Skip to main content

Mitosis Case Study

Verified baseline scan — CVE Lite CLI v1.22.0 · 2026-06-14

Mitosis logo

Summary

  • Project: Mitosis — cross-framework UI compiler from Builder.io (write once, compile to React, Vue, Angular, Svelte, Solid, Qwik, Alpine, and more)
  • Revision: a2434f9632438133ce08e17b0b646de378dfb5ca
  • Lockfile: root yarn.lock (Yarn Berry 4.1.1 + Nx monorepo, workspaces packages/*, e2e/*)
  • Baseline findings: 145 unique vulnerable packages (18 critical · 70 high · 47 medium · 10 low)
  • OSV advisory matches: 256 CVE/advisory entries deduplicated into 145 packages
  • Direct vs transitive vs unknown: 6 direct / 30 transitive / 109 unknown
  • Validated fix command groups generated: 5
  • First-pass coverage: 27 of 145 findings have confident copy-and-run commands
  • yarn npm audit --all (same lockfile, default workspace scope): 3 vulnerability entries on root direct deps (1 high · 2 moderate)
  • Remediation applied in this study: five root-level command groups applied cumulatively on a test checkout of Mitosis@a2434f9 (2026-06-20), rescanned through the committed lockfile fixture after each pass

This fixture pins the root package.json and yarn.lock only. Mitosis upstream also ships workspace packages under packages/*, e2e/*, and generated e2e output paths — all resolved into the single root lockfile. No nested lockfiles are included separately.


What this case study demonstrates

Mitosis adds cross-framework compiler / codegen monorepo coverage — distinct from Storybook (UI tooling sandboxes), Svelte (compiler-only pnpm graph), and single-framework snapshots. The upstream repo is a Yarn Berry + Nx monorepo spanning compiler packages, e2e sandboxes, and multi-framework test fixtures at 2,476 resolved packages.

The 109 unknown relationship rows are the defining Yarn Berry MVP pattern on a lockfile-only snapshot. Without full workspace importer paths or node_modules, CVE Lite cannot classify most e2e sandbox packages (@builder.io/qwik, next, handlebars, Angular/Svelte/Solid fixtures) as direct or transitive — even though they are clearly present in yarn.lock.

Critical sandbox/tooling cluster: @builder.io/qwik, @builder.io/qwik-city, [email protected], handlebars, ejs, form-data, [email protected] — mostly e2e / framework compile-test paths, not Mitosis npm consumer surface.

Six direct esbuild versions (0.12.29 through 0.23.0) — all direct findings are esbuild version fragmentation on the root manifest surface, not application runtime deps. CVE Lite generates yarn add [email protected] as validated target across all six direct rows.

Critical direct-adjacent: [email protected] — within-range lockfile refresh via yarn upgrade shell-quote.

Nx orchestration path: yarn add [email protected] for critical [email protected] via project → nx → axios chain.

High within-range refresh cluster: axios, braces, cross-spawn, flatted, glob, minimatch, picomatch, tmp — grouped lockfile refresh commands.


Comparison Note: CVE Lite CLI vs yarn npm audit

Both tools were run against the same yarn.lock on the same machine on 2026-06-14.

Metricyarn npm audit --all (4.1.1, default)CVE Lite CLI v1.22.0
Total reported findings3145
Critical018
High170
Moderate / Medium247
Low010
Direct vs transitive breakdown✓ (6 / 30 / 109 unknown)
Full lockfile package parse✗ (root workspace direct deps only)✓ (2,476 packages)
Deduplicated package view
Validated fix targetspartial
Copy-and-run command groups✓ (5 groups)
Skipped findings with reason✓ (118 entries)

Why the totals differ — and why that is not a coverage gap:

By default, yarn npm audit --all on this lockfile-only snapshot checks direct dependencies for the active workspace only. That means three advisories on root direct deps — two [email protected] advisories (high + moderate) and one [email protected] deprecation (moderate).

CVE Lite parses the entire yarn.lock — including e2e Qwik sandboxes, Next.js fixtures, Angular/Svelte/Solid compile-test graphs, and Nx orchestration chains — and reports 145 unique vulnerable package versions.

Running yarn npm audit -AR on this fixture without a full monorepo install does not produce a comparable full-graph audit. CVE Lite's value on a committed lockfile snapshot is that it works without installing 2,400+ packages.

