Mitosis Case Study
Verified baseline scan — CVE Lite CLI v1.22.0 · 2026-06-14
Summary
- Project: Mitosis — cross-framework UI compiler from Builder.io (write once, compile to React, Vue, Angular, Svelte, Solid, Qwik, Alpine, and more)
- Revision:
a2434f9632438133ce08e17b0b646de378dfb5ca - Lockfile: root
yarn.lock(Yarn Berry 4.1.1 + Nx monorepo, workspacespackages/*,e2e/*) - Baseline findings: 145 unique vulnerable packages (18 critical · 70 high · 47 medium · 10 low)
- OSV advisory matches: 256 CVE/advisory entries deduplicated into 145 packages
- Direct vs transitive vs unknown: 6 direct / 30 transitive / 109 unknown
- Validated fix command groups generated: 5
- First-pass coverage: 27 of 145 findings have confident copy-and-run commands
- yarn npm audit --all (same lockfile, default workspace scope): 3 vulnerability entries on root direct deps (1 high · 2 moderate)
- Remediation applied in this study: five root-level command groups applied cumulatively on a test checkout of Mitosis@a2434f9 (2026-06-20), rescanned through the committed lockfile fixture after each pass
This fixture pins the root package.json and yarn.lock only. Mitosis upstream also ships workspace packages under packages/*, e2e/*, and generated e2e output paths — all resolved into the single root lockfile. No nested lockfiles are included separately.
What this case study demonstrates
Mitosis adds cross-framework compiler / codegen monorepo coverage — distinct from Storybook (UI tooling sandboxes), Svelte (compiler-only pnpm graph), and single-framework snapshots. The upstream repo is a Yarn Berry + Nx monorepo spanning compiler packages, e2e sandboxes, and multi-framework test fixtures at 2,476 resolved packages.
The 109 unknown relationship rows are the defining Yarn Berry MVP pattern on a lockfile-only snapshot. Without full workspace importer paths or node_modules, CVE Lite cannot classify most e2e sandbox packages (@builder.io/qwik, next, handlebars, Angular/Svelte/Solid fixtures) as direct or transitive — even though they are clearly present in yarn.lock.
Critical sandbox/tooling cluster: @builder.io/qwik, @builder.io/qwik-city, [email protected], handlebars, ejs, form-data, [email protected] — mostly e2e / framework compile-test paths, not Mitosis npm consumer surface.
Six direct esbuild versions (0.12.29 through 0.23.0) — all direct findings are esbuild version fragmentation on the root manifest surface, not application runtime deps. CVE Lite generates yarn add [email protected] as validated target across all six direct rows.
Critical direct-adjacent: [email protected] — within-range lockfile refresh via yarn upgrade shell-quote.
Nx orchestration path: yarn add [email protected] for critical [email protected] via project → nx → axios chain.
High within-range refresh cluster: axios, braces, cross-spawn, flatted, glob, minimatch, picomatch, tmp — grouped lockfile refresh commands.
Comparison Note: CVE Lite CLI vs yarn npm audit
Both tools were run against the same yarn.lock on the same machine on 2026-06-14.
| Metric | yarn npm audit --all (4.1.1, default) | CVE Lite CLI v1.22.0 |
|---|---|---|
| Total reported findings | 3 | 145 |
| Critical | 0 | 18 |
| High | 1 | 70 |
| Moderate / Medium | 2 | 47 |
| Low | 0 | 10 |
| Direct vs transitive breakdown | ✗ | ✓ (6 / 30 / 109 unknown) |
| Full lockfile package parse | ✗ (root workspace direct deps only) | ✓ (2,476 packages) |
| Deduplicated package view | ✗ | ✓ |
| Validated fix targets | partial | ✓ |
| Copy-and-run command groups | ✗ | ✓ (5 groups) |
| Skipped findings with reason | ✗ | ✓ (118 entries) |
Why the totals differ — and why that is not a coverage gap:
By default, yarn npm audit --all on this lockfile-only snapshot checks direct dependencies for the active workspace only. That means three advisories on root direct deps — two [email protected] advisories (high + moderate) and one [email protected] deprecation (moderate).
CVE Lite parses the entire yarn.lock — including e2e Qwik sandboxes, Next.js fixtures, Angular/Svelte/Solid compile-test graphs, and Nx orchestration chains — and reports 145 unique vulnerable package versions.
