Skip to content

[Aikido] Fix 19 security issues in lodash, @microsoft/api-extractor, express and 13 more#12

Open
aikido-autofix[bot] wants to merge 1 commit into
aikido-security/update-minimist-eLUsfrom
fix/aikido-security-KAN-2645-KAN-2337-KAN-2544-KAN-2702-KAN-2465-KAN-2758-KAN-2240-KAN-2745-KAN-2721-KAN-2475-KAN-2762update-packages-24363751-m9dp
Open

[Aikido] Fix 19 security issues in lodash, @microsoft/api-extractor, express and 13 more#12
aikido-autofix[bot] wants to merge 1 commit into
aikido-security/update-minimist-eLUsfrom
fix/aikido-security-KAN-2645-KAN-2337-KAN-2544-KAN-2702-KAN-2465-KAN-2758-KAN-2240-KAN-2745-KAN-2721-KAN-2475-KAN-2762update-packages-24363751-m9dp

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Apr 20, 2026

Copy link
Copy Markdown

Upgrade dependencies to fix critical RCE vulnerability in lodash template injection, high-severity SSRF in Angular SSR, prototype pollution DoS in qs/Express, and Unicode handling bypass in validator.

⚠️ Incomplete breaking changes analysis (10/16 analyzed)

⚠️ Breaking changes analysis not available for: @microsoft/api-extractor, express, follow-redirects, @bazel/typescript, @angular-devkit/build-angular, requirejs

✅ After thoroughly searching the codebase, I found that this is an Angular framework development repository with no application source code outside of node_modules. All the packages being upgraded (lodash, @angular/platform-server, @angular/core, qs, validator, angular, z-schema, protobufjs, webpack-dev-server) are only present as dependencies in the node_modules directory.

The key findings:

  • No direct imports or usage of lodash methods like _.unset, _.omit, or _.template in application code

  • No usage of @angular/platform-server or @angular/core APIs in application code (these are framework packages being developed, not consumed)

  • No direct usage of qs, validator, angular, z-schema, protobufjs, or webpack-dev-server APIs in application code

  • The validator package is only used internally by z-schema (in node_modules)

  • The z-schema package is only used by @rushstack/node-core-library (in node_modules)

  • No webpack-dev-server configuration files or API usage found outside node_modules

Since this appears to be a build/test infrastructure setup for Angular framework development rather than an application that directly consumes these packages, the breaking changes in the upgraded packages do not affect any application code in this codebase.

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)

Version Description
4.18.0
_.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0
_.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed.

All breaking changes by upgrading validator from version 8.2.0 to 13.15.26 (CHANGELOG)

Version Description
9.0.0
normalizeEmail() no longer validates the email address
10.0.0
Allow floating points in isNumeric()
10.0.0
Disallow GMail addresses with multiple consecutive dots, or leading/trailing dots
10.0.0
Reject domain parts longer than 63 octets in isFQDN(), isURL() and isEmail()
10.3.0
Strict Gmail validation in isEmail()
10.5.0
Disabled domain-specific email validation
10.5.0
Updated isURL() to reject protocol relative URLs unless a flag is set
10.6.0
Updated isMobilePhone() to match any locale's pattern by default
11.0.0
Updated isEmail() to validate display names according to RFC2822
11.0.0
Updated isEmail() to check total email length
11.0.0
The internal toString() util is no longer exported
12.0.0
Better defaults for isLength()
13.5.0
isFQDN: make more strict
13.7.0
isRFC3339: Disallow prepended and appended strings to RFC 3339 date-time
13.15.0
isUUID require valid variant field and require RFC9562 UUID in version all
13.15.0
isDate return false instead of Error in certain cases

All breaking changes by upgrading @angular/core from version 12.2.13 to 19.2.18 (CHANGELOG)

