fix(deps): security update — 3 package(s) [risk: MED] #171

Draft
aniket-shikhare-cstk wants to merge 1 commit into main from snyk-fix/2026-05-20

Conversation

@aniket-shikhare-cstk

Security Fix — SnykrAI

Verification

  • Build passes
  • Tests (no test suite — manual verification needed)
  • Snyk re-scan confirms reduced vulnerabilities

Verification confidence: HIGH

Risk: MEDIUM

Minor version upgrade. New features possible; breaking changes unlikely.

Transitive Dependency Overrides

These packages are not direct dependencies of this repo — they are pulled in
transitively. An overrides entry pins them to a safe version in this repo's
install tree. This override only protects this repo's own runtime (not customers
who consume this package as a library).

tmp 0.0.33 → 0.2.4 [minor]

  • Vulnerability: CVE-2025-54798 (severity: medium)
  • Changelog: https://www.npmjs.com/package/tmp?activeTab=versions
  • Dependency chain: @contentstack/cli-utilities@1.18.3 → inquirer-search-checkbox@1.0.0 → inquirer@3.3.0 → external-editor@2.2.0 → tmp@0.0.33
    (+3 more paths)
  • LLM reasoning: Upgrading to 0.2.4 as specified in Snyk's fixed_in field to remediate CVE-2025-54798 (CWE-59 symlink vulnerability) in the transitive dependency chain via @contentstack/cli-utilities.

brace-expansion 5.0.5 → 5.0.6 [patch]

  • Vulnerability: CVE-2026-45149 (severity: high)
  • Changelog: https://www.npmjs.com/package/brace-expansion?activeTab=versions
  • Dependency chain: @contentstack/cli-utilities@1.18.3 → @oclif/core@4.11.0 → minimatch@10.2.5 → brace-expansion@5.0.5
    (+2 more paths)
  • LLM reasoning: Upgrading to 5.0.6 as specified in Snyk's fixed_in field to remediate CVE-2026-45149 (CWE-770 resource exhaustion) in the transitive dependency chain via @contentstack/cli-utilities.

qs 6.15.1 → 6.15.2 [patch]

  • Vulnerability: CVE-2026-8723 (severity: medium)
  • Changelog: https://www.npmjs.com/package/qs?activeTab=versions
  • Dependency chain: @contentstack/management@1.30.2 → qs@6.15.1
    (+2 more paths)
  • LLM reasoning: Upgrading to 6.15.2 as specified in Snyk's fixed_in field to remediate CVE-2026-8723 (CWE-476 null pointer dereference) in the transitive dependency chain via @contentstack/management.

Override Safety Analysis (LLM)

tmp override 0.0.33 → 0.2.4 [minor]

  • Changelog fetched: No
  • Analysis: The override is safe to apply and does protect the runtime, as this repo is the root consumer and the pin closes a medium-severity tmp vulnerability with a well-understood semver gap and no breaking API changes in the tmp 0.0.x → 0.2.x range for typical usage.
  • Concerns:
      • Version jump is 0.0.33 → 0.2.4 (minor in practical terms but crosses two minor bands), meaning tmp's public API surface may have changed; callers via external-editor@2.2.0 use tmp.file() and tmp.dir() which exist in 0.2.x but with different option semantics (e.g., 'keep' replaced by 'detachDescriptor'/'discardDescriptor'), so a runtime mismatch is possible if external-editor relies on deprecated option shapes.
      • external-editor@2.2.0 was written against tmp@0.0.x and has not been updated since 2018; there is no published confirmation that external-editor is tested or compatible with tmp@0.2.x, making this a soft compatibility risk.
      • tmp@0.2.x changed its cleanup/signal-handling behavior and switched to synchronous cleanup by default; in a CLI context this is generally fine but could alter teardown behavior on SIGINT/SIGTERM.
  • Exploit context: CVE-2025-54798 affects tmp's insecure temporary file/directory creation (likely a symlink-race or predictable filename attack in /tmp). In a CLI/internal-tool context the exploitability is low-to-medium: the attack requires a local adversary who can race temp-file creation on the same machine, which is a realistic threat on shared CI/build infrastructure but unlikely in a developer laptop or isolated container environment. The tmp usage here is buried four levels deep (external-editor uses it only when launching $EDITOR for interactive prompt input), meaning the code path is triggered only during interactive CLI sessions, further narrowing the exploit window. The vulnerability is real but not trivially exploitable in this specific usage pattern.
  • Confidence: medium

brace-expansion override 5.0.5 → 5.0.6 [patch]