Running yarn npm audit -AR on this fixture without a full monorepo install does not produce a comparable full-graph audit. CVE Lite's value on a committed lockfile snapshot is that it works without installing 2,400+ packages.
Fix guidance differs materially:
yarn npm audit lists esbuild advisories on the one root-resolved version but does not consolidate six pinned esbuild majors or produce parent upgrades for Qwik/Next sandbox chains. CVE Lite generates five command groups covering 27 findings — including yarn add [email protected], yarn add [email protected], and grouped yarn upgrade refreshes.
Before vs After
Remediation results from applying the scanner's root-level command groups one at a time on a test checkout of Mitosis@a2434f9 (Yarn 4.1.1), rescanned through the committed examples/mitosis lockfile fixture after each pass (CVE Lite v1.22.0 · 2026-06-20). On Yarn 4, within-range refreshes were applied with yarn up -R (equivalent to the scanner's yarn upgrade output). OSV advisory updates since the 2026-06-14 baseline add eight packages to the starting count (153 vs 145 in the table below).
| Stage | Findings | Critical | High | Medium | Low | Direct | Transitive | Unknown | Command groups |
|---|---|---|---|---|---|---|---|---|---|
| Baseline (verified) | 153 | 18 | 68 | 53 | 14 | 6 | 30 | 117 | 6 |
After critical parent upgrade ([email protected]) | 153 | 18 | 68 | 53 | 14 | 6 | 29 | 118 | 6 |
After critical within-range refresh (shell-quote) | 151 | 16 | 68 | 53 | 14 | 6 | 28 | 117 | 5 |
After high parent upgrade (@changesets/[email protected]) | 149 | 16 | 67 | 52 | 14 | 6 | 24 | 119 | 5 |
| After high within-range refreshes | 135 | 15 | 55 | 51 | 14 | 6 | 12 | 117 | 2 |
After medium direct fix ([email protected]) | 135 | 15 | 55 | 51 | 14 | 6 | 12 | 117 | 2 |
| After medium within-range refreshes | 124 | 15 | 55 | 40 | 14 | 6 | 7 | 111 | 3 |
The finding count dropped from 153 to 124 across five actionable command groups (six scanner sections — the [email protected] parent upgrade alone did not reduce the deduplicated finding count on this snapshot, but subsequent passes did). High-severity findings dropped from 68 to 55; medium from 53 to 40. The command surface shrank from 6 groups to 3, and the remaining groups point at sandbox/tooling parent chains rather than root lockfile refreshes. 111 unknown-relationship findings remain — overwhelmingly e2e sandbox packages where Yarn Berry path reconstruction is limited in this MVP.
Fix Journey
On a monorepo this size, the instinct is to chase the 18 critical findings first. CVE Lite surfaces Qwik, Next.js, handlebars, and vitest critical rows but generates no auto-install commands for most — each is unknown relationship with incomplete parent-chain data in the Yarn Berry lockfile MVP. The five root-level command groups below were applied cumulatively on a test checkout; each block lists the scanner output and the measured rescan delta.
Pass 1 — critical parent upgrade ([email protected]):
yarn add [email protected]
Targets the project → nx → axios → form-data chain. Applied cleanly on Yarn 4.1.1. Finding count unchanged at 153 — other form-data paths and critical sandbox rows remain open.
Pass 2 — critical within-range refresh (shell-quote):
yarn up -R shell-quote
Clears both critical shell-quote rows (1.7.3 transitive and 1.8.1 unknown). Findings 153 → 151; critical 18 → 16.
Pass 3 — high parent upgrade (@changesets/[email protected]):
yarn add @changesets/[email protected]
Partial coverage on the [email protected] path via @changesets/cli → spawndamnit. Findings 151 → 149; high 68 → 67.
Pass 4 — high within-range refreshes:
yarn up -R axios && yarn up -R braces && yarn up -R cross-spawn && yarn up -R flatted && yarn up -R glob && yarn up -R minimatch && yarn up -R picomatch && yarn up -R tmp
Largest single drop: findings 149 → 135; high 67 → 55; command groups 5 → 2.
Pass 5 — medium direct fix ([email protected]):
yarn add [email protected]
Consolidates the six pinned root esbuild majors to one validated target. No additional finding reduction on this snapshot (135 unchanged) — remaining esbuild rows are older lockfile-resolved versions outside the root manifest surface.
