Daniel Ellis
The advisory against `@eslint/plugin-kit` ([GHSA-xffm-g5w8-qvg7](https://github.com/advisories/GHSA-xffm-g5w8-qvg7)) has an incorrect fix version. It is marked as affecting versions < 0.3.3, and being patched in the 0.3.3 release, however it wasn't actually patched...
**Describe the bug**
NPM package is dependent on vulnerable version of `js-yaml` (`3.13.1`)

**Additional context**
* [CVE-2025-64718](https://nvd.nist.gov/vuln/detail/CVE-2025-64718)
* [SNYK-JS-JSYAML-13961110](https://security.snyk.io/vuln/SNYK-JS-JSYAML-13961110)

NVD suggests that it's only patched in `4.1.1`, however it has...