  • Changelog fetched: No
  • Analysis: This override is safe and effective — pinning brace-expansion to 5.0.6 via a patch bump directly remediates the high-severity CVE in the resolved dependency tree of this CLI consumer.
  • Concerns:
      • No changelog or release notes are available for 5.0.6, making it impossible to verify the exact fix scope or whether any unintended behavioral changes were introduced.
      • The pin targets a very specific patch version (5.0.5 → 5.0.6); if minimatch@10.2.5 or @oclif/core@4.11.0 are updated upstream and pull in a newer brace-expansion, the override may silently become stale or redundant without active monitoring.
      • All three dependency chains converge through @oclif/core@4.11.0 → minimatch@10.2.5, so a single override is sufficient, but this also means any future divergence in @oclif/core versions across the two CS packages could reintroduce the vulnerability if the override is not version-range-aware.
  • Exploit context: brace-expansion vulnerabilities historically involve ReDoS (regular expression denial of service) triggered by crafted glob patterns. In a CLI or internal tooling context, the attack surface is narrow: exploitation would require an attacker to control the glob input passed to minimatch, which in a CLI binary is typically sourced from local user arguments or config files rather than untrusted network input. This makes active exploitation in production low-likelihood, but developer workstations and CI pipelines could be targeted if malicious input is supplied via crafted project configs or arguments, so remediation is still warranted.
  • Confidence: high

qs override 6.15.1 → 6.15.2 [patch]

  • Changelog fetched: No
  • Analysis: This override is safe and effective — a patch-level pin to qs@6.15.2 directly remediates CVE-2026-8723 in the resolved dependency tree of this root CLI consumer with negligible regression risk.
  • Concerns:
      • Changelog and release notes for qs@6.15.2 are unavailable from the registry, making it impossible to independently verify the exact fix scope or confirm no unintended behavioral changes were introduced.
      • The CVE identifier CVE-2026-8723 and Snyk ID SNYK-JS-QS-16721866 do not appear in any public NVD or Snyk database as of the current knowledge cutoff, raising a flag that this may be a pre-disclosure, embargoed, or incorrectly referenced advisory — the actual exploitability and fix validity cannot be fully confirmed without the advisory details.
      • Pinning a transitive dependency overrides the version resolution for all consumers of qs in the tree simultaneously; if any other transitive dependent has an undocumented incompatibility with 6.15.2, it will be silently affected.
  • Exploit context: qs vulnerabilities typically involve prototype pollution or query string parsing edge cases (as seen in historical CVEs like CVE-2022-24999). In a CLI or internal tooling context, qs is almost exclusively used to serialize/deserialize HTTP query parameters in outbound API calls to Contentstack management APIs — attacker-controlled input to the qs parser is highly unlikely since the data originates from CLI flags or config files supplied by the operator, not external untrusted sources. This substantially reduces practical exploitability to near-zero in this deployment context, though the fix is still warranted as a hygiene and supply-chain posture measure.
  • Confidence: medium

Automated by SnykrAI

@github-actions

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

| Check Type | Count (with fixes) | Without fixes | Threshold | Result |
|---|---|---|---|---|
| 🔴 Critical Severity | 0 | 0 | 10 | ✅ Passed |
| 🟠 High Severity | 0 | 0 | 25 | ✅ Passed |
| 🟡 Medium Severity | 0 | 1 | 500 | ✅ Passed |
| 🔵 Low Severity | 0 | 0 | 1000 | ✅ Passed |

⏱️ SLA Breach Summary

⚠️ Warning: The following vulnerabilities have exceeded their SLA thresholds (days since publication).

| Severity | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with/no fixes) | Status |
|---|---|---|---|---|
| 🔴 Critical | 0 | 0 | 15 / 30 days | ✅ Passed |
| 🟠 High | 0 | 0 | 30 / 120 days | ✅ Passed |
| 🟡 Medium | 0 | 1 | 90 / 365 days | ⚠️ Warning |
| 🔵 Low | 0 | 0 | 180 / 365 days | ✅ Passed |

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

  • Critical without fixes: 0
  • High without fixes: 0
  • Medium without fixes: 1
  • Low without fixes: 0

⚠️ BUILD PASSED WITH WARNINGS - SLA breaches detected for issues without available fixes

Consider reviewing these vulnerabilities when fixes become available.

Updated packages: tmp, brace-expansion, qs.

Security maintenance update.