Fix guidance differs materially:

yarn npm audit lists esbuild advisories on the one root-resolved version but does not consolidate six pinned esbuild majors or produce parent upgrades for Qwik/Next sandbox chains. CVE Lite generates five command groups covering 27 findings — including yarn add [email protected], yarn add [email protected], and grouped yarn upgrade refreshes.


Before vs After

Remediation results from applying the scanner's root-level command groups one at a time on a test checkout of Mitosis@a2434f9 (Yarn 4.1.1), rescanned through the committed examples/mitosis lockfile fixture after each pass (CVE Lite v1.22.0 · 2026-06-20). On Yarn 4, within-range refreshes were applied with yarn up -R (equivalent to the scanner's yarn upgrade output). OSV advisory updates since the 2026-06-14 baseline add eight packages to the starting count (153 vs 145 in the table below).

StageFindingsCriticalHighMediumLowDirectTransitiveUnknownCommand groups
Baseline (verified)153186853146301176
After critical parent upgrade ([email protected])153186853146291186
After critical within-range refresh (shell-quote)151166853146281175
After high parent upgrade (@changesets/[email protected])149166752146241195
After high within-range refreshes135155551146121172
After medium direct fix ([email protected])135155551146121172
After medium within-range refreshes12415554014671113

The finding count dropped from 153 to 124 across five actionable command groups (six scanner sections — the [email protected] parent upgrade alone did not reduce the deduplicated finding count on this snapshot, but subsequent passes did). High-severity findings dropped from 68 to 55; medium from 53 to 40. The command surface shrank from 6 groups to 3, and the remaining groups point at sandbox/tooling parent chains rather than root lockfile refreshes. 111 unknown-relationship findings remain — overwhelmingly e2e sandbox packages where Yarn Berry path reconstruction is limited in this MVP.


Fix Journey

On a monorepo this size, the instinct is to chase the 18 critical findings first. CVE Lite surfaces Qwik, Next.js, handlebars, and vitest critical rows but generates no auto-install commands for most — each is unknown relationship with incomplete parent-chain data in the Yarn Berry lockfile MVP. The five root-level command groups below were applied cumulatively on a test checkout; each block lists the scanner output and the measured rescan delta.

Pass 1 — critical parent upgrade ([email protected]):

Targets the project → nx → axios → form-data chain. Applied cleanly on Yarn 4.1.1. Finding count unchanged at 153 — other form-data paths and critical sandbox rows remain open.

Pass 2 — critical within-range refresh (shell-quote):

yarn up -R shell-quote

Clears both critical shell-quote rows (1.7.3 transitive and 1.8.1 unknown). Findings 153 → 151; critical 18 → 16.

Pass 3 — high parent upgrade (@changesets/[email protected]):

yarn add @changesets/[email protected]

Partial coverage on the [email protected] path via @changesets/cli → spawndamnit. Findings 151 → 149; high 68 → 67.

Pass 4 — high within-range refreshes:

yarn up -R axios && yarn up -R braces && yarn up -R cross-spawn && yarn up -R flatted && yarn up -R glob && yarn up -R minimatch && yarn up -R picomatch && yarn up -R tmp

Largest single drop: findings 149 → 135; high 67 → 55; command groups 5 → 2.

Pass 5 — medium direct fix ([email protected]):

Consolidates the six pinned root esbuild majors to one validated target. No additional finding reduction on this snapshot (135 unchanged) — remaining esbuild rows are older lockfile-resolved versions outside the root manifest surface.

Pass 6 — medium within-range refreshes:

yarn up -R @babel/runtime && yarn up -R ajv && yarn up -R brace-expansion && yarn up -R follow-redirects && yarn up -R js-yaml && yarn up -R micromatch && yarn up -R word-wrap

Findings 135 → 124; medium 51 → 40; transitive 12 → 7.

After six passes, 124 findings remain — including 15 critical sandbox/tooling packages (Qwik, Next.js, handlebars, vitest, and others) that require e2e fixture bumps or upstream releases, not root yarn add guesses.


Why this matters

Mitosis maintainers work inside a monorepo whose lockfile encodes the entire cross-framework compile-test matrix. A developer running default yarn npm audit --all at the repo root sees three advisories on esbuild and eslint. A lockfile scan reveals 145 vulnerable packages including critical paths in Qwik e2e sandboxes, Next.js fixtures, and crypto/template tooling chains.

