Description
aegir publish and aegir build may leak secrets from environmental variables in the browser bundle published to npm.
Recommendation
Update the aegir package to the latest compatible version. Followings are version details:
- Affected version(s): >= 21.7.0, < 21.10.1
- Patched version(s): 21.10.1
References
Related Issues
- Finance.js vulnerable to DoS via the IRR function’s depth parameter - CVE-2025-56571
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Tags:
- npm
- aegir
Anything's wrong? Let us know Last updated on October 10, 2023