audit fix

[github-actions]

NPM Vulnerability Scan Results - web

Severity	Count
Critical	0
High	5
Moderate	3
Low	0
Total	8

Click to see details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <1.1.13
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion

i18next-http-backend  <3.0.5
Severity: moderate
 i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - https://github.com/advisories/GHSA-q89c-q3h5-w34g
fix available via `npm audit fix`
node_modules/i18next-http-backend

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash-es

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/minimatch

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/rollup-plugin-visualizer/node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch
node_modules/vitest/node_modules/picomatch

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

vite  7.0.0 - 7.3.1
Severity: high
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - https://github.com/advisories/GHSA-4w7w-66w2-5vf9
Vite: `server.fs.deny` bypassed with queries - https://github.com/advisories/GHSA-v2wj-q39q-566r
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - https://github.com/advisories/GHSA-p9ff-h696-f583
fix available via `npm audit fix`
node_modules/vite

8 vulnerabilities (3 moderate, 5 high)

To address all issues, run:
  npm audit fix

[github-actions]

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity	Count
Critical	1
High	6
Medium	5
Low	1
Total	13

Click to see details

Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.13) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │       13        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 13 (LOW: 1, MEDIUM: 5, HIGH: 6, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace- │ CVE-2026-39882 │ MEDIUM   │ fixed  │ v1.24.0           │ 1.43.0         │ OpenTelemetry-Go is the Go implementation of OpenTelemetry. │
│ http                                                         │                │          │        │                   │                │ Prior to 1 ...                                              │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39882                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk                                 │ CVE-2026-24051 │ HIGH     │        │ v1.38.0           │ 1.40.0         │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution │
│                                                              │                │          │        │                   │                │ via PATH Hijacking                                          │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-24051                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39883 │          │        │                   │ 1.43.0         │ opentelemetry-go: BSD kenv command not using absolute path  │
│                                                              │                │          │        │                   │                │ enables PATH hijacking                                      │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-39883                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3         │ google.golang.org/grpc/grpc-go:                             │
│                                                              │                │          │        │                   │                │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass │
│                                                              │                │          │        │                   │                │ due to improper HTTP/2 path validation                      │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-33186                  │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1 │ net/url: Incorrect parsing of IPv6 host literals in net/url │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-25679                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32280 │          │        │                   │ 1.25.9, 1.26.2 │ crypto/x509: crypto/tls: golang: Go: Denial of Service      │
│                                                              │                │          │        │                   │                │ vulnerability in certificate chain building...              │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32280                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32281 │          │        │                   │                │ crypto/x509: golang: Go crypto/x509: Denial of Service via  │
│                                                              │                │          │        │                   │                │ inefficient certificate chain validation...                 │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32281                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32283 │          │        │                   │                │ If one side of the TLS connection sends multiple key update │
│                                                              │                │          │        │                   │                │ messages...                                                 │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32283                  │
│                                                              ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27142 │ MEDIUM   │        │                   │ 1.25.8, 1.26.1 │ html/template: URLs in meta content attribute actions are   │
│                                                              │                │          │        │                   │                │ not escaped in html/template...                             │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27142                  │
│                                                              ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32282 │          │        │                   │ 1.25.9, 1.26.2 │ golang: internal/syscall/unix: Root.Chmod can follow        │
│                                                              │                │          │        │                   │                │ symlinks out of the root                                    │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32282                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32288 │          │        │                   │                │ archive/tar: golang: Go's archive/tar package: Denial of    │
│                                                              │                │          │        │                   │                │ Service via maliciously-crafted archive                     │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32288                  │
│                                                              ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32289 │          │        │                   │                │ html/template: golang: html/template: Cross-Site Scripting  │
│                                                              │                │          │        │                   │                │ (XSS) via improper context and brace depth...               │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-32289                  │
│                                                              ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27139 │ LOW      │        │                   │ 1.25.8, 1.26.1 │ os: FileInfo can escape from a Root in golang os module     │
│                                                              │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2026-27139                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

[github-actions]

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

Severity	Count
Critical	0
High	2
Medium	5
Low	3
Total	10

Click to see details

Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.19.9) │ alpine │       10        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.19.9)
======================================
Total: 10 (LOW: 3, MEDIUM: 5, HIGH: 2, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬──────────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │  Installed Version   │    Fixed Version     │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2024-58251 │ MEDIUM   │ fixed  │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2024-58251 │ MEDIUM   │        │                      │                      │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ musl          │ CVE-2026-40200 │ HIGH     │        │ 1.2.4_git20230717-r5 │ 1.2.4_git20230717-r6 │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ musl-utils    │ CVE-2026-40200 │ HIGH     │        │                      │                      │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┤          │        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2024-58251 │          │        │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
└───────────────┴────────────────┴──────────┴────────┴──────────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