Pass 6 — medium within-range refreshes:
yarn up -R @babel/runtime && yarn up -R ajv && yarn up -R brace-expansion && yarn up -R follow-redirects && yarn up -R js-yaml && yarn up -R micromatch && yarn up -R word-wrap
Findings 135 → 124; medium 51 → 40; transitive 12 → 7.
After six passes, 124 findings remain — including 15 critical sandbox/tooling packages (Qwik, Next.js, handlebars, vitest, and others) that require e2e fixture bumps or upstream releases, not root yarn add guesses.
Why this matters
Mitosis maintainers work inside a monorepo whose lockfile encodes the entire cross-framework compile-test matrix. A developer running default yarn npm audit --all at the repo root sees three advisories on esbuild and eslint. A lockfile scan reveals 145 vulnerable packages including critical paths in Qwik e2e sandboxes, Next.js fixtures, and crypto/template tooling chains.
That gap is operationally significant for any team using Mitosis as a reference for dependency health. The risk is not only in @builder.io/mitosis packages consumers install — it is in the e2e and multi-framework sandbox layer Mitosis uses to verify React, Vue, Qwik, Svelte, Solid, and other output targets.
CVE Lite answers the useful pre-release question in one pass: copy-and-run commands for what Mitosis controls directly (esbuild, nx, lockfile refreshes), 18 critical findings routed to sandbox/tooling chains, and 118 skipped entries explaining why the rest are not auto-fixable.
Scan command
Run from the Mitosis repository root or from the examples/mitosis directory in this repository:
cve-lite . --verbose --all
The example lockfile reflects Mitosis at revision a2434f9632438133ce08e17b0b646de378dfb5ca. OSV advisory data changes over time — re-scanning may show different counts on the same revision.
Every number in this case study comes from a live scan of the committed fixture at examples/mitosis/ in the CVE Lite CLI repository.
| Field | Value |
|---|---|
| Scan date | 2026-06-14 |
| CLI version | v1.22.0 |
| CVE Lite command | node dist/index.js examples/mitosis --verbose --all --json |
| yarn audit command | yarn npm audit --all (Yarn 4.1.1, default direct-deps scope) |
| Advisory source | OSV (https://api.osv.dev) — online mode |
| Lockfile source | examples/mitosis/yarn.lock from BuilderIO/mitosis@a2434f9 |
| Packages parsed (CVE Lite) | 2,476 |
| Unique vulnerable packages (CVE Lite) | 145 |
| Vulnerability entries (yarn npm audit --all) | 3 |
| Fix command groups (CVE Lite) | 5 |
| First-pass covered findings (CVE Lite) | 27 |
| Skipped findings with reason (CVE Lite) | 118 |
Reproduce CVE Lite locally from the repository root:
npm install
npm run build
node dist/index.js examples/mitosis --verbose --all
Reproduce yarn npm audit from the example directory:
cd examples/mitosis
yarn npm audit --all
Both tools were run against the same root yarn.lock on the same machine on 2026-06-14.
Remaining risk after baseline scan
After the measured remediation passes above, 124 findings remain open (down from 153 at the 2026-06-20 rescan baseline). The 2026-06-14 baseline table below still lists 145 packages — eight fewer than the June 20 OSV snapshot.
- 18 critical: Qwik/Qwik City e2e sandboxes,
[email protected],handlebars,ejs,form-data,[email protected], crypto tooling (cipher-base,elliptic,pbkdf2,sha.js),shell-quote - 70 high: six direct
esbuildrows plus Angular, Solid, Svelte, undici, rollup, and sandbox toolchain packages - 47 medium: multiple
postcss,@babel/runtime,ajv,brace-expansionrows across compile-test fixtures - 10 low: legacy
cookie,[email protected],webpacksandbox paths
111 unknown-relationship findings remain without a confident copy-and-run command after all passes (see scan skip reasons).