That gap is operationally significant for any team using Mitosis as a reference for dependency health. The risk is not only in @builder.io/mitosis packages consumers install — it is in the e2e and multi-framework sandbox layer Mitosis uses to verify React, Vue, Qwik, Svelte, Solid, and other output targets.

CVE Lite answers the useful pre-release question in one pass: copy-and-run commands for what Mitosis controls directly (esbuild, nx, lockfile refreshes), 18 critical findings routed to sandbox/tooling chains, and 118 skipped entries explaining why the rest are not auto-fixable.


Scan command

Run from the Mitosis repository root or from the examples/mitosis directory in this repository:

cve-lite . --verbose --all

The example lockfile reflects Mitosis at revision a2434f9632438133ce08e17b0b646de378dfb5ca. OSV advisory data changes over time — re-scanning may show different counts on the same revision.

Every number in this case study comes from a live scan of the committed fixture at examples/mitosis/ in the CVE Lite CLI repository.

FieldValue
Scan date2026-06-14
CLI versionv1.22.0
CVE Lite commandnode dist/index.js examples/mitosis --verbose --all --json
yarn audit commandyarn npm audit --all (Yarn 4.1.1, default direct-deps scope)
Advisory sourceOSV (https://api.osv.dev) — online mode
Lockfile sourceexamples/mitosis/yarn.lock from BuilderIO/mitosis@a2434f9
Packages parsed (CVE Lite)2,476
Unique vulnerable packages (CVE Lite)145
Vulnerability entries (yarn npm audit --all)3
Fix command groups (CVE Lite)5
First-pass covered findings (CVE Lite)27
Skipped findings with reason (CVE Lite)118

Reproduce CVE Lite locally from the repository root:

npm install
npm run build
node dist/index.js examples/mitosis --verbose --all

Reproduce yarn npm audit from the example directory:

cd examples/mitosis
yarn npm audit --all

Both tools were run against the same root yarn.lock on the same machine on 2026-06-14.


Remaining risk after baseline scan

After the measured remediation passes above, 124 findings remain open (down from 153 at the 2026-06-20 rescan baseline). The 2026-06-14 baseline table below still lists 145 packages — eight fewer than the June 20 OSV snapshot.

  • 18 critical: Qwik/Qwik City e2e sandboxes, [email protected], handlebars, ejs, form-data, [email protected], crypto tooling (cipher-base, elliptic, pbkdf2, sha.js), shell-quote
  • 70 high: six direct esbuild rows plus Angular, Solid, Svelte, undici, rollup, and sandbox toolchain packages
  • 47 medium: multiple postcss, @babel/runtime, ajv, brace-expansion rows across compile-test fixtures
  • 10 low: legacy cookie, [email protected], webpack sandbox paths

111 unknown-relationship findings remain without a confident copy-and-run command after all passes (see scan skip reasons).


Baseline findings

Full vulnerable package list from the verified scan on 2026-06-14 (revision a2434f9):

PackageVersionSeverityRelationshipFix hintAdvisory IDs
@babel/traverse7.18.5criticalunknown7.23.2 ⊘CVE-2023-45133, GHSA-67hx-6x53-jw92
@builder.io/qwik1.5.3criticalunknown1.19.1 ⊘CVE-2024-41677, CVE-2026-27971, GHSA-2rwj-7xq8-4gx4, GHSA-p9x5-jp3h-96mm
@builder.io/qwik1.5.5criticalunknown1.19.1 ⊘CVE-2024-41677, CVE-2026-27971, GHSA-2rwj-7xq8-4gx4, GHSA-p9x5-jp3h-96mm
@builder.io/qwik-city1.5.3criticalunknown1.19.2 ⊘CVE-2026-25149, CVE-2026-25148, CVE-2025-53620, CVE-2026-25151
@builder.io/qwik-city1.5.5criticalunknown1.19.2 ⊘CVE-2026-25149, CVE-2026-25148, CVE-2025-53620, CVE-2026-25151
cipher-base1.0.4criticalunknown1.0.5 ⊘CVE-2025-9287, GHSA-cpq7-6gpm-g9rc
ejs3.1.6criticalunknown3.1.10 ⊘CVE-2024-33883, CVE-2022-29078, GHSA-ghr5-ch3p-vcr6, GHSA-phwq-j96m-2c2q
elliptic6.5.5criticalunknown6.5.6 ⊘CVE-2024-48949, CVE-2024-42461, CVE-2025-14505, CVE-2024-42460
form-data3.0.1criticalunknown3.0.4 ⊘CVE-2025-7783, GHSA-fjxv-7rqg-78g4
form-data4.0.0criticaltransitive · dev4.0.4CVE-2025-7783, GHSA-fjxv-7rqg-78g4
handlebars4.7.7criticalunknown4.7.9 ⊘CVE-2026-33916, CVE-2026-33937, CVE-2026-33938, CVE-2026-33939
loader-utils2.0.2criticalunknown2.0.4 ⊘CVE-2022-37603, CVE-2022-37601, CVE-2022-37599, GHSA-3rfm-jhwj-7488
next13.5.5criticalunknown12.3.5 ⊘CVE-2026-44573, CVE-2026-44572, CVE-2025-48068, CVE-2026-27980

