# Node.js / npm ecosystem

# glob CLI command injection (CVE-2025-64756)
# Only affects glob -c/--cmd; we only use glob as a library in Vite/SvelteKit.
CVE-2025-64756

# Go stdlib false positives in esbuild binary
# esbuild doesn't use the vulnerable archive/tar or crypto/x509 paths in a way that's exploitable.
CVE-2025-58183
CVE-2025-61729

# Additional Go stdlib findings in embedded binaries
# These are from bundled toolchain/binary context, not executable paths used by the app runtime.
CVE-2025-68121
CVE-2025-61726
CVE-2025-61728

# jaraco.context Has a Path Traversal Vulnerability Fixed via setuptools
GHSA-58pv-8j8x-9vj2
CVE-2026-23949
CVE-2026-24049