
Downstream dependency on-headers presents a low-severity CVE #7446

@taylorreece


Describe the bug

express-logging is a dependency of netlify-cli, and it has a downstream dependency on on-headers. on-headers recently popped a low-severity CVE, GHSA-76c9-3jph-rj3q.

When you install netlify-cli, due to the shrinkwrap file, you end up with version 1.0.2 of on-headers rather than the patched 1.1.0.

I'll put up a PR in a sec that updates the downstream dependency in package-lock.json to 1.1.0, so users of netlify-cli install the correct version.

Steps to reproduce

Install netlify-cli; you get the vulnerable downstream dependency on-headers at 1.0.2 rather than 1.1.0.

Configuration

No response

Environment

System:
OS: macOS 15.5
CPU: (10) arm64 Apple M1 Pro
Memory: 74.25 MB / 32.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.12.0 - ~/.asdf/installs/nodejs/22.12.0/bin/node
Yarn: 1.22.19 - ~/.asdf/shims/yarn
npm: 10.9.0 - ~/.asdf/plugins/nodejs/shims/npm

Labels: type: bug (code to address defects in shipped code)