Summary
The committed package-lock.json pins two dependencies to versions that have published advisories. Flagging as a hygiene heads-up — I want to be upfront that the practical impact is low (details below), but the lockfile currently ships them.
The honest caveat
The declared ranges (swiper: ^12.0.3, path-to-regexp: ^6.2.0) already permit the fixed versions — a fresh npm install resolves to patched releases, so downstream consumers installing today aren't forced onto the vulnerable versions. The gap is only that this repo's committed lockfile still pins the old versions, so the project's own npm ci / CI runs against them, and anyone reinstalling from the committed lock stays on them.
Suggested fix
npm update swiper path-to-regexp (and refresh package-lock.json), or bump the floors to ^12.1.2 / ^6.3.0. There's no Dependabot config in the repo, which is probably why the lock drifted. I checked open + closed issues and didn't find an existing report.
Disclosure: found with AI assistance; I verified the locked versions and both advisories against OSV myself.
Summary
The committed
package-lock.jsonpins two dependencies to versions that have published advisories. Flagging as a hygiene heads-up — I want to be upfront that the practical impact is low (details below), but the lockfile currently ships them.swiperpath-to-regexpThe honest caveat
The declared ranges (
swiper: ^12.0.3,path-to-regexp: ^6.2.0) already permit the fixed versions — a freshnpm installresolves to patched releases, so downstream consumers installing today aren't forced onto the vulnerable versions. The gap is only that this repo's committed lockfile still pins the old versions, so the project's ownnpm ci/ CI runs against them, and anyone reinstalling from the committed lock stays on them.Suggested fix
npm update swiper path-to-regexp(and refreshpackage-lock.json), or bump the floors to^12.1.2/^6.3.0. There's no Dependabot config in the repo, which is probably why the lock drifted. I checked open + closed issues and didn't find an existing report.Disclosure: found with AI assistance; I verified the locked versions and both advisories against OSV myself.