Note on [email protected]: The fix hint 12.3.5 ⊘ reflects the OSV advisory's recorded safe version on a different major track — not a recommended downgrade. Next.js maintains separate security fix tracks per major; maintainers should consult the advisory directly before acting on cross-major version hints. | pbkdf2 | 3.1.2 | critical | unknown | 3.1.3 ⊘ | CVE-2025-6545, CVE-2025-6547, GHSA-h7cp-r72f-jxh6, GHSA-v62p-rq8g-8h59 | | sha.js | 2.4.11 | critical | unknown | 2.4.12 ⊘ | CVE-2025-9288, GHSA-95m3-7q98-8xr5 | | shell-quote | 1.7.3 | critical | transitive · dev | 1.8.4 | CVE-2026-9277, GHSA-w7jw-789q-3m8p | | shell-quote | 1.8.1 | critical | unknown | 1.8.4 | CVE-2026-9277, GHSA-w7jw-789q-3m8p | | vitest | 0.34.6 | critical | unknown | 4.1.0 ⊘ | CVE-2026-47429, GHSA-5xrq-8626-4rwp | | @angular/common | 18.2.14 | high | unknown | 19.2.16 ⊘ | CVE-2025-66035, GHSA-58c5-g7wp-6w37 | | @angular/compiler | 11.2.14 | high | unknown | 19.0.0 ⊘ | CVE-2026-22610, CVE-2025-66412, GHSA-jrmj-c5cx-3cw6, GHSA-v4hv-rgfq-gp49 | | @angular/compiler | 18.2.14 | high | unknown | 19.0.0 ⊘ | CVE-2026-32635, CVE-2026-22610, CVE-2025-66412, GHSA-g93w-mfhg-p222 | | @angular/core | 18.2.14 | high | unknown | 19.0.0 ⊘ | CVE-2026-32635, CVE-2026-22610, CVE-2026-27970, GHSA-g93w-mfhg-p222 | | @babel/plugin-transform-modules-systemjs | 7.18.5 | high | unknown | 7.29.4 ⊘ | CVE-2026-44728, GHSA-fv7c-fp4j-7gwp | | @babel/plugin-transform-modules-systemjs | 7.25.9 | high | unknown | 7.29.4 ⊘ | CVE-2026-44728, GHSA-fv7c-fp4j-7gwp | | axios | 0.21.4 | high | transitive · dev | 0.32.0 ⊘ | CVE-2026-44495, CVE-2025-62718, CVE-2026-25639, CVE-2026-42034 | | axios | 1.7.2 | high | transitive · dev | 1.16.0 | CVE-2026-44494, CVE-2026-44495, CVE-2025-62718, CVE-2026-42044 | | body-parser | 1.20.1 | high | unknown | 1.20.3 ⊘ | CVE-2024-45590, GHSA-qwcr-r2fm-qrc7 | | braces | 3.0.2 | high | transitive · dev | 3.0.3 | CVE-2024-4068, GHSA-grv7-fg5c-xmjg | | cross-spawn | 5.1.0 | high | transitive · dev | 6.0.6 | CVE-2024-21538, GHSA-3xgq-45jj-v275 | | cross-spawn | 6.0.5 | high | transitive · dev | 6.0.6 ⊘ | CVE-2024-21538, GHSA-3xgq-45jj-v275 | | cross-spawn | 7.0.3 | high | transitive · dev | 7.0.5 | CVE-2024-21538, GHSA-3xgq-45jj-v275 | | electron | 21.4.2 | high | unknown | 39.8.5 ⊘ | CVE-2026-34776, CVE-2026-34767, CVE-2026-34774, CVE-2026-34779 | | esbuild | 0.17.19 | high | direct | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | esbuild | 0.18.20 | high | direct | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | esbuild | 0.19.10 | high | direct · dev | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | esbuild | 0.23.0 | high | direct | 0.28.1 | GHSA-67mh-4wv8-2f99, GHSA-gv7w-rqvm-qjhr | | fast-uri | 3.0.6 | high | unknown | 3.1.2 ⊘ | CVE-2026-6321, CVE-2026-6322, GHSA-q3j6-qgpj-74h6, GHSA-v39h-62p7-jpjc | | flatted | 3.2.5 | high | transitive · dev | 3.4.2 | CVE-2026-32141, CVE-2026-33228, GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh | | glob | 10.3.10 | high | transitive · dev | 10.5.0 | CVE-2025-64756, GHSA-5j98-mcp5-4vw2 | | glob | 10.3.12 | high | unknown | 10.5.0 | CVE-2025-64756, GHSA-5j98-mcp5-4vw2 | | http-cache-semantics | 4.1.0 | high | unknown | 4.1.1 ⊘ | CVE-2022-25881, GHSA-rc47-6667-2j5j | | ip | 1.1.8 | high | unknown | 1.1.9 ⊘ | CVE-2024-29415, CVE-2023-42282, GHSA-2p57-rm9w-gvfp, GHSA-78xj-cgh5-2h22 | | js-cookie | 2.2.1 | high | unknown | 3.0.7 ⊘ | CVE-2026-46625, GHSA-qjx8-664m-686j | | json5 | 1.0.1 | high | unknown | 1.0.2 ⊘ | CVE-2022-46175, GHSA-9c47-m6qq-7p4h | | json5 | 2.2.1 | high | unknown | 2.2.2 ⊘ | CVE-2022-46175, GHSA-9c47-m6qq-7p4h | | lodash | 4.17.21 | high | unknown | 4.18.0 ⊘ | CVE-2026-2950, CVE-2026-4800, CVE-2025-13465, GHSA-f23m-r3pf-42rh | | lodash-es | 4.17.21 | high | unknown | 4.18.0 ⊘ | CVE-2026-2950, CVE-2026-4800, CVE-2025-13465, GHSA-f23m-r3pf-42rh | | merge | 1.2.1 | high | unknown | 2.1.1 ⊘ | CVE-2020-28499, GHSA-7wpw-2hjm-89gp | | minimatch | 3.1.2 | high | transitive · dev | 3.1.4 | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 5.1.0 | high | unknown | 5.1.8 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 7.4.6 | high | unknown | 7.4.8 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 9.0.3 | high | transitive · dev | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | minimatch | 9.0.4 | high | unknown | 9.0.7 ⊘ | CVE-2026-27904, CVE-2026-26996, CVE-2026-27903, GHSA-23c5-xmqv-rm74 | | node-forge | 1.3.1 | high | unknown | 1.4.0 ⊘ | CVE-2026-33896, CVE-2025-66031, CVE-2025-12816, CVE-2026-33891 | | path-to-regexp | 0.1.7 | high | unknown | 0.1.13 ⊘ | CVE-2026-4867, CVE-2024-45296, CVE-2024-52798, GHSA-37ch-88jc-xwx2 | | path-to-regexp | 6.2.2 | high | unknown | 6.3.0 ⊘ | CVE-2024-45296, GHSA-9wv6-86v2-598j | | picomatch | 2.3.1 | high | transitive · dev | 2.3.2 | CVE-2026-33672, CVE-2026-33671, GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj | | picomatch | 4.0.2 | high | unknown | 4.0.4 ⊘ | CVE-2026-33672, CVE-2026-33671, GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj | | playwright | 1.48.0 | high | unknown | 1.55.1 ⊘ | CVE-2025-59288, GHSA-7mvr-c777-76hp | | rollup | 1.32.1 | high | unknown | 2.80.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc | | rollup | 2.75.7 | high | unknown | 2.80.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc | | rollup | 3.29.4 | high | unknown | 3.30.0 ⊘ | CVE-2024-47068, CVE-2026-27606, GHSA-gcx4-mw62-g8wm, GHSA-mw96-cpmx-2vgc | | rollup | 4.22.4 | high | unknown | 4.59.0 ⊘ | CVE-2026-27606, GHSA-mw96-cpmx-2vgc | | semver | 5.7.1 | high | transitive · dev | 5.7.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 6.3.0 | high | unknown | 6.3.1 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 7.0.0 | high | unknown | 7.5.