8c7874e37a3b96388620cdd46465d59178f9aabe
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream
patches (no suppressions):
postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be
silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM
protection. Affects 42.7.4-42.7.11.
httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5) HTTP/1.1 parser DoS
CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation
httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7
bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3.
Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched
versions.
Refs bom#6
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Description
ARIA — ATM Threat Monitoring and IOC Detection
Languages
Svelte
60.7%
Java
33.9%
TypeScript
3.6%
CSS
1%
Shell
0.3%
Other
0.5%