Baseline findings
Full vulnerable package list from the verified scan on 2026-06-14 (revision a2434f9):
| Package | Version | Severity | Relationship | Fix hint | Advisory IDs |
|---|---|---|---|---|---|
| @babel/traverse | 7.18.5 | critical | unknown | 7.23.2 ⊘ | CVE-2023-45133, GHSA-67hx-6x53-jw92 |
| @builder.io/qwik | 1.5.3 | critical | unknown | 1.19.1 ⊘ | CVE-2024-41677, CVE-2026-27971, GHSA-2rwj-7xq8-4gx4, GHSA-p9x5-jp3h-96mm |
| @builder.io/qwik | 1.5.5 | critical | unknown | 1.19.1 ⊘ | CVE-2024-41677, CVE-2026-27971, GHSA-2rwj-7xq8-4gx4, GHSA-p9x5-jp3h-96mm |
| @builder.io/qwik-city | 1.5.3 | critical | unknown | 1.19.2 ⊘ | CVE-2026-25149, CVE-2026-25148, CVE-2025-53620, CVE-2026-25151 |
| @builder.io/qwik-city | 1.5.5 | critical | unknown | 1.19.2 ⊘ | CVE-2026-25149, CVE-2026-25148, CVE-2025-53620, CVE-2026-25151 |
| cipher-base | 1.0.4 | critical | unknown | 1.0.5 ⊘ | CVE-2025-9287, GHSA-cpq7-6gpm-g9rc |
| ejs | 3.1.6 | critical | unknown | 3.1.10 ⊘ | CVE-2024-33883, CVE-2022-29078, GHSA-ghr5-ch3p-vcr6, GHSA-phwq-j96m-2c2q |
| elliptic | 6.5.5 | critical | unknown | 6.5.6 ⊘ | CVE-2024-48949, CVE-2024-42461, CVE-2025-14505, CVE-2024-42460 |
| form-data | 3.0.1 | critical | unknown | 3.0.4 ⊘ | CVE-2025-7783, GHSA-fjxv-7rqg-78g4 |
| form-data | 4.0.0 | critical | transitive · dev | 4.0.4 | CVE-2025-7783, GHSA-fjxv-7rqg-78g4 |
| handlebars | 4.7.7 | critical | unknown | 4.7.9 ⊘ | CVE-2026-33916, CVE-2026-33937, CVE-2026-33938, CVE-2026-33939 |
| loader-utils | 2.0.2 | critical | unknown | 2.0.4 ⊘ | CVE-2022-37603, CVE-2022-37601, CVE-2022-37599, GHSA-3rfm-jhwj-7488 |
| next | 13.5.5 | critical | unknown | 12.3.5 ⊘ | CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980 |
Note on
[email protected]: The fix hint12.3.5 ⊘reflects the OSV advisory's recorded safe version on a different major track — not a recommended downgrade. Next.js maintains separate security fix tracks per major; maintainers should consult the advisory directly before acting on cross-major version hints. | pbkdf2 | 3.1.2 | critical | unknown | 3.1.3 ⊘ | CVE-2025-6545, CVE-2025-6547, GHSA-h7cp-r72f-jxh6, GHSA-v62p-rq8g-8h59 | | sha.js | 2.4.11 | critical | unknown | 2.4.12 ⊘ | CVE-2025-9288, GHSA-95m3-7q98-8xr5 | | shell-quote | 1.7.3 | critical | transitive · dev | 1.8.4 | CVE-2026-9277, GHSA-w7jw-789q-3m8p | | shell-quote | 1.8.1 | critical | unknown | 1.8.4 | CVE-2026-9277, GHSA-w7jw-789q-3m8p | | vitest | 0.34.6 | critical | unknown | 4.1.0 ⊘ | CVE-2026-47429, GHSA-5xrq-8626-4rwp | | @angular/common | 18.2.14 | high | unknown | 19.2.16 ⊘ | CVE-2025-66035, GHSA-58c5-g7wp-6w37 | | @angular/compiler | 11.2.14 | high | unknown | 19.0.0 ⊘ | CVE-2026-22610, CVE-2025-66412, GHSA-jrmj-c5cx-3cw6, GHSA-v4hv-rgfq-gp49 | | @angular/compiler | 18.2.14 | high | unknown | 19.0.0 ⊘ | CVE-2026-32635, CVE-2026-22610, CVE-2025-66412, GHSA-g93w-mfhg-p222 | | @angular/core | 18.2.14 | high | unknown | 19.0.0 ⊘ | CVE-2026-32635, CVE-2026-22610, CVE-2026-27970, GHSA-g93w-mfhg-p222 | | @babel/plugin-transform-modules-systemjs | 7.18.5 | high | unknown | 7.29.4 ⊘ | CVE-2026-44728, GHSA-fv7c-fp4j-7gwp | | @babel/plugin-transform-modules-systemjs | 7.25.9 | high | unknown | 7.29.4 ⊘ | CVE-2026-44728, GHSA-fv7c-fp4j-7gwp | | axios | 0.21.4 | high | transitive · dev | 0.32.0 ⊘ | CVE-2026-44495, CVE-2025-62718, CVE-2026-25639, CVE-2026-42034 | | axios | 1.7.2 | high | transitive · dev | 1.16.0 | CVE-2026-44494, CVE-2026-44495, CVE-2025-62718, CVE-2026-42044 | | body-parser | 1.20.1 | high | unknown | 1.20.3 ⊘ | CVE-2024-45590, GHSA-qwcr-r2fm-qrc7 | | braces | 3.0.2 | high | transitive · dev | 3.0.3 | CVE-2024-4068, GHSA-grv7-fg5c-xmjg | | cross-spawn | 5.1.0 | high | transitive · dev | 6.0.6 | CVE-2024-21538, GHSA-3xgq-45jj-v275 | | cross-spawn | 6.0.5 | high | transitive · dev | 6.0.6 ⊘ | CVE-2024-21538, GHSA-3xgq-45jj-v275 | | cross-spawn | 7.0.3 | high | transitive · dev | 7.0.5 | CVE-2024-21538, GHSA-3xgq-45jj-v275 | | electron | 21.4.2 | high | unknown | 39.8.5 ⊘ | CVE-2026-34776, CVE-2026-34767, CVE-2026-34774, CVE-2026-34779 | | esbuild | 0.17.19 | high | direct | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | esbuild | 0.18.20 | high | direct | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | esbuild | 0.19.10 | high | direct · dev | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | esbuild | 0.23.0 | high | direct | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | fast-uri | 3.0.6 | high | unknown | 3.1.2 ⊘ | CVE-2026-6321, CVE-2026-6322, GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc | | flatted | 3.2.5 | high | transitive · dev | 3.4.2 | CVE-2026-32141, CVE-2026-33228, GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh | | glob | 10.3.10 | high | transitive · dev | 10.5.0 | CVE-2025-64756, GHSA-5j98-mcp5-4vw2 | | glob | 10.3.12 | high | unknown | 10.5.0 | CVE-2025-64756, GHSA-5j98-mcp5-4vw2 | | http-cache-semantics | 4.1.0 | high | unknown | 4.1.1 ⊘ | CVE-2022-25881, GHSA-rc47-6667-2j5j | | ip | 1.1.8 | high | unknown | 1.1.9 ⊘ | CVE-2024-29415, CVE-2023-42282, GHSA-2p57-rm9w-gvfp, GHSA-78xj-cgh5-2h22 | | js-cookie | 2.2.1 | high | unknown | 3.0.7 ⊘ | CVE-2026-46625, GHSA-qjx8-664m-686j | | json5 | 1.0.1 | high | unknown | 1.0.2 ⊘ | CVE-2022-46175, GHSA-9c47-m6qq-7p4h | | json5 | 2.2.1 | high | unknown | 2.2.2 ⊘ | CVE-2022-46175, GHSA-9c47-m6qq-7p4h | | lodash | 4.17.21 | high | unknown | 4.18.0 ⊘ | CVE-2026-2950, CVE-2026-4800, CVE-2025-13465, GHSA-f23m-r3pf-42rh | | lodash-es | 4.17.21 | high | unknown | 4.18.0 ⊘ | CVE-2026-2950, CVE-2026-4800, CVE-2025-13465, GHSA-f23m-r3pf-42rh | | merge | 1.2.1 | high | unknown | 2.1.1 ⊘ | CVE-2020-28499, GHSA-7wpw-2hjm-89gp | | minimatch | 3.1.2 | high | transitive · dev | 3.1.4 | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 5.1.0 | high | unknown | 5.1.8 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 7.4.6 | high | unknown | 7.4.8 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 9.0.3 | high | transitive · dev | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 9.0.4 | high | unknown | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | node-forge | 1.3.1 | high | unknown | 1.4.0 ⊘ | CVE-2026-33896, CVE-2025-66031, CVE-2025-12816, CVE-2026-33891 | | path-to-regexp | 0.1.7 | high | unknown | 0.1.13 ⊘ | CVE-2026-4867, CVE-2024-45296, CVE-2024-52798, GHSA-37ch-88jc-xwx2 | | path-to-regexp | 6.2.2 | high | unknown | 6.3.0 ⊘ | CVE-2024-45296, GHSA-9wv6-86v2-598j | | picomatch | 2.3.1 | high | transitive · dev | 2.3.2 | CVE-2026-33672, CVE-2026-33671, GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj | | picomatch | 4.0.2 | high | unknown | 4.0.4 ⊘ | CVE-2026-33672, CVE-2026-33671, GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj | | playwright | 1.48.0 | high | unknown | 1.55.1 ⊘ | CVE-2025-59288, GHSA-7mvr-c777-76hp | | rollup | 1.32.1 | high | unknown | 2.80.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc | | rollup | 2.75.7 | high | unknown | 2.80.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc | | rollup | 3.29.4 | high | unknown | 3.30.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc | | rollup | 4.22.4 | high | unknown | 4.59.0 ⊘ | CVE-2026-27606, GHSA-mw96-cpmx-2vgc | | semver | 5.7.1 | high | transitive · dev | 5.7.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 6.3.0 | high | unknown | 6.3.1 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 7.0.0 | high | unknown | 7.5.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 7.3.5 | high | unknown | 7.5.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 7.3.7 | high | transitive · dev | 7.5.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | serialize-javascript | 6.0.2 | high | unknown | 7.0.5 ⊘ | CVE-2026-34043, GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v | | seroval | 0.12.4 | high | unknown | 1.4.1 ⊘ | CVE-2026-24006, CVE-2026-23737, CVE-2026-23957, CVE-2026-23736 | | socket.io-parser | 4.2.2 | high | unknown | 4.2.6 ⊘ | CVE-2026-33151, CVE-2023-32695, GHSA-677m-j7p3-52f9, GHSA-cqmj-92xf-r6r9 | | solid-js | 1.4.4 | high | unknown | 1.9.4 ⊘ | CVE-2025-27109, GHSA-3qxh-p7jc-5xh6 | | solid-js | 1.4.5 | high | unknown | 1.9.4 ⊘ | CVE-2025-27109, GHSA-3qxh-p7jc-5xh6 | | solid-js | 1.8.5 | high | unknown | 1.9.4 ⊘ | CVE-2025-27109, GHSA-3qxh-p7jc-5xh6 | | svelte | 3.53.1 | high | unknown | 5.55.7 ⊘ | CVE-2024-45047, CVE-2026-27125, CVE-2026-27121, CVE-2026-27122 | | svgo | 3.2.0 | high | unknown | 3.3.3 ⊘ | CVE-2026-29074, GHSA-xpqw-6gx7-v673 | | tar | 6.1.11 | high | transitive · dev | 7.5.11 ⊘ | CVE-2026-24842, CVE-2026-26960, CVE-2026-23745, CVE-2026-31802 | | tar | 6.2.1 | high | transitive · dev | 7.5.11 ⊘ | CVE-2026-24842, CVE-2026-26960, CVE-2026-23745, CVE-2026-31802 | | tmp | 0.0.33 | high | transitive · dev | 0.2.6 ⊘ | CVE-2025-54798, CVE-2026-44705, GHSA-52f5-9888-hmc6, GHSA-ph9p-34f9-6g65 | | tmp | 0.2.1 | high | transitive · dev | 0.2.6 | CVE-2025-54798, CVE-2026-44705, GHSA-52f5-9888-hmc6, GHSA-ph9p-34f9-6g65 | | undici | 5.20.0 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2024-24758, CVE-2026-1527, CVE-2024-30261 | | undici | 5.28.4 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2026-1527, CVE-2025-22150, CVE-2025-47279 | | undici | 6.15.0 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2024-38372, CVE-2026-1527, CVE-2025-22150 | | undici | 6.18.2 