17 matches found
@agent-harness-experimental/workflow (>=0.0.1 <=0.0.4), @commandkit/workflow (>=0.0.0-dev.20251108074143 <=1.2.1-dev.20260414125348) +48 more potentially affected by CVE-2026-42570 via devalue (=5.6.3)
devalue NPM version =5.6.3 is affected by a known vulnerability. The following packages have a transitive dependency on devalue and may be impacted: - @agent-harness-experimental/workflow =0.0.1, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0, =3.8.7,...
@agent-harness-experimental/workflow (>=0.0.1 <=0.0.4), @commandkit/workflow (>=0.0.0-dev.20251108074143 <=1.2.1-dev.20260414125348) +75 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.3)
devalue NPM version =5.0.0, =0.0.1, =0.0.0-dev.20251108074143, =4.2.3, =3.8.8, =3.8.8, =3.8.7, =3.8.7, =0.1.1, =4.3.15, =0.2.0, =3.8.7, =0.2.0, =0.0.9, =1.22.40-beta.development.0, =1.21.56-beta.0, =1.22.82-beta.development.0 and more Source cves: unknown CVE Source advisory:...
@aabelmann/ui-layer (=0.0.1), @adinvadim/convex-vue (>=1.1.0 <=1.3.0) +753 more potentially affected by unknown CVE via devalue (>=4.0.1 <=5.6.3)
devalue NPM version =4.0.1, =1.1.0, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.2.2, =0.2.2, =0.2.2, =0.3.0, =0.5.7, =0.0.1-beta.3, =0.0.1-alpha.1, =0.0.1-alpha.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-MWV9-GP5H-FRR4...
0xrtest (=1.0.0), 3nit-utils (>=0.30.0 <=1.0.2) +1407 more potentially affected by CVE-2026-30226 via devalue (>=1.1.1 <=5.6.3)
devalue NPM version =1.1.1, =0.30.0, =0.0.0-canary.0, =0.0.11, =0.1.0, =1.1.0, =1.0.1, =1.1.0, =0.0.27, =1.0.4, =1.0.0, =1.0.1 and more Source cves: CVE-2026-30226 Source advisory: OSV:GHSA-CFW5-2VXH-HR84...
@aabelmann/ui-layer (=0.0.1), @adinvadim/convex-vue (>=1.1.0 <=1.3.0) +753 more potentially affected by CVE-2026-30226 via devalue (>=4.0.1 <=5.6.3)
devalue NPM version =4.0.1, =1.1.0, =1.0.4, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.2.2, =0.2.2, =0.2.2, =0.3.0, =0.5.7, =0.0.1-beta.3, =0.0.1-alpha.1, =0.0.1-alpha.4 and more Source cves: CVE-2026-30226 Source advisory: SNYK:JS-DEVALUE-15467451...
devalue security vulnerability
devalue is an enhanced JavaScript object serialization library developed by Svelte. Versions of devalue 5.6.3 and earlier contained a security vulnerability. This vulnerability stemmed from the susceptibility of devalue.parse and devalue.unflatten to prototype pollution attacks involving speciall...
Allocation of Resources Without Limits or Throttling
Overview: devalue is like JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the uneval or stringify functions. An attack...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.2)
devalue NPM version =5.0.0, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.65, =1.1.27, =1.1.21, =1.2.263, =2.2.3, =4.0.1 and...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.2)
devalue NPM version =5.0.0, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.65, =1.1.27, =1.1.21, =1.2.263, =2.2.3, =4.0.1 and...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by CVE-2026-22775 via devalue (>=5.1.1 <=5.6.0)
devalue NPM version =5.1.1, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.97, =1.1.53, =2.0.0, =1.2.263, =3.1.3, =4.0.1 and mo...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by CVE-2026-22775 via devalue (>=5.1.1 <=5.6.0)
devalue NPM version =5.1.1, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.97, =1.1.53, =2.0.0, =1.2.263, =3.1.3, =4.0.1 and mo...
Asymmetric Resource Consumption (Amplification)
Overview: devalue is like JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) due to the improper validation in ArrayBuffer if input...
@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +34 more potentially affected by CVE-2026-22774 via devalue (>=5.3.2 <=5.6.0)
devalue NPM version =5.3.2, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.3.4, =0.20.8 and more...
Asymmetric Resource Consumption (Amplification)
Overview: devalue is like JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) due to the improper ArrayBuffer type validation in the...
@jill64/svelte-dark-theme (>=2.3.65 <=5.1.7), @jill64/svelte-i18n (>=1.1.27 <=2.2.1) +9 more potentially affected by CVE-2025-57820 via devalue (>=5.0.0 <=5.1.1)
devalue NPM version =5.0.0, =2.3.65, =1.1.27, =1.1.21, =1.2.263, =2.2.3, =0.0.2-dev.84, =1.0.23, =1.0.22, =1.0.0, =1.0.6, =2.1.10, =2.1.15 Source cves: CVE-2025-57820 Source advisory: SNYK:JS-DEVALUE-12205530...
0xrtest (=1.0.0), 3nit-utils (>=0.30.0 <=1.0.2) +1341 more potentially affected by CVE-2025-57820 via devalue (>=1.1.1 <=5.1.1)
devalue NPM version =1.1.1, =0.30.0, =0.0.0-canary.0, =0.0.11, =0.1.0, =1.1.0, =1.0.1, =1.1.0, =0.0.27, =1.0.4, =1.0.0, =1.0.1 and more Source cves: CVE-2025-57820 Source advisory: OSV:GHSA-VJ54-72F3-P5JV...
3nit-utils (>=0.30.0 <=1.0.2), @aller/theming (>=1.0.0 <=1.0.2) +25 more potentially affected by unknown CVE via devalue (=2.0.0)
devalue NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on devalue and may be impacted: - 3nit-utils =0.30.0, =1.0.0, =1.2.1-next.3, =0.0.1, =0.1.1, =1.11.8, =4.1.1, =0.1.2, =0.1.1, =0.0.2-canary.2, =9.0.5, =9.1.5-canary.9 and more Sour...