chore(deps-dev)(deps-dev): bump vite from 7.2.7 to 7.3.3 in /web by dependabot[bot] · Pull Request #58 · PatrickFanella/subcults

dependabot · 2026-05-18T19:10:43Z

Bumps vite from 7.2.7 to 7.3.3.

Release notes

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.3 (2026-05-07)

Bug Fixes

avoid destructure lowering for newer safari (#22346) (5ab51c0)

7.3.2 (2026-04-06)

Bug Fixes

avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)

backport #22159, apply server.fs check to env transport (#22162) (19db0f2)

check server.fs after stripping query as well (#22160) (f8103cc)

7.3.1 (2026-01-07)

Features

add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

Commits

ca31424 release: v7.3.3
5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
cc383e0 release: v7.3.2
09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
f8103cc fix: check server.fs after stripping query as well (#22160)
19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
95e8923 release: v7.3.1
9d39d37 feat: add ignoreOutdatedRequests option to optimizeDeps (#21364)
acf7e05 release: v7.3.0
cff26ec feat(deps): update esbuild from ^0.25.0 to ^0.27.0 (#21183)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.2.7 to 7.3.3. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v7.3.3/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.3/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.3.3 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-18T19:10:44Z

Labels

The following labels could not be found: frontend, npm, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions · 2026-05-18T19:11:11Z

NPM Vulnerability Scan Results - web

Severity	Count
Critical	0
High	5
Moderate	5
Low	0
Total	10

Click to see details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <1.1.13 || >=2.0.0 <2.0.3
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
node_modules/brace-expansion

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

i18next-http-backend  <3.0.5
Severity: moderate
 i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - https://github.com/advisories/GHSA-q89c-q3h5-w34g
fix available via `npm audit fix`
node_modules/i18next-http-backend

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash-es

minimatch  <=3.1.3 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/minimatch

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/rollup-plugin-visualizer/node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch
node_modules/vitest/node_modules/picomatch

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss

protocol-buffers-schema  <3.6.1
Severity: moderate
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution - https://github.com/advisories/GHSA-j452-xhg8-qg39
fix available via `npm audit fix`
node_modules/protocol-buffers-schema

rollup  4.0.0 - 4.58.0
Severity: high
Rollup 4 has Arbitrary File Write via Path Traversal - https://github.com/advisories/GHSA-mw96-cpmx-2vgc
fix available via `npm audit fix`
node_modules/rollup

10 vulnerabilities (5 moderate, 5 high)

To address all issues, run:
  npm audit fix

github-actions · 2026-05-18T19:11:16Z

NPM Vulnerability Scan Results - e2e

Severity	Count
Critical	0
High	1
Moderate	0
Low	1
Total	2

Click to see details

# npm audit report

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

2 vulnerabilities (1 low, 1 high)

To address all issues, run:
  npm audit fix

github-actions · 2026-05-18T19:12:12Z

Docker Image Scan Results - Dockerfile.frontend

Image: subcults-frontend:scan

Severity	Count
Critical	0
High	2
Medium	5
Low	3
Total	10

Click to see details


Report Summary

┌────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                 Target                 │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ subcults-frontend:scan (alpine 3.19.9) │ alpine │       10        │    -    │
└────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


subcults-frontend:scan (alpine 3.19.9)
======================================
Total: 10 (LOW: 3, MEDIUM: 5, HIGH: 2, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬──────────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │  Installed Version   │    Fixed Version     │                            Title                             │
├───────────────┼────────────────┼──────────┼────────┼──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2024-58251 │ MEDIUM   │ fixed  │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ busybox-binsh │ CVE-2024-58251 │ MEDIUM   │        │                      │                      │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
├───────────────┼────────────────┼──────────┤        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ musl          │ CVE-2026-40200 │ HIGH     │        │ 1.2.4_git20230717-r5 │ 1.2.4_git20230717-r6 │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│ musl-utils    │ CVE-2026-40200 │ HIGH     │        │                      │                      │ musl: musl libc: Arbitrary code execution and denial of      │
│               │                │          │        │                      │                      │ service via stack-based...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-40200                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2026-6042  │ MEDIUM   │        │                      │                      │ musl libc: GB18030 4-byte Decoder: musl libc: Denial of      │
│               │                │          │        │                      │                      │ Service via inefficient...                                   │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2026-6042                    │
├───────────────┼────────────────┤          │        ├──────────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2024-58251 │          │        │ 1.36.1-r20           │ 1.36.1-r21           │ In netstat in BusyBox through 1.37.0, local users can launch │
│               │                │          │        │                      │                      │ of networ...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2024-58251                   │
│               ├────────────────┼──────────┤        │                      │                      ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2025-46394 │ LOW      │        │                      │                      │ In tar in BusyBox through 1.37.0, a TAR archive can have     │
│               │                │          │        │                      │                      │ filenames...                                                 │
│               │                │          │        │                      │                      │ https://avd.aquasec.com/nvd/cve-2025-46394                   │
└───────────────┴────────────────┴──────────┴────────┴──────────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘

github-actions · 2026-05-18T19:12:30Z

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity	Count
Critical	1
High	12
Medium	8
Low	1
Total	22

