[Bug]: Critical security vulnerabilities found in package dependencies #145

Closed
opened 2026-02-28 18:50:09 -06:00 by GiteaMirror · 2 comments

Originally created by @biohzrddd on GitHub (Nov 16, 2022).

Verified issue does not already exist?

I have searched and found no existing issue

What happened?

Google Cloud vulnerability scan found the following:
1x critical
1x High
5x Medium
Many x Low

The dependencies for actual-* need to be updated/replaced to fix vulnerabilities.

![image](https://user-images.githubusercontent.com/10577752/202287640-5ffc03c2-1cbf-46ed-a424-3984f3842296.png)

What error did you receive?

See What Happened?

Where are you hosting Actual?

Other

What browsers are you seeing the problem on?

Other

Operating System

Linux

GiteaMirror added the bug label 2026-02-28 18:50:09 -06:00

@jlongster commented on GitHub (Nov 16, 2022):

This is very vague. Please dig in and provide concrete steps for what we need to do. Often, these kinds of vulnerability scans are useless as they find things that are only run in development mode, etc. We have _very_ few binary deps and none of those packages look relevant to Actual. If you can't give us more concrete steps or a description of what's wrong, we'll close this issue.


@biohzrddd commented on GitHub (Nov 16, 2022):

It appears Google Cloud's Container Scanning API was scanning the OS and not any of the node.js packages Actual depends on. Closing, sorry for the confusion!

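The thread turns on two triage questions that a raw scanner summary (1 critical, 1 high, 5 medium, many low) does not answer: is a finding in the base image's OS packages or in the application's npm dependencies, and, if it is an npm package, does it ship at runtime or only as a devDependency? The following script is an added example, not code from this issue or from the Actual project. It reads a constructed scan report in a hypothetical JSON shape (not Google Cloud Container Scanning's actual output format) together with a constructed `package.json` excerpt, and sorts findings into the buckets a maintainer would act on differently: OS findings (fixed by rebasing the image), runtime npm findings with a fix available (fixed by bumping the dependency), dev-only findings (usually not shipped), and packages not found in `package.json` (transitive dependencies, which need a lockfile walk).

```python
"""Triage a container-image vulnerability scan for a Node.js application.

Added example: the report shape below is hypothetical and constructed for
illustration; real scanners (Google Cloud Container Scanning, Trivy, Grype)
each have their own output format and would need a small adapter.
"""
import json
from collections import Counter

# Constructed sample report (hypothetical shape, not a real scanner's output).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"package": "openssl", "type": "os", "severity": "CRITICAL",
         "fixed_in": "1.1.1n-0+deb11u4"},
        {"package": "libtasn1-6", "type": "os", "severity": "HIGH",
         "fixed_in": None},
        {"package": "minimist", "type": "npm", "severity": "MEDIUM",
         "fixed_in": "1.2.6"},
        {"package": "eslint", "type": "npm", "severity": "LOW",
         "fixed_in": "8.1.0"},
    ]
})

# Constructed package.json excerpt; only direct dependencies are listed here,
# as in a real package.json.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"minimist": "^1.2.5"},
    "devDependencies": {"eslint": "^7.0.0"},
})


def classify_findings(report_json, package_json):
    """Split findings by where they live and who can fix them.

    Buckets:
      os            - base-image OS packages; fix by rebasing the image
      app_runtime   - direct npm dependency shipped at runtime
      app_dev_only  - only in devDependencies; normally not in the artifact
      app_unknown   - npm package not in package.json (likely transitive;
                      resolve it by walking the lockfile, not attempted here)
    """
    report = json.loads(report_json)
    pkg = json.loads(package_json)
    runtime = set(pkg.get("dependencies", {}))
    dev = set(pkg.get("devDependencies", {}))
    buckets = {"os": [], "app_runtime": [], "app_dev_only": [], "app_unknown": []}
    for finding in report["findings"]:
        if finding["type"] == "os":
            buckets["os"].append(finding)
        elif finding["package"] in runtime:
            buckets["app_runtime"].append(finding)
        elif finding["package"] in dev:
            buckets["app_dev_only"].append(finding)
        else:
            buckets["app_unknown"].append(finding)
    return buckets


def severity_counts(findings):
    """Count findings per severity label, e.g. {'CRITICAL': 1, 'HIGH': 1}."""
    return Counter(f["severity"] for f in findings)


def actionable(buckets):
    """Runtime npm findings the application maintainer can fix by bumping a
    dependency, i.e. those where the scanner reports a fixed version."""
    return [f for f in buckets["app_runtime"] if f.get("fixed_in")]


def summarize(buckets):
    """Human-readable summary, one line per bucket plus the actionable list."""
    lines = []
    for name, findings in buckets.items():
        counts = dict(severity_counts(findings))
        lines.append(f"{name:13s} {len(findings):3d}  {counts}")
    for f in actionable(buckets):
        lines.append(f"bump {f['package']} -> {f['fixed_in']} ({f['severity']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(classify_findings(SAMPLE_REPORT, SAMPLE_PACKAGE_JSON)))
```

On the constructed input, both the critical and the high finding land in the `os` bucket, which is exactly the situation the reporter describes: nothing in `package.json` is implicated, and the remedy is a newer base image rather than a dependency change. The one runtime npm finding (`minimist`) is the only item a `package.json` edit would address.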
Reference: github-starred/actual#145