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 7.3.5 | high | unknown | 7.5.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | semver | 7.3.7 | high | transitive · dev | 7.5.2 ⊘ | CVE-2022-25883, GHSA-c2qf-rxjj-qqgw | | serialize-javascript | 6.0.2 | high | unknown | 7.0.5 ⊘ | CVE-2026-34043, GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v | | seroval | 0.12.4 | high | unknown | 1.4.1 ⊘ | CVE-2026-24006, CVE-2026-23737, CVE-2026-23957, CVE-2026-23736 | | socket.io-parser | 4.2.2 | high | unknown | 4.2.6 ⊘ | CVE-2026-33151, CVE-2023-32695, GHSA-677m-j7p3-52f9, GHSA-cqmj-92xf-r6r9 | | solid-js | 1.4.4 | high | unknown | 1.9.4 ⊘ | CVE-2025-27109, GHSA-3qxh-p7jc-5xh6 | | solid-js | 1.4.5 | high | unknown | 1.9.4 ⊘ | CVE-2025-27109, GHSA-3qxh-p7jc-5xh6 | | solid-js | 1.8.5 | high | unknown | 1.9.4 ⊘ | CVE-2025-27109, GHSA-3qxh-p7jc-5xh6 | | svelte | 3.53.1 | high | unknown | 5.55.7 ⊘ | CVE-2024-45047, CVE-2026-27125, CVE-2026-27121, CVE-2026-27122 | | svgo | 3.2.0 | high | unknown | 3.3.3 ⊘ | CVE-2026-29074, GHSA-xpqw-6gx7-v673 | | tar | 6.1.11 | high | transitive · dev | 7.5.11 ⊘ | CVE-2026-24842, CVE-2026-26960, CVE-2026-23745, CVE-2026-31802 | | tar | 6.2.1 | high | transitive · dev | 7.5.11 ⊘ | CVE-2026-24842, CVE-2026-26960, CVE-2026-23745, CVE-2026-31802 | | tmp | 0.0.33 | high | transitive · dev | 0.2.6 ⊘ | CVE-2025-54798, CVE-2026-44705, GHSA-52f5-9888-hmc6, GHSA-ph9p-34f9-6g65 | | tmp | 0.2.1 | high | transitive · dev | 0.2.6 | CVE-2025-54798, CVE-2026-44705, GHSA-52f5-9888-hmc6, GHSA-ph9p-34f9-6g65 | | undici | 5.20.0 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2024-24758, CVE-2026-1527, CVE-2024-30261 | | undici | 5.28.4 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2026-1527, CVE-2025-22150, CVE-2025-47279 | | undici | 6.15.0 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2024-38372, CVE-2026-1527, CVE-2025-22150 | | undici | 6.18.2 | high | unknown | 6.24.0 ⊘ | CVE-2026-1525, CVE-2024-38372, CVE-2026-1527, CVE-2025-22150 | | vite | 4.5.0 | high | unknown | 6.4.2 ⊘ | CVE-2025-32395, CVE-2025-31125, CVE-2026-39365, CVE-2024-45812 | | wrangler | 3.53.0 | high | unknown | 3.114.17 ⊘ | CVE-2026-0933, GHSA-36p8-mvp6-cv38 | | ws | 8.11.0 | high | unknown | 8.20.1 ⊘ | CVE-2024-37890, CVE-2026-45736, GHSA-3h5v-q93c-6h6q, GHSA-58qx-3vcg-4xpx | | ws | 8.12.1 | high | unknown | 8.20.1 ⊘ | CVE-2024-37890, CVE-2026-45736, GHSA-3h5v-q93c-6h6q, GHSA-58qx-3vcg-4xpx | | @babel/helpers | 7.18.2 | medium | unknown | 7.26.10 ⊘ | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.18.3 | medium | transitive · dev | 7.26.10 | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.18.9 | medium | unknown | 7.26.10 ⊘ | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.23.2 | medium | unknown | 7.26.10 ⊘ | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | @babel/runtime | 7.23.9 | medium | transitive · dev | 7.26.10 | CVE-2025-27789, GHSA-968p-4wvh-cqc8 | | ajv | 6.12.6 | medium | transitive · dev | 6.14.0 ⊘ | CVE-2025-69873, GHSA-2g4f-4pwh-qvx6 | | ajv | 8.11.0 | medium | transitive · dev | 8.18.0 | CVE-2025-69873, GHSA-2g4f-4pwh-qvx6 | | ajv | 8.17.1 | medium | unknown | 8.18.0 ⊘ | CVE-2025-69873, GHSA-2g4f-4pwh-qvx6 | | bn.js | 4.12.0 | medium | unknown | 4.12.3 ⊘ | CVE-2026-2739, GHSA-378v-28hj-76wf | | bn.js | 5.2.1 | medium | unknown | 5.2.3 ⊘ | CVE-2026-2739, GHSA-378v-28hj-76wf | | brace-expansion | 1.1.11 | medium | transitive · dev | 1.1.13 | CVE-2026-33750, CVE-2025-5889, GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw | | brace-expansion | 2.0.1 | medium | transitive · dev | 2.0.3 | CVE-2026-33750, CVE-2025-5889, GHSA-f886-m6hf-6m8v, GHSA-v6h2-p8h4-qcjw | | engine.io | 6.4.1 | medium | unknown | 6.4.2 ⊘ | CVE-2023-31125, GHSA-q9mw-68c2-j6m5 | | esbuild | 0.12.29 | medium | direct | 0.25.0 ⊘ | GHSA-67mh-4wv8-2f99 | | esbuild | 0.14.54 | medium | direct | 0.25.0 ⊘ | GHSA-67mh-4wv8-2f99 | | express | 4.18.2 | medium | unknown | 4.20.0 ⊘ | CVE-2024-43796, CVE-2024-29041, GHSA-qw6h-vgh9-j6wx, GHSA-rv95-896h-c2vc | | follow-redirects | 1.15.1 | medium | transitive · dev | 1.16.0 | CVE-2024-28849, CVE-2023-26159, GHSA-cxjh-pqwp-8mfp, GHSA-jchw-25xp-jwwc | | follow-redirects | 1.15.6 | medium | transitive · dev | 1.16.0 | GHSA-r4q5-vmmm-2653 | | got | 9.6.0 | medium | unknown | 11.8.5 ⊘ | CVE-2022-33987, GHSA-pfrx-2q88-qq97 | | ip-address | 9.0.5 | medium | unknown | 10.1.1 ⊘ | CVE-2026-42338, GHSA-v2v4-37r5-5v8g | | js-yaml | 3.14.1 | medium | transitive · dev | 3.14.2 | CVE-2025-64718, GHSA-mh29-5h37-fv8m | | js-yaml | 4.1.0 | medium | unknown | 4.1.1 ⊘ | CVE-2025-64718, GHSA-mh29-5h37-fv8m | | lodash.trim | 4.5.1 | medium | unknown | 4.18.0 ⊘ | CVE-2020-28500, GHSA-29mw-wpgm-hmr9 | | lodash.trimend | 4.5.1 | medium | unknown | 4.18.0 ⊘ | CVE-2020-28500, GHSA-29mw-wpgm-hmr9 | | mdast-util-to-hast | 13.1.0 | medium | unknown | 13.2.1 ⊘ | CVE-2025-66400, GHSA-4fh9-h7wg-q85m | | micromatch | 4.0.5 | medium | transitive · dev | 4.0.8 | CVE-2024-4067, GHSA-952p-6rrq-rcjv | | nanoid | 3.3.4 | medium | unknown | 3.3.8 ⊘ | CVE-2024-55565, GHSA-mwcw-c2x4-8c55 | | nanoid | 3.3.6 | medium | unknown | 3.3.8 ⊘ | CVE-2024-55565, GHSA-mwcw-c2x4-8c55 | | nanoid | 3.3.7 | medium | unknown | 3.3.8 ⊘ | CVE-2024-55565, GHSA-mwcw-c2x4-8c55 | | postcss | 8.4.14 | medium | unknown | 8.5.10 ⊘ | CVE-2023-44270, CVE-2026-41305, GHSA-7fh5-64p2-3v2j, GHSA-qx2v-qp2m-jg93 | | postcss | 8.4.31 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | postcss | 8.4.38 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | postcss | 8.4.41 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | postcss | 8.5.3 | medium | unknown | 8.5.10 ⊘ | CVE-2026-41305, GHSA-qx2v-qp2m-jg93 | | prismjs | 1.29.0 | medium | unknown | 1.30.0 ⊘ | CVE-2024-53382, GHSA-x7hr-w5r2-h6wg | | qs | 6.10.5 | medium | unknown | 6.14.2 ⊘ | CVE-2025-15284, CVE-2026-2391, GHSA-6rw7-vpxm-498p, GHSA-w7fw-mjwx-w883 | | qs | 6.11.0 | medium | unknown | 6.14.2 ⊘ | CVE-2025-15284, CVE-2026-2391, GHSA-6rw7-vpxm-498p, GHSA-w7fw-mjwx-w883 | | qs | 6.12.1 | medium | unknown | 6.15.2 ⊘ | CVE-2025-15284, CVE-2026-8723, CVE-2026-2391, GHSA-6rw7-vpxm-498p | | socket.io | 4.6.1 | medium | unknown | 4.6.2 ⊘ | CVE-2024-38355, GHSA-25hc-qcg6-38wj | | svelte | 3.59.2 | medium | unknown | 5.55.7 ⊘ | CVE-2024-45047, CVE-2026-27125, CVE-2026-27121, CVE-2026-27122 | | svelte | 4.2.1 | medium | unknown | 5.55.7 ⊘ | CVE-2024-45047, CVE-2026-27125, CVE-2026-27121, CVE-2026-27122 | | uuid | 8.3.2 | medium | unknown | 11.1.1 ⊘ | CVE-2026-41907, GHSA-w5hq-g745-h8pq | | vue-template-compiler | 2.7.15 | medium | unknown | ⚠ no fix | CVE-2024-6783, GHSA-g3ch-rx76-35fx | | webpack-dev-server | 5.2.2 | medium | unknown | 5.2.4 ⊘ | CVE-2026-6402, GHSA-79cf-xcqc-c78w | | word-wrap | 1.2.3 | medium | transitive · dev | 1.2.4 | CVE-2023-26115, GHSA-j8xg-fqg3-53r7 | | yaml | 1.10.2 | medium | unknown | 1.10.3 ⊘ | CVE-2026-33532, GHSA-48c2-rrv3-qjmp | | yaml | 2.4.2 | medium | unknown | 2.8.3 ⊘ | CVE-2026-33532, GHSA-48c2-rrv3-qjmp | | @tootallnate/once | 1.1.2 | low | unknown | 2.0.1 ⊘ | CVE-2026-3449, GHSA-vpq2-c234-7xj6 | | @tootallnate/once | 2.0.0 | low | unknown | 2.0.1 ⊘ | CVE-2026-3449, GHSA-vpq2-c234-7xj6 | | cookie | 0.4.2 | low | unknown | 0.7.0 ⊘ | CVE-2024-47764, GHSA-pxg6-pf52-xh8x | | cookie | 0.5.0 | low | unknown | 0.7.0 ⊘ | CVE-2024-47764, GHSA-pxg6-pf52-xh8x | | diff | 4.0.2 | low | unknown | 4.0.4 ⊘ | CVE-2026-24001, GHSA-73rr-hh4g-fpgx | | on-headers | 1.0.2 | low | unknown | 1.1.0 ⊘ | CVE-2025-7339, GHSA-76c9-3jph-rj3q | | send | 0.18.0 | low | unknown | 0.19.0 ⊘ | CVE-2024-43799, GHSA-m6fv-jmcg-4jfg | | serve-static | 1.15.0 | low | unknown | 1.16.0 ⊘ | CVE-2024-43800, GHSA-cm22-4g7w-348p | | vue | 2.6.14 | low | unknown | 3.0.1 ⊘ | CVE-2024-9506, GHSA-5j4c-8p2g-v4jx | | webpack | 5.94.0 | low | unknown | 5.104.1 ⊘ | CVE-2025-68157, CVE-2025-68458, GHSA-38r7-794h-5758, GHSA-8fgc-7cc6-rx7x |


Want your project reviewed?

If you maintain an interesting JavaScript or TypeScript project and want CVE Lite CLI considered for a public case study, open an issue in the CVE Lite CLI repository.

Please include:

  • the repository link
  • why the project would make a useful case study
  • whether the dependency graph is publicly reproducible

Not every project will be selected. Preference will go to projects that are publicly useful, technically interesting, and strong examples of realistic dependency remediation workflows.