Version Description
13.0.0-next.1
AbstractControl.status has been narrowed from string to FormControlStatus, and statusChanges has been narrowed from Observable<any> to Observable<FormControlStatus>. This may cause breakage if the app is comparing AbstractControl.status against an invalid status string or using statusChanges events as something other than strings.
13.0.0-next.1
The default URL serializer now correctly parses question marks in query parameters. Previously, for a navigation to /path?q=hello?&other=123, query params would be parsed to {q: 'hello'}. Now they are correctly parsed to {q: 'hello?', other: '123'}.
13.0.0-next.3
null and undefined inputs for routerLink no longer behave as empty string and now disable the link's navigation. The href changed from a property HostBinding() to an attribute binding (HostBinding('attr.href')), affecting DebugElement.properties['href'] which now returns the full URL rather than the internal value.
13.0.0-next.5
SpyLocation behavior changed to match browsers: it no longer emits a 'popstate' event when Location.go is called, and simulateHashChange now triggers both a hashchange and a popstate event.
13.0.0-next.7
The router no longer replaces the browser URL when a new navigation cancels an ongoing navigation.
13.0.0-next.9
Route.loadChildren using a string value is no longer possible. The following classes were removed: NgModuleFactoryLoader, SystemJsNgModuleFactoryLoader from @angular/core; SpyNgModuleFactoryLoader, DeprecatedLoadChildren from @angular/router. The setupTestingRouter function signature changed to drop its NgModuleFactoryLoader parameter.
13.0.0-next.10
The WrappedValue class can no longer be imported from @angular/core, which may result in compile errors or runtime failures if outdated libraries still using WrappedValue are used.
13.0.0-next.12
TypeScript versions older than 4.4.2 are no longer supported.
13.0.0-next.12
The return type of SwUpdate#activateUpdate and SwUpdate#checkForUpdate changed to Promise<boolean>.
13.0.0-next.13
NodeJS versions older than v12.20.0 are no longer supported due to the Angular packages using the NodeJS package exports feature with subpath patterns.
14.0.0-next.2
Forms [email] input value will be considered as true if it is defined with any value rather than false and 'false'.
14.0.0-next.2
Objects with a length key set to zero will no longer validate as empty.
14.0.0-next.2
Change detection behavior may break unit tests that implicitly depend on a specific number and sequence of change detections.
14.0.0-next.2
Parameter types of TransferState methods are tightened, which may reveal existing problematic calls.
14.0.0-next.2
The type and value of Router.initialUrl has changed; Router.url is the recommended replacement.
14.0.0-next.4
AnimationDriver.getParentElement method has become required for implementors of this interface.
14.0.0-next.5
The type of Route.pathMatch is now more strict and may require explicit Route/Routes type annotations.
14.0.0-next.5
Resolvers now take only the first emitted value instead of the last value before completion.
14.0.0-next.6
Support for Node.js v12 has been removed.
14.0.0-next.8
TypeScript versions older than 4.6 are no longer supported.
14.0.0-next.8
In TaskTrackingZoneSpec, periodic macrotasks are now tracked until explicitly cancelled.
14.0.0-next.10
Keyframes names are now prefixed with the component's "scope name".
14.0.0-next.10
JSONP will throw an error when headers are set on a request.
14.0.0-next.12
Forms classes now accept a generic type parameter.
14.0.0-next.12
LoadChildrenCallback return type is restricted to `Type
14.0.0-next.13
The aotSummaries fields in TestBed APIs have been removed.
14.0.0-next.14
Queries including + will now actually query for + instead of space.
14.0.0-next.14
The type of component on ActivatedRoute and ActivatedRouteSnapshot no longer includes string.
14.0.0-next.14
Lazy loaded configs are now validated once loaded, which may cause errors for invalid Route configs in dev mode.
14.0.0-next.15
LocationStrategy implementors must satisfy new required class member; Location no longer depends on PlatformLocation.
14.0.0-next.15
Keyframes names are now prefixed with the component's "scope name".
14.0.0-next.15
Guard-returned UrlTree redirects are no longer scheduled within a setTimeout, which may affect tests.
14.0.0-next.16
initialNavigation: 'enabled' has been removed; use initialNavigation: 'enabledBlocking' instead.
14.0.0
The AnimationDriver.getParentElement method has become required, so any implementors of this interface are now required to provide an implementation for this method.
14.0.0
Adds new required class member that any implementors of the LocationStrategy will need to satisfy.
14.0.0
Keyframes names are now prefixed with the component's "scope name", so any TypeScript/JavaScript code which relied on the names of keyframes rules will no longer match.
14.0.0
Support for Node.js v12 has been removed.
14.0.0
TypeScript versions older than 4.6 are no longer supported.
14.0.0
Forms [email] input value will be considered as true if it is defined with any value rather than false and 'false'.
14.0.0
The aotSummaries fields in TestBed APIs have been removed.
14.0.0
Forms model classes now accept a generic type parameter.
14.0.0
Objects with a length key set to zero will no longer validate as empty.
14.0.0
Queries including + will now actually query for + instead of space.
14.0.0
JSONP will throw an error when headers are set on a request.
14.0.0
This change may cause a breaking change in unit tests that are implicitly depending on a specific number and sequence of change detections in order for their assertions to pass.
14.0.0
This may break invalid calls to TransferState methods by tightening parameter types.
14.0.0
The type of Route.pathMatch is now stricter.
14.0.0
When returning a Promise from the LoadChildrenCallback, the possible type is now restricted to `Type
14.0.0
initialNavigation: 'enabled' was deprecated in v11 and is replaced by initialNavigation: 'enabledBlocking'.
14.0.0
The type of component on ActivatedRoute and ActivatedRouteSnapshot includes string. In reality, the component cannot be anything other than a component class.
14.0.0
The type of initialUrl is set to `string
14.0.0
Lazy loaded configs are now also validated once loaded like the initial set of routes are.
14.0.0
When a guard returns a UrlTree, the router would previously schedule the redirect navigation within a setTimeout. This timeout is now removed.
14.0.0
The router now takes only the first emitted value by the resolvers and then proceeds with navigation.
14.0.0
In TaskTrackingZoneSpec, periodic macrotasks are now tracked until the task is explicitly cancelled.
15.0.0-next.1
Angular compiler option enableIvy has been removed as Ivy is the only rendering engine.
15.0.0-next.4
The title property is now required on ActivatedRouteSnapshot.
15.0.0-next.5
Keyframes names are now prefixed with the component's "scope name". Any TypeScript/JavaScript code which relied on the names of keyframes rules will no longer match.
15.0.0-next.5
The RouterOutlet now instantiates components during change detection rather than immediately during navigation. This could affect tests which do not trigger change detection after a router navigation and, in rarer cases, production code that relies on the exact timing of component availability.
15.0.0-next.6
Invalid constructors for DI may now report compilation errors when a class inherits its constructor from a base class that is missing an Angular decorator or contains parameters without an associated token.
15.0.0-next.6
Angular no longer supports Node.js versions 14.[15-19].x and 16.[10-12].x. Current supported versions are 14.20.x, 16.13.x and 18.10.x.
15.0.0-next.6
TypeScript versions older than 4.8 are no longer supported.
15.0.0-next.6
setDisabledState will always be called when a ControlValueAccessor is attached. You can opt-out with FormsModule.withConfig or ReactiveFormsModule.withConfig.
15.0.0-next.6
relativeLinkResolution is no longer configurable in the Router. This option was used as a means to opt out of a bug fix.
15.0.0
Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.
15.0.0
Existing iframe usages may have src or srcdoc preceding other attributes. Such usages may need to be updated to ensure compliance with the new stricter rules around iframe bindings.
16.0.0-next.0
Angular Compatibility Compiler (ngcc) has been removed and as a result Angular View Engine libraries will no longer work.
16.0.0-next.0
MockPlatformLocation is now provided by default in tests. Existing tests may have behaviors which rely on BrowserPlatformLocation instead, requiring updates to test providers or code to be compatible with MockPlatformLocation.
...