Click to see details


Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.14) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │       22        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 22 (LOW: 1, MEDIUM: 8, HIGH: 12, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel                                     │ CVE-2026-29181 │ HIGH     │ fixed  │ v1.38.0           │ 1.41.0          │ OpenTelemetry-Go: multi-value `baggage` header extraction    │
│                                                              │                │          │        │                   │                 │ causes excessive allocations (remote dos amplification)      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-29181                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace- │ CVE-2026-39882 │ MEDIUM   │        │ v1.24.0           │ 1.43.0          │ OpenTelemetry-Go is the Go implementation of OpenTelemetry.  │
│ http                                                         │                │          │        │                   │                 │ Prior to 1 ...                                               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39882                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk                                 │ CVE-2026-24051 │ HIGH     │        │ v1.38.0           │ 1.40.0          │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution  │
│                                                              │                │          │        │                   │                 │ via PATH Hijacking                                           │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-24051                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39883 │          │        │                   │ 1.43.0          │ opentelemetry-go: BSD kenv command not using absolute path   │
│                                                              │                │          │        │                   │                 │ enables PATH hijacking                                       │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39883                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3          │ google.golang.org/grpc/grpc-go:                              │
│                                                              │                │          │        │                   │                 │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass  │
│                                                              │                │          │        │                   │                 │ due to improper HTTP/2 path validation                       │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33186                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1  │ net/url: Incorrect parsing of IPv6 host literals in net/url  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-25679                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32280 │          │        │                   │ 1.25.9, 1.26.2  │ crypto/x509: crypto/tls: golang: Go: Denial of Service       │
│                                                              │                │          │        │                   │                 │ vulnerability in certificate chain building...               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32280                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32281 │          │        │                   │                 │ crypto/x509: golang: Go crypto/x509: Denial of Service via   │
│                                                              │                │          │        │                   │                 │ inefficient certificate chain validation...                  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32281                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32283 │          │        │                   │                 │ crypto/tls: golang: Go crypto/tls: Denial of Service via     │
│                                                              │                │          │        │                   │                 │ multiple TLS 1.3 key...                                      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32283                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-33811 │          │        │                   │ 1.25.10, 1.26.3 │ When using LookupCNAME with the cgo DNS resolver, a very     │
│                                                              │                │          │        │                   │                 │ long CNAME...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33811                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-33814 │          │        │                   │                 │ When processing HTTP/2 SETTINGS frames, transport will enter │
│                                                              │                │          │        │                   │                 │ an infini ...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33814                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39820 │          │        │                   │                 │ Well-crafted inputs reaching ParseAddress, ParseAddressList, │
│                                                              │                │          │        │                   │                 │ and Parse ...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39820                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39836 │          │        │                   │                 │ Panic in Dial and LookupPort when handling NUL byte on       │
│                                                              │                │          │        │                   │                 │ Windows in...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39836                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-42499 │          │        │                   │                 │ Pathological inputs could cause DoS through consumePhrase    │
│                                                              │                │          │        │                   │                 │ when parsing ...                                             │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-42499                   │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27142 │ MEDIUM   │        │                   │ 1.25.8, 1.26.1  │ html/template: URLs in meta content attribute actions are    │
│                                                              │                │          │        │                   │                 │ not escaped in html/template...                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-27142                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32282 │          │        │                   │ 1.25.9, 1.26.2  │ golang: internal/syscall/unix: Root.Chmod can follow         │
│                                                              │                │          │        │                   │                 │ symlinks out of the root                                     │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32282                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32288 │          │        │                   │                 │ archive/tar: golang: Go's archive/tar package: Denial of     │
│                                                              │                │          │        │                   │                 │ Service via maliciously-crafted archive                      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32288                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32289 │          │        │                   │                 │ html/template: golang: html/template: Cross-Site Scripting   │
│                                                              │                │          │        │                   │                 │ (XSS) via improper context and brace depth...                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32289                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39823 │          │        │                   │ 1.25.10, 1.26.3 │ CVE-2026-27142 fixed a vulnerability in which URLs were not  │
│                                                              │                │          │        │                   │                 │ correctly ......                                             │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39823                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39825 │          │        │                   │                 │ ReverseProxy can forward queries containing parameters not   │
│                                                              │                │          │        │                   │                 │ visible to ...                                               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39825                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39826 │          │        │                   │                 │ If a trusted template author were to write a <script> tag    │
│                                                              │                │          │        │                   │                 │ containing...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39826                   │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27139 │ LOW      │        │                   │ 1.25.8, 1.26.1  │ os: FileInfo can escape from a Root in golang os module      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-27139                   │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

dependabot Bot added the dependencies Pull requests that update a dependency file label May 18, 2026

dependabot Bot mentioned this pull request May 18, 2026

chore(deps-dev)(deps-dev): bump vite from 7.2.7 to 7.3.2 in /web #44

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps-dev)(deps-dev): bump vite from 7.2.7 to 7.3.3 in /web#58

chore(deps-dev)(deps-dev): bump vite from 7.2.7 to 7.3.3 in /web#58
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/web/vite-7.3.3

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 18, 2026

v7.3.3

v7.3.2

v7.3.1

v7.3.0

7.3.3 (2026-05-07)

Bug Fixes

7.3.2 (2026-04-06)

Bug Fixes

7.3.1 (2026-01-07)

Features

7.3.0 (2025-12-15)

Features

Uh oh!

dependabot Bot commented on behalf of github May 18, 2026

Labels

Uh oh!

github-actions Bot commented May 18, 2026

NPM Vulnerability Scan Results - web

Uh oh!

github-actions Bot commented May 18, 2026

NPM Vulnerability Scan Results - e2e

Uh oh!

github-actions Bot commented May 18, 2026

Docker Image Scan Results - Dockerfile.frontend

Uh oh!

github-actions Bot commented May 18, 2026

Docker Image Scan Results - Dockerfile.indexer

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants