Update dependency actions-toolkit to v2.1.0 #14
Security Report
❌ New vulnerabilities:
| Vulnerability | Severity |  CVSS Score |
Vulnerable Library | Direct Library | Suggested Fix | Issue | Reachability |
|---|---|---|---|---|---|---|---|
CVE-2025-25290Path to dependency file: /nexmo-changelog/package.json Path to vulnerable library: /nexmo-changelog/package.json Dependency Hierarchy: -> actions-toolkit-2.1.0.tgz (Root Library) -> rest-16.43.2.tgz -> ❌ request-5.6.3.tgz (Vulnerable Library) |
 Medium |
5.3 | Transitive request-5.6.3.tgz |
actions-toolkit-2.1.0.tgz | Transitive 8.4.1 |
#8 |
|
CVE-2025-25289Path to dependency file: /nexmo-changelog/package.json Path to vulnerable library: /nexmo-changelog/package.json Dependency Hierarchy: -> actions-toolkit-2.1.0.tgz (Root Library) -> rest-16.43.2.tgz -> ❌ request-error-1.2.1.tgz (Vulnerable Library) |
Medium |
5.3 | Transitive request-error-1.2.1.tgz |
actions-toolkit-2.1.0.tgz | Transitive 5.1.1 |
#8 |
|
CVE-2025-25289Path to dependency file: /nexmo-changelog/package.json Path to vulnerable library: /nexmo-changelog/package.json Dependency Hierarchy: -> actions-toolkit-2.1.0.tgz (Root Library) -> rest-16.43.2.tgz -> request-5.6.3.tgz -> ❌ request-error-2.1.0.tgz (Vulnerable Library) |
Medium |
5.3 | Transitive request-error-2.1.0.tgz |
actions-toolkit-2.1.0.tgz | Transitive 5.1.1 |
#8 |
|
CVE-2025-25288Path to dependency file: /nexmo-changelog/package.json Path to vulnerable library: /nexmo-changelog/package.json Dependency Hierarchy: -> actions-toolkit-2.1.0.tgz (Root Library) -> rest-16.43.2.tgz -> ❌ plugin-paginate-rest-1.1.2.tgz (Vulnerable Library) |
Medium |
5.3 | Transitive plugin-paginate-rest-1.1.2.tgz |
actions-toolkit-2.1.0.tgz | Transitive 9.2.2 |
#8 |
|
CVE-2025-25285Path to dependency file: /nexmo-changelog/package.json Path to vulnerable library: /nexmo-changelog/package.json Dependency Hierarchy: -> actions-toolkit-2.1.0.tgz (Root Library) -> rest-16.43.2.tgz -> request-5.6.3.tgz -> ❌ endpoint-6.0.12.tgz (Vulnerable Library) |
Medium |
5.3 | Transitive endpoint-6.0.12.tgz |
actions-toolkit-2.1.0.tgz | Transitive @octokit/endpoint - 9.0.6,@octokit/endpoint - 10.1.3 |
#8 |
|
CVE-2026-26996Path to dependency file: /nexmo-changelog/package.json Path to vulnerable library: /nexmo-changelog/package.json Dependency Hierarchy: -> actions-toolkit-2.1.0.tgz (Root Library) -> flat-cache-2.0.1.tgz -> rimraf-2.6.3.tgz -> glob-7.2.3.tgz -> ❌ minimatch-3.1.5.tgz (Vulnerable Library) |
 High |
7.5 | Transitive minimatch-3.1.5.tgz |
actions-toolkit-2.1.0.tgz | Transitive 10.2.1 |
#8 | |
CVE-2024-21538Path to dependency file: /nexmo-changelog/package.json Path to vulnerable library: /nexmo-changelog/package.json Dependency Hierarchy: -> actions-toolkit-2.1.0.tgz (Root Library) -> execa-1.0.0.tgz -> ❌ cross-spawn-6.0.6.tgz (Vulnerable Library) |
High |
7.5 | Transitive cross-spawn-6.0.6.tgz |
actions-toolkit-2.1.0.tgz | Transitive https://github.com/moxystudio/node-cross-spawn.git - v7.0.5,https://github.com/moxystudio/node-cross-spawn.git - v6.0.6,org.webjars.npm:cross-spawn:6.0.6 |
#8 |
✔️ Remediated vulnerabilities:
| Vulnerability | Vulnerable Library |
|---|---|
| CVE-2025-25290 | request-3.0.2.tgz |
| CVE-561003-132867 | tmp-0.0.33.tgz |
| CVE-2022-37598 | uglify-js-3.7.1.tgz |
| GHSA-7fhm-mqm4-2wp7 | acorn-6.4.0.tgz |
| CVE-2025-54798 | tmp-0.0.33.tgz |
| GHSA-7fhm-mqm4-2wp7 | minimist-1.2.0.tgz |
| GHSA-6chw-6frg-f759 | acorn-6.4.0.tgz |
| GHSA-7fhm-mqm4-2wp7 | minimist-0.0.10.tgz |
| CVE-2020-15366 | ajv-6.10.0.tgz |
| CVE-2025-25285 | endpoint-5.1.1.tgz |
| CVE-2021-23337 | lodash-4.17.19.tgz |
| GHSA-35jh-r3h4-6jhm | lodash-4.17.19.tgz |
| CVE-2020-28500 | lodash-4.17.19.tgz |
| CVE-2025-69873 | ajv-6.10.0.tgz |
| GHSA-7fhm-mqm4-2wp7 | minimist-0.0.8.tgz |
Base branch total remaining vulnerabilities: 97
Base branch commit: a92eb37bc4e41a0be70aa320ab2b1ec5e30a1477
Total libraries scanned: 646
Scan token: 3f3c3abc25d342b5ba9d164981cb7a58