[VANTA] [VULNERABILITY] <HIGH> GHSA-5c6j-r48x-rmvq, fix before 2026-04-01

[commercelayer-ci]

Important

CLOSE THE ISSUE ONLY IF YOU PLAN TO DEPLOY THE FIX BEFORE THE DEADLINE IN THE TITLE.

DO NOT MANUALLY MODIFY THE ISSUE TITLE OR TEXT BODY.

FIXED npm-serialize-javascript <= 7.0.2 GHSA-5c6j-r48x-rmvq HIGH

npm-serialize-javascript <= 7.0.2 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning GHSA-5c6j-r48x-rmvq HIGH remediate by: 2026-04-01T14:19:30.006Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/47

Related URLs

• GHSA-5c6j-r48x-rmvq
• https://nvd.nist.gov/vuln/detail/CVE-2020-7660
• yahoo/serialize-javascript@2e609d0
• GHSA-hxcc-f52p-wc94
• https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
• GHSA-5c6j-r48x-rmvq

^{npm-fast-xml-parser >= 5.0.0, < 5.3.8 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-27942 LOW remediate by: 2026-06-01T14:21:07.775Z}

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/48

Related URLs

• GHSA-fj3w-jwp8-x2g3
• https://nvd.nist.gov/vuln/detail/CVE-2026-27942
• fix: prevent stack overflow in XMLBuilder with preserveOrder (#781) NaturalIntelligence/fast-xml-parser#791
• NaturalIntelligence/fast-xml-parser@c13a961
• GHSA-fj3w-jwp8-x2g3

FIXED npm-minimatch >= 9.0.0, < 9.0.6 CVE-2026-26996 HIGH

FIXED npm-minimatch >= 9.0.0, < 9.0.6 CVE-2026-26996 HIGH

npm-minimatch >= 9.0.0, < 9.0.6 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-26996 HIGH remediate by: 2026-03-27T08:50:05.811Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/35

Related URLs

• GHSA-3ppc-4f35-3m26
• isaacs/minimatch@2e111f3
• https://nvd.nist.gov/vuln/detail/CVE-2026-26996
• GHSA-3ppc-4f35-3m26

FIXED npm-minimatch >= 9.0.0, < 9.0.7 CVE-2026-27903 HIGH

FIXED npm-minimatch >= 9.0.0, < 9.0.7 CVE-2026-27903 HIGH

npm-minimatch >= 9.0.0, < 9.0.7 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-27903 HIGH remediate by: 2026-03-30T22:15:05.999Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/38

Related URLs

• GHSA-7r86-cg39-jmmj
• https://nvd.nist.gov/vuln/detail/CVE-2026-27903
• isaacs/minimatch@0bf499a
• GHSA-7r86-cg39-jmmj

FIXED npm-minimatch >= 9.0.0, < 9.0.7 CVE-2026-27904 HIGH

FIXED npm-minimatch >= 9.0.0, < 9.0.7 CVE-2026-27904 HIGH

npm-minimatch >= 9.0.0, < 9.0.7 CODE_REPOSITORY/commercelayer-cli-plugin-provisioning CVE-2026-27904 HIGH remediate by: 2026-03-30T22:15:05.999Z

• https://github.com/commercelayer/commercelayer-cli-plugin-provisioning/security/dependabot/39

Related URLs

• GHSA-23c5-xmqv-rm74
• https://nvd.nist.gov/vuln/detail/CVE-2026-27904
• isaacs/minimatch@11d0df6
• GHSA-23c5-xmqv-rm74

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-provisioning

All the listed vulnerabilities are still detected.
Please resolve within 7 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-provisioning

All the listed vulnerabilities are still detected.
Please resolve within 6 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-provisioning

All the listed vulnerabilities are still detected.
Please resolve within 5 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-provisioning

All the listed vulnerabilities are still detected.
Please resolve within 4 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-provisioning

All the listed vulnerabilities are still detected.
Please resolve within 3 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-provisioning

GHSA-5c6j-r48x-rmvq still detected.
Please resolve within 7 days.

[commercelayer-ci]

CODE_REPOSITORY/commercelayer-cli-plugin-provisioning

GHSA-5c6j-r48x-rmvq still detected.
Please resolve within 6 days.