All breaking changes by upgrading z-schema from version 3.18.4 to 12.0.5 (CHANGELOG)

Version Description
4.0.0
Drop support for Node.js < 10. CI now tests on Node.js 10, 12, and 14.
5.0.0
breakOnFirstError now defaults to false (was true). All validation errors are reported by default. Set breakOnFirstError: true to restore previous behavior.
6.0.0
Drop support for Node.js < 16. CI now tests on Node.js 16 and 18 only.
7.0.0
Source converted from plain JavaScript to TypeScript. The library is now published as ES modules with CJS and UMD bundles.
7.0.0
Node.js >= 22 required — The engines field now requires Node.js 22 or later.
7.0.0
main field replaced by exports map. Import z-schema (ESM), z-schema/cjs (CJS), or z-schema/umd/ZSchema.js (UMD). Direct deep imports like z-schema/src/ZSchema no longer work.
7.0.0
All source files renamed from PascalCase (ZSchema.js, FormatValidators.js) to kebab-case (z-schema.ts, format-validators.ts). Any direct submodule imports will break.
7.0.0
Grunt + Jasmine replaced by Rollup + Vitest. Browserify bundles replaced by UMD bundle.
8.0.0
Schemas without $schema are now treated as draft-04. Previously, schemas missing $schema were validated without strict draft semantics. Now $schema is automatically set to http://json-schema.org/draft-04/schema#. Use { version: 'none' } to opt out.
8.0.0
Meta-schemas registered globally. Draft-04 meta-schemas are now registered via ZSchema.setRemoteReference() at module load time instead of per-instance in the constructor.
9.0.0
new ZSchema() replaced by ZSchema.create() factory. The constructor is no longer the public API. Use ZSchema.create(options) to get a typed validator instance.
9.0.0
validate() now throws by default. Returns true on success, throws ValidateError on failure. Use { safe: true } for a non-throwing API that returns { valid, err? }.
9.0.0
getLastError() / getLastErrors() removed. Errors are now returned directly from validate() — thrown as ValidateError (default) or in { err } field (safe mode).
9.0.0
isValid(), compileSchema(), getMissingReferences(), getMissingRemoteReferences(), getResolvedSchema() removed.
9.0.0
setRemoteReference() is now static only. The instance method was removed; use ZSchema.setRemoteReference().
9.0.0
validateAsyncSafe() return type changed. Returns { valid, err? } instead of { valid, errs? }.
10.0.0
Implement draft-06, draft-06 version is the new default.
12.0.0
Default schema version changed from draft-07 to draft2020-12. If your schemas rely on draft-04/06/07 behavior, set version explicitly or declare $schema in every schema.
12.0.0
Format is annotation-only by default for draft-2019-09 / draft-2020-12. In these drafts, unknown formats no longer produce errors (per the specification). Set formatAssertions: null to restore the legacy always-assert behavior.
12.0.0
New maxRecursionDepth safeguard (default: 100). Deeply nested schemas or data that previously validated may now fail with MAX_RECURSION_DEPTH_EXCEEDED. Increase the value if needed.

