
Fix 3 security issues in react-hook-form, d3-color, brace-expansion#1533

Closed
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-8442126-xym4

Conversation


@aikido-autofix aikido-autofix bot commented Oct 9, 2025

This PR will resolve the following CVEs:

CVE ID: AIKIDO-2024-10523
Severity: MEDIUM
Description: Affected versions of this package are vulnerable to prototype pollution due to insufficient safeguards. Attackers can exploit the prototype and constructor properties to manipulate object prototypes, potentially leading to unintended behavior, security breaches, or further exploitation.

CVE ID: GHSA-36jr-mh4h-2g58
Severity: LOW
Description: The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

CVE ID: CVE-2025-5889
Severity: LOW
Description: A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Th...

@github-actions github-actions bot added the bug Something isn't working label Oct 9, 2025

coderabbitai bot commented Oct 9, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
Comment @coderabbitai help to get the list of available commands and usage tips.

@aikido-autofix aikido-autofix bot closed this Dec 17, 2025