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2024-38372, CVE-2026-1527, CVE-2025-22150 | | vite | 4.5.0 | high | unknown | 6.4.2 ⊘ | CVE-2025-32395, CVE-2025-31125, CVE-2026-39365, CVE-2024-45812 | | wrangler | 3.53.0 | high | unknown | 3.114.17 ⊘ | CVE-2026-0933, GHSA-36p8-mvp6-cv38 | | ws | 8.11.0 | high | unknown | 8.20.1 ⊘ | CVE-2024-37890, CVE-2026-45736, GHSA-3h5v-q93c-6h6q, GHSA-58qx-3vcg-4xpx | | ws | 8.12.1 | high | unknown | 8.20.1 ⊘ | CVE-2024-37890, CVE-2026-45736, GHSA-3h5v-q93c-6h6q, GHSA-58qx-3vcg-4xpx | | @babel/helpers | 7.18.2 | medium | unknown | 7.26.10 ⊘ | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.18.3 | medium | transitive · dev | 7.26.10 | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.18.9 | medium | unknown | 7.26.10 ⊘ | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.23.2 | medium | unknown | 7.26.10 ⊘ | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.23.9 | medium | transitive · dev | 7.26.10 | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | ajv | 6.12.6 | medium | transitive · dev | 6.14.0 ⊘ | CVE-2025-69873, GHSA-2g4f-4pwh-qvx6 | | ajv | 8.11.0 | medium | transitive · dev | 8.18.0 | CVE-2025-69873, GHSA-2g4f-4pwh-qvx6 | | ajv | 8.17.1 | medium | unknown | 8.18.0 ⊘ | CVE-2025-69873, GHSA-2g4f-4pwh-qvx6 | | bn.js | 4.12.0 | medium | unknown | 4.12.3 ⊘ | CVE-2026-2739, GHSA-378v-28hj-76wf | | bn.js | 5.2.1 | medium | unknown | 5.2.3 ⊘ | CVE-2026-2739, GHSA-378v-28hj-76wf | | brace-expansion | 1.1.11 | medium | transitive · dev | 1.1.13 | CVE-2026-33750, CVE-2025-5889, GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw | | brace-expansion | 2.0.1 | medium | transitive · dev | 2.0.3 | CVE-2026-33750, CVE-2025-5889, GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw | | engine.io | 6.4.1 | medium | unknown | 6.4.2 ⊘ | CVE-2023-31125, GHSA-q9mw-68c2-j6m5 | | esbuild | 0.12.29 | medium | direct | 0.25.0 ⊘ | GHSA-67mh-4wv8-2f99 | | esbuild | 0.14.54 | medium | direct | 0.25.0 ⊘ | GHSA-67mh-4wv8-2f99 | | express | 4.18.2 | medium | unknown | 4.20.0 ⊘ | CVE-2024-43796, CVE-2024-29041, GHSA-qw6h-vgh9-j6wx, GHSA-rv95-896h-c2vc | | follow-redirects | 1.15.1 | medium | transitive · dev | 1.16.0 | CVE-2024-28849, CVE-2023-26159, GHSA-cxjh-pqwp-8mfp, GHSA-jchw-25xp-jwwc | | follow-redirects | 1.15.6 | medium | transitive · dev | 1.16.0 | GHSA-r4q5-vmmm-2653 | | got | 9.6.0 | medium | unknown | 11.8.5 ⊘ | CVE-2022-33987, GHSA-pfrx-2q88-qq97 | | ip-address | 9.0.5 | medium | unknown | 10.1.1 ⊘ | CVE-2026-42338, GHSA-v2v4-37r5-5v8g | | js-yaml | 3.14.1 | medium | transitive · dev | 3.14.2 | CVE-2025-64718, GHSA-mh29-5h37-fv8m | | js-yaml | 4.1.0 | medium | unknown | 4.1.1 ⊘ | CVE-2025-64718, GHSA-mh29-5h37-fv8m | | lodash.trim | 4.5.1 | medium | unknown | 4.18.0 ⊘ | CVE-2020-28500, GHSA-29mw-wpgm-hmr9 | | lodash.trimend | 4.5.1 | medium | unknown | 4.18.0 ⊘ | CVE-2020-28500, GHSA-29mw-wpgm-hmr9 | | mdast-util-to-hast | 13.1.0 | medium | unknown | 13.2.1 ⊘ | CVE-2025-66400, GHSA-4fh9-h7wg-q85m | | micromatch | 4.0.5 | medium | transitive · dev | 4.0.8 | CVE-2024-4067, GHSA-952p-6rrq-rcjv | | nanoid | 3.3.4 | medium | unknown | 3.3.8 ⊘ | CVE-2024-55565, GHSA-mwcw-c2x4-8c55 | | nanoid | 3.3.6 | medium | unknown | 3.3.8 ⊘ | CVE-2024-55565, GHSA-mwcw-c2x4-8c55 | | nanoid | 3.3.7 | medium | unknown | 3.3.8 ⊘ | CVE-2024-55565, GHSA-mwcw-c2x4-8c55 | | postcss | 8.4.14 | medium | unknown | 8.5.10 ⊘ | CVE-2023-44270, CVE-2026-41305, GHSA-7fh5-64p2-3v2j, GHSA-qx2v-qp2m-jg93 | | postcss | 8.4.31 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | postcss | 8.4.38 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | postcss | 8.4.41 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | postcss | 8.5.3 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | prismjs | 1.29.0 | medium | unknown | 1.30.0 ⊘ | CVE-2024-53382, GHSA-x7hr-w5r2-h6wg | | qs | 6.10.5 | medium | unknown | 6.14.2 ⊘ | CVE-2025-15284, CVE-2026-2391, GHSA-6rw7-vpxm-498p, GHSA-w7fw-mjwx-w883 | | qs | 6.11.0 | medium | unknown | 6.14.2 ⊘ | CVE-2025-15284, CVE-2026-2391, GHSA-6rw7-vpxm-498p, GHSA-w7fw-mjwx-w883 | | qs | 6.12.1 | medium | unknown | 6.15.2 ⊘ | CVE-2025-15284, CVE-2026-8723, CVE-2026-2391, GHSA-6rw7-vpxm-498p | | socket.io | 4.6.1 | medium | unknown | 4.6.2 ⊘ | CVE-2024-38355, GHSA-25hc-qcg6-38wj | | svelte | 3.59.2 | medium | unknown | 5.55.7 ⊘ | CVE-2024-45047, CVE-2026-27125, CVE-2026-27121, CVE-2026-27122 | | svelte | 4.2.1 | medium | unknown | 5.55.7 ⊘ | CVE-2024-45047, CVE-2026-27125, CVE-2026-27121, CVE-2026-27122 | | uuid | 8.3.2 | medium | unknown | 11.1.1 ⊘ | CVE-2026-41907, GHSA-w5hq-g745-h8pq | | vue-template-compiler | 2.7.15 | medium | unknown | ⚠ no fix | CVE-2024-6783, GHSA-g3ch-rx76-35fx | | webpack-dev-server | 5.2.2 | medium | unknown | 5.2.4 ⊘ | CVE-2026-6402, GHSA-79cf-xcqc-c78w | | word-wrap | 1.2.3 | medium | transitive · dev | 1.2.4 | CVE-2023-26115, GHSA-j8xg-fqg3-53r7 | | yaml | 1.10.2 | medium | unknown | 1.10.3 ⊘ | CVE-2026-33532, GHSA-48c2-rrv3-qjmp | | yaml | 2.4.2 | medium | unknown | 2.8.3 ⊘ | CVE-2026-33532, GHSA-48c2-rrv3-qjmp | | @tootallnate/once | 1.1.2 | low | unknown | 2.0.1 ⊘ | CVE-2026-3449, GHSA-vpq2-c234-7xj6 | | @tootallnate/once | 2.0.0 | low | unknown | 2.0.1 ⊘ | CVE-2026-3449, GHSA-vpq2-c234-7xj6 | | cookie | 0.4.2 | low | unknown | 0.7.0 ⊘ | CVE-2024-47764, GHSA-pxg6-pf52-xh8x | | cookie | 0.5.0 | low | unknown | 0.7.0 ⊘ | CVE-2024-47764, GHSA-pxg6-pf52-xh8x | | diff | 4.0.2 | low | unknown | 4.0.4 ⊘ | CVE-2026-24001, GHSA-73rr-hh4g-fpgx | | on-headers | 1.0.2 | low | unknown | 1.1.0 ⊘ | CVE-2025-7339, GHSA-76c9-3jph-rj3q | | send | 0.18.0 | low | unknown | 0.19.0 ⊘ | CVE-2024-43799, GHSA-m6fv-jmcg-4jfg | | serve-static | 1.15.0 | low | unknown | 1.16.0 ⊘ | CVE-2024-43800, GHSA-cm22-4g7w-348p | | vue | 2.6.14 | low | unknown | 3.0.1 ⊘ | CVE-2024-9506, GHSA-5j4c-8p2g-v4jx | | webpack | 5.94.0 | low | unknown | 5.104.1 ⊘ | CVE-2025-68157, CVE-2025-68458, GHSA-38r7-794h-5758, GHSA-8fgc-7cc6-rx7x |
Want your project reviewed?
If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the CVE Lite CLI repository.
Please include:
- the repository link
- why the project would make a useful case study
- whether the dependency graph is publicly reproducible
Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows.