
4 matches found

vulnersOsv
added 2025/05/16 6:30 a.m., 4 views

@adpt/testutils (>=0.1.0-next.1 <=0.4.0-next.6), @lavamoat/git-safe-dependencies (>=0.1.1 <=0.2.1) +6 more potentially affected by CVE-2025-4759 via lockfile-lint-api (>=1.0.7 <=5.9.1)

lockfile-lint-api NPM version =1.0.7, =0.1.0-next.1, =0.1.1, =1.0.0, =4.3.1-test1, =1.3.0, =1.0.1, =4.2.2, =4.3.1, =4.7.0 Source cves: CVE-2025-4759 Source advisory: OSV:GHSA-7CFR-5CJF-32P4...

CVSS 8.3, AI score 5.8, EPSS 0.00175
Exploits: 1
OSV
added 2025/05/16 6:30 a.m., 1 views

GHSA-7CFR-5CJF-32P4 lockfile-lint-api Vulnerable to Incorrect Behavior Order

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 8.3, AI score 5.9, EPSS 0.00175
Exploits: 1, References: 7
NVD
added 2025/05/16 5:15 a.m., 17 views

CVE-2025-4759

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by extending the package name allowing an attacker to install other npm packages than the intended one...

CVSS 8.3, EPSS 0.00175
Exploits: 1, References: 5
vulnersOsv
added 2025/04/13 6:4 p.m., 4 views

@lavamoat/git-safe-dependencies (>=0.1.1 <=0.2.1) potentially affected by CVE-2025-4759 via lockfile-lint-api (=5.9.1)

lockfile-lint-api NPM version =5.9.1 is affected by a known vulnerability. The following packages have a transitive dependency on lockfile-lint-api and may be impacted: - @lavamoat/git-safe-dependencies =0.1.1, =0.2.1 Source cves: CVE-2025-4759 Source advisory: SNYK:JS-LOCKFILELINTAPI-10169587...

CVSS 8.3, AI score 5.8, EPSS 0.00175
Exploits: 1