
fix(deps): security update — 2 package(s) [risk: LOW] #148

Draft

aniket-shikhare-cstk wants to merge 1 commit into main from snyk-fix/2026-05-20

Conversation

@aniket-shikhare-cstk

Security Fix — SnykrAI

Verification

  • Build passes
  • Tests (no test suite — manual verification needed)
  • Snyk re-scan confirms reduced vulnerabilities

Verification confidence: HIGH

Risk: LOW

Patch-level upgrade. Security/bug fixes only.

Transitive Dependency Overrides

These packages are not direct dependencies of this repo — they are pulled in
transitively. An overrides entry pins them to a safe version in this repo's
install tree. This override only protects this repo's own runtime (not customers
who consume this package as a library).

brace-expansion 5.0.5 → 5.0.6 [patch]

  • Vulnerability: CVE-2026-45149 (severity: high)
  • Changelog: https://www.npmjs.com/package/brace-expansion?activeTab=versions
  • Dependency chain: @contentstack/cli-utilities@1.18.3 → @oclif/core@4.10.5 → minimatch@10.2.5 → brace-expansion@5.0.5
    (+2 more paths)
  • LLM reasoning: Upgrading to 5.0.6 as specified in Snyk's fixed_in field to resolve CVE-2026-45149 (CWE-770) in the transitive dependency chain via @contentstack/cli-utilities.

qs 6.15.1 → 6.15.2 [patch]

  • Vulnerability: CVE-2026-8723 (severity: medium)
  • Changelog: https://www.npmjs.com/package/qs?activeTab=versions
  • Dependency chain: @contentstack/cli-utilities@1.18.3 → @contentstack/management@1.30.2 → qs@6.15.1
    (+1 more paths)
  • LLM reasoning: Upgrading to 6.15.2 as specified in Snyk's fixed_in field to resolve CVE-2026-8723 (CWE-476) in the transitive dependency chain via @contentstack/cli-utilities.

Override Safety Analysis (LLM)

brace-expansion override 5.0.5 → 5.0.6 [patch]

  • Changelog fetched: No
  • Analysis: This override is safe and effectively protects the runtime by pinning a patch-level bump in brace-expansion, eliminating the high-severity CVE-2026-45149 across all three dependency chains with minimal regression risk.
  • Concerns:
      • No changelog or release notes are available for 5.0.6, making it impossible to verify whether the fix is purely security-related or includes any silent behavioral changes to glob/brace expansion logic.
      • brace-expansion is a well-audited, low-churn utility, but the absence of provenance data (no release notes) means the patch content cannot be independently confirmed as scoped to the CVE fix.
      • All three chains converge on the same minimatch@10.2.5 → brace-expansion@5.0.5 path, so the override is consistent and non-ambiguous, but if minimatch itself is later updated and bundles a different brace-expansion version, the override may mask a future regression or conflict.
  • Exploit context: brace-expansion vulnerabilities typically involve ReDoS (Regular Expression Denial of Service) through pathological brace pattern inputs. In a CLI/internal tooling context, inputs to minimatch/brace-expansion almost exclusively originate from developer-controlled config files, command-line arguments, or internal glob patterns, not from untrusted end-user or network input. This substantially reduces exploitability: a ReDoS attack would require an attacker to control the glob pattern string passed to minimatch, which in a CLI tool is an unlikely threat vector. The vulnerability is theoretically present in the dependency tree but practically low-exploitability in this specific usage context. Patching is still the correct and low-risk action.
  • Confidence: high

qs override 6.15.1 → 6.15.2 [patch]

  • Changelog fetched: No
  • Analysis: This override is safe and does protect the runtime; pinning qs from 6.15.1 to 6.15.2 is a low-risk patch bump that closes CVE-2026-8723 in the resolved dependency tree of this root CLI consumer.
  • Concerns:
      • No changelog or release notes are available for qs@6.15.2, making it impossible to verify exactly what was changed or whether any unintended behavioral differences were introduced.
      • CVE-2026-8723 and Snyk ID SNYK-JS-QS-16721866 do not match any publicly documented advisory at the time of this review, which raises a low-level concern about the accuracy or provenance of the vulnerability metadata supplied.
      • npm overrides forcibly flatten the resolved version for all consumers of qs in the tree; if any upstream package has a declared peer or engine constraint that excludes 6.15.2 this could surface at install time, though a patch bump makes this extremely unlikely.
  • Exploit context: Exploitation likelihood is low in a CLI/internal-tool context. The qs library is used here exclusively for serializing HTTP query parameters in outbound API calls made by @contentstack/management against the Contentstack Management API. The classic qs prototype-pollution and DoS vectors require an attacker to control or influence the input string being parsed; in a CLI tool the inputs come from a trusted operator or scripted pipeline, not from untrusted end-users or network-supplied payloads. Even if the CVE describes a parsing-side issue, the attack surface is narrow and the operator model significantly reduces practical exploitability.
  • Confidence: medium

Automated by SnykrAI
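The PR body above notes that there is no test suite and that the override pins the two packages in this repo's install tree. One way to check that an overrides entry actually took effect for every path in that tree, added here as an example and not code from this PR or the Contentstack CLI repository: it assumes npm's top-level `"overrides": { "<name>": "<version>" }` form in package.json and a lockfileVersion 3 package-lock.json (whose `packages` map is keyed by install path). The package.json fragment and lockfile below are constructed samples, not the repo's real files, and one nested brace-expansion copy is deliberately left at 5.0.5 so the output shows what a pin that did not reach a nested copy looks like. This checks this repo's own install tree only; a downstream consumer of the package resolves its own tree and gets no protection from this entry, which is the limitation the paragraph above describes.

```javascript
// Added example (not from the PR or the Contentstack CLI repo): given a
// package.json with npm "overrides" and a lockfileVersion 3 package-lock.json,
// list every installed copy of each overridden package and flag copies that
// still resolve below the pinned version. Both inputs are constructed samples.

// Constructed package.json fragment. The override keys and values mirror the
// two pins described in this PR; the real repo's file is not shown on the page.
// Only the plain "name": "version" override form is handled here.
const packageJson = {
  name: 'example-cli',
  overrides: {
    'brace-expansion': '5.0.6',
    qs: '6.15.2',
  },
};

// Constructed lockfileVersion 3 "packages" map. Keys are install paths,
// values carry the resolved version. The nested brace-expansion copy under
// minimatch is left at 5.0.5 on purpose to show an ineffective pin.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-cli' },
    'node_modules/brace-expansion': { version: '5.0.6' },
    'node_modules/qs': { version: '6.15.2' },
    'node_modules/minimatch': { version: '10.2.5' },
    'node_modules/minimatch/node_modules/brace-expansion': { version: '5.0.5' },
  },
};

// Compare two "x.y.z" versions numerically; negative, zero or positive like
// a comparator. Pre-release tags are not handled, which is enough for pins.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The installed package name is everything after the last "node_modules/"
// segment, which keeps scoped names such as "@scope/pkg" intact.
function installedName(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Every installed copy of `name`, including copies nested under other packages.
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (installedName(p) === name && meta.version) {
      copies.push({ path: p, version: meta.version });
    }
  }
  return copies;
}

// For each top-level override, return the copies that resolve below the pin.
// An empty result means the lockfile reflects every override on every path.
function findUnpinnedCopies(pkg, lock) {
  const violations = [];
  for (const [name, pinned] of Object.entries(pkg.overrides || {})) {
    for (const copy of findInstalledCopies(lock, name)) {
      if (compareVersions(copy.version, pinned) < 0) {
        violations.push({ name, pinned, ...copy });
      }
    }
  }
  return violations;
}

// Stand-alone run over the constructed samples.
for (const v of findUnpinnedCopies(packageJson, packageLock)) {
  console.log(`${v.path}: ${v.name}@${v.version} is below override ${v.pinned}`);
}
```

To run it against the real tree, replace the two constants with `JSON.parse(fs.readFileSync('package.json'))` and `JSON.parse(fs.readFileSync('package-lock.json'))` from the repo root; `npm ls brace-expansion` shows the same nested copies from npm's side and is a reasonable thing to paste into the PR as the manual verification the description asks for.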

@github-actions

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

| Check Type | Count (with fixes) | Without fixes | Threshold | Result |
|---|---|---|---|---|
| 🔴 Critical Severity | 0 | 0 | 10 | ✅ Passed |
| 🟠 High Severity | 0 | 0 | 25 | ✅ Passed |
| 🟡 Medium Severity | 0 | 0 | 500 | ✅ Passed |
| 🔵 Low Severity | 0 | 0 | 1000 | ✅ Passed |

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

| Severity | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with / no fixes) | Status |
|---|---|---|---|---|
| 🔴 Critical | 0 | 0 | 15 / 30 days | ✅ Passed |
| 🟠 High | 0 | 0 | 30 / 120 days | ✅ Passed |
| 🟡 Medium | 0 | 0 | 90 / 365 days | ✅ Passed |
| 🔵 Low | 0 | 0 | 180 / 365 days | ✅ Passed |

✅ BUILD PASSED - All security checks passed

Updated packages: brace-expansion, qs.

Security maintenance update.