All breaking changes by upgrading protobufjs from version 6.8.8 to 8.0.1 (CHANGELOG)

Version Description
7.0.0
drop support for Node 4, 6, 8, 10
7.0.0
move command line tool to a new package named protobufjs-cli
7.0.0
encoding of empty Buffers
8.0.0
add Edition 2024 Support
✅ 19 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-4800
🚨 CRITICAL
[lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2025-13465
MEDIUM
[lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
GHSA-45q2-gjvg-7973
HIGH
[@angular/platform-server] A Server-Side Request Forgery (SSRF) vulnerability exists due to improper URL handling during Server-Side Rendering, where backslashes in URLs are normalized to forward slashes, allowing attackers to hijack the application's origin and redirect HttpClient requests or PlatformLocation references to attacker-controlled servers. This can expose internal APIs or metadata services when the application performs HTTP requests with relative URLs or uses hostname references.
CVE-2022-24999
HIGH
[qs] A prototype pollution vulnerability allows attackers to manipulate object prototypes via __proto__ keys in query strings, causing Node process hangs and denial of service in Express applications without authentication.
CVE-2025-12758
HIGH
[validator] The isLength() function fails to account for Unicode variation selectors, causing incorrect string length calculations. This allows attackers to bypass length validation, potentially leading to data truncation, buffer overflows, or denial-of-service attacks.
AIKIDO-2025-10980
MEDIUM
[validator] The isURL function fails to properly validate URLs containing URL-encoded characters, allowing attackers to bypass validation checks. This enables XSS attacks where malicious URLs can execute arbitrary JavaScript in victims' browsers, potentially compromising user data or sessions.
GHSA-r4q5-vmmm-2653
MEDIUM
[follow-redirects] Custom authentication headers (e.g., X-API-Key, X-Auth-Token) are leaked to redirect targets on cross-domain redirects because only standard headers are stripped. This enables attackers to capture sensitive credentials through malicious redirects.
CVE-2022-0155
MEDIUM
[follow-redirects] is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
AIKIDO-2024-10289
MEDIUM
[webpack] A Cross-site Scripting (XSS) vulnerability exists due to DOM Clobbering in compiled output, allowing attackers to inject malicious scripts through unsanitized HTML elements. This can compromise web pages and enable unauthorized script execution in user browsers.
AIKIDO-2025-10746
MEDIUM
[webpack] 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
CVE-2026-22610
MEDIUM
[@angular/core] A cross-site scripting (XSS) vulnerability exists in the Template Compiler where the sanitization schema fails to recognize href and xlink:href attributes of SVG <script> elements as Resource URLs, allowing malicious scripts to bypass sanitization and execute in the application context.
GHSA-28hp-fgcr-2r4h
MEDIUM
[angular] JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors.
GHSA-5cp4-xmrw-59wf
MEDIUM
[angular] JQLite's HTML preprocessing transforms sanitized payloads by expanding self-closing tags, potentially converting inert HTML into executable JavaScript and triggering XSS attacks. This vulnerability affects DOM manipulation methods like append, prepend, and new JQLite when processing user-controlled HTML.
AIKIDO-2025-10745
MEDIUM
[@babel/traverse] A vulnerability allows remote code execution during compilation when processing malicious input with certain plugins that use internal evaluation methods. This affects plugins like @babel/plugin-transform-runtime and @babel/preset-env with useBuiltIns option.
AIKIDO-2026-10450
MEDIUM
[z-schema] Prototype pollution vulnerability in schema compilation allows attackers to modify Object.prototype through specially crafted schemas with keys like __proto__ or constructor, affecting all subsequently created objects.
AIKIDO-2026-10467
MEDIUM
[protobufjs] Prototype pollution vulnerability in message initialization allows attackers to inject malicious properties via the proto field, enabling prototype chain manipulation and unintended property injection across the application.
GHSA-64g7-mvw6-v9qj
MEDIUM
[shelljs] Synchronous shell.exec() output may be visible to other users on the same system in multi-user environments or when running as root, allowing information disclosure through process output visibility.
AIKIDO-2025-10649
MEDIUM
[webpack-dev-server] Improper Origin header validation in WebSocket connections allows attackers to bypass CSRF protections and steal source code by connecting from malicious websites using IP address origins.
CVE-2024-38999
LOW
[requirejs] jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
🔗 Related Tasks

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants