cve-monitor: scanning /home/runner/work/ZeroAuth/ZeroAuth (dry-run=0)
cve-monitor: running npm audit --json in /home/runner/work/ZeroAuth/ZeroAuth
./scripts/cve-monitor.sh: line 84: echo: write error: Broken pipe
npm audit summary: {"info":0,"low":18,"moderate":25,"high":11,"critical":0,"total":54}
npm audit: 11 high/critical advisories found
- axios (high): Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
- bfj (high): see npm audit
- fast-uri (high): fast-uri vulnerable to path traversal via percent-encoded dot segments
- jsonpath (high): see npm audit
- lodash (high): lodash vulnerable to Code Injection via `_.template` imports key names
- path-to-regexp (high): path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
- picomatch (high): Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
- serialize-javascript (high): Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
- tmp (high): tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
- underscore (high): Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
- undici (high): Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
cve-monitor: osv-scanner not installed on this runner; skipping
::warning::osv-scanner not found — npm audit only. See C-032 setup notes.
cve-monitor: at least one HIGH or CRITICAL CVE found — failing
Nightly CVE monitor — high/critical finding
Run: https://github.com/zeroauth-dev/ZeroAuth/actions/runs/26673136348
Workflow: CVE Monitor
Commit: 326626b
Closes audit-findings.md C-14 instrumentation; see docs/plan/bfsi-v1/04-commits.md commit C-032 for context.
Scanner output: see the cve-monitor log above.
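The gate the log above implements (run `npm audit --json`, print the `metadata.vulnerabilities` counts as the summary line, list the top-level packages at high or critical with the first advisory title from their `via` array, and exit non-zero when any are present), written out as an added stand-alone example. This is illustration code in Python, not the ZeroAuth `scripts/cve-monitor.sh`; the audit JSON below is constructed in the shape npm 7+ prints (`auditReportVersion` 2) with only the fields the script reads filled in, and the `bfj` entry shows why two lines in the real log read "see npm audit": when a finding is transitive, `via` holds dependency names rather than advisory objects, so there is no title to print.

```python
"""Minimal npm-audit gate: summarise counts, list high/critical advisories,
return a failing exit status when any are present.
Added illustration only; not the project's cve-monitor.sh."""
import json
import sys

# Severities that fail the gate (the monitor's HIGH/CRITICAL rule).
FAIL_SEVERITIES = ("high", "critical")

# Constructed sample in the shape `npm audit --json` emits on npm 7+.
# Assumption: only the fields this script reads are filled in.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "axios": {
            "name": "axios", "severity": "high", "isDirect": True,
            "via": [{"source": 1, "name": "axios", "severity": "high",
                     "title": "Axios has a NO_PROXY Hostname Normalization "
                              "Bypass that Leads to SSRF"}],
            "effects": [], "fixAvailable": True,
        },
        "bfj": {
            # Transitive finding: `via` lists dependency names, not advisory
            # objects, so there is no title available for the report line.
            "name": "bfj", "severity": "high", "isDirect": False,
            "via": ["jsonpath"], "effects": [], "fixAvailable": False,
        },
        "lodash": {
            "name": "lodash", "severity": "moderate", "isDirect": True,
            "via": [{"source": 2, "name": "lodash", "severity": "moderate",
                     "title": "constructed sample advisory (moderate)"}],
            "effects": [], "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 2, "critical": 0, "total": 3}},
})

# Constructed clean report: the gate must pass on this one.
CLEAN_AUDIT = json.dumps({
    "auditReportVersion": 2, "vulnerabilities": {},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0,
                                     "high": 0, "critical": 0, "total": 0}},
})


def summary(report):
    """Per-severity counts, as printed on the 'npm audit summary:' line."""
    return report["metadata"]["vulnerabilities"]


def failing_advisories(report):
    """(package, severity, title) for each top-level entry at a failing severity.
    Falls back to 'see npm audit' when `via` carries no advisory object."""
    out = []
    for name, vuln in sorted(report["vulnerabilities"].items()):
        if vuln.get("severity") not in FAIL_SEVERITIES:
            continue
        titles = [v["title"] for v in vuln.get("via", [])
                  if isinstance(v, dict) and v.get("title")]
        out.append((name, vuln["severity"],
                    titles[0] if titles else "see npm audit"))
    return out


def render(audit_json):
    """Build the monitor-style report lines; return (lines, exit_status)."""
    report = json.loads(audit_json)
    counts = summary(report)
    findings = failing_advisories(report)
    lines = ["npm audit summary: " + json.dumps(counts, separators=(",", ":")),
             f"npm audit: {len(findings)} high/critical advisories found"]
    lines += [f"- {n} ({s}): {t}" for n, s, t in findings]
    # Fail on either the listed findings or the metadata counters, so a
    # report whose entries lack a severity field still cannot slip through.
    status = 1 if findings or counts["high"] or counts["critical"] else 0
    if status:
        lines.append("cve-monitor: at least one HIGH or CRITICAL CVE found -- failing")
    return lines, status


def gate(audit_json):
    """Print the report and return the process exit status (0 pass, 1 fail)."""
    lines, status = render(audit_json)
    print("\n".join(lines))
    return status


if __name__ == "__main__":
    # Real use: `npm audit --json | python3 audit_gate.py`; with no piped
    # input the constructed sample is gated instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    sys.exit(gate(data))
```

Capture the JSON before gating rather than relying on `npm audit`'s own exit code: `npm audit` returns non-zero whenever it finds any vulnerability at all, so under `set -o pipefail` a pipeline that merely reads its output would fail on a low-only report. Also note that the metadata counts and the listed findings are two different views: the summary line counts every advisory, while the list is one line per top-level package, so the two numbers only coincide when each failing package has a single advisory, as they happen to in the log above.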