Skip to content

feat: implement filter functionality#169

Open
crfmc wants to merge 87 commits into
mainfrom
crfmc/filters
Open

feat: implement filter functionality#169
crfmc wants to merge 87 commits into
mainfrom
crfmc/filters

Conversation

@crfmc

@crfmc crfmc commented Dec 23, 2025

Copy link
Copy Markdown
Collaborator
  • Add filtering interface from configuration file

crfmc added 27 commits October 1, 2025 13:34
- feat: update file upload styles and icons
- refactor: move components out of app.tsx
- feat: implement cohort selection
- feat: update default names of cohorts
- refactor: remove useMemo call
- feat: allow array format for file upload
- feat: add url param for cohortId
- feat: enable proper file renaming
- feat: add placeholder error banner for malformed external url
- feat: when users upload cohort, switch to the first samples
- refactor: reorganize components/files
- feat: update validation for uploaded files
- feat: implement better error banners
- refactor: improve helper functions
- fix: un-nest all CSS declarations
- feat: warning banner when external demo fails
- feat: adjust text for upload url button
- style: update colors and spacing
- style: update navigation bar styles for safari
- feat: update text
- feat: use file name as default
@dbmi-svc-checkmarx

dbmi-svc-checkmarx commented Dec 23, 2025

Copy link
Copy Markdown

Logo
Checkmarx One – Scan Summary & Details1679bbe8-066a-4398-8823-142165af369b


New Issues (81) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 CRITICAL CVE-2026-33896 Npm-node-forge-1.3.1
detailsRecommended version: 1.4.0
Description: `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstr...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
2 CRITICAL CVE-2026-42043 Npm-axios-0.25.0
detailsRecommended version: 0.31.1
Description: Axios is a promise based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1 , an attacker who can influ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
3 CRITICAL CVE-2026-42043 Npm-axios-1.6.2
detailsRecommended version: 1.15.1
Description: Axios is a promise based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1 , an attacker who can influ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
4 CRITICAL CVE-2026-42264 Npm-axios-1.6.2
detailsRecommended version: 1.15.2
Description: Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 prior to version 1.15.2, five config properties (auth, baseURL...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
5 CRITICAL CVE-2026-4800 Npm-lodash-4.17.21
detailsRecommended version: 4.18.0
Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
6 CRITICAL CVE-2026-9277 Npm-shell-quote-1.8.1
detailsRecommended version: 1.8.4
Description: shell-quote `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-esc...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
7 HIGH CVE-2024-52011 Npm-vite-2.9.8
detailsRecommended version: 5.4.9
Description: launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
8 HIGH CVE-2024-52011 Npm-launch-editor-2.6.0
detailsRecommended version: 2.9.0
Description: launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
9 HIGH CVE-2026-12143 Npm-form-data-4.0.0
detailsRecommended version: 4.0.6
Description: form-data is a library for creating readable multipart/form-data streams. In versions through 2.5.5, 3.x through 3.0.4 and 4.x through 4.0.5, the `...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
10 HIGH CVE-2026-13149 Npm-brace-expansion-1.1.11
detailsRecommended version: 1.1.16
Description: brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of conse...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
11 HIGH CVE-2026-13311 Npm-shell-quote-1.8.1
detailsRecommended version: 1.9.0
Description: shell-quote prior to 1.8.5 finalizes parsed tokens in `parse()` using `Array.prototype.concat` as a reduce accumulator, which reallocates and copie...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
12 HIGH CVE-2026-25535 Npm-jspdf-2.5.1
detailsRecommended version: 4.2.0
Description: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
13 HIGH CVE-2026-25755 Npm-jspdf-2.5.1
detailsRecommended version: 4.2.0
Description: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
14 HIGH CVE-2026-25940 Npm-jspdf-2.5.1
detailsRecommended version: 4.2.0
Description: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to in...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
15 HIGH CVE-2026-26996 Npm-minimatch-3.1.2
detailsRecommended version: 3.1.3
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
16 HIGH CVE-2026-27606 Npm-rollup-2.61.0
detailsRecommended version: 2.80.0
Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
17 HIGH CVE-2026-27903 Npm-minimatch-3.1.2
detailsRecommended version: 3.1.3
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
18 HIGH CVE-2026-27904 Npm-minimatch-3.1.2
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
19 HIGH CVE-2026-29074 Npm-svgo-2.8.0
detailsRecommended version: 2.8.1
Description: SVGO is a Node.js library and command-line application for optimizing SVG files. Versions 2.1.0 through 2.8.0, 3.0.0 through 3.3.2, and versions pr...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
20 HIGH CVE-2026-32141 Npm-flatted-3.2.2
detailsRecommended version: 3.4.0
Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's "parse()" function uses a recursive "revive()" phase to resolve circular references in...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
21 HIGH CVE-2026-33228 Npm-flatted-3.2.2
detailsRecommended version: 3.4.2
Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
22 HIGH CVE-2026-33671 Npm-picomatch-2.3.0
detailsRecommended version: 2.3.2
Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
23 HIGH CVE-2026-33671 Npm-picomatch-2.3.1
detailsRecommended version: 2.3.2
Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
24 HIGH CVE-2026-33750 Npm-brace-expansion-1.1.11
detailsRecommended version: 1.1.13
Description: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. In versions prior to 1.1.13, 2.0.0 prior to 2.0.3, 3...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
25 HIGH CVE-2026-33891 Npm-node-forge-1.3.1
detailsRecommended version: 1.4.0
Description: A Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the "BigInteger.modInverse()" function (inherit...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
26 HIGH CVE-2026-33894 Npm-node-forge-1.3.1
detailsRecommended version: 1.4.0
Description: Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 s...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
27 HIGH CVE-2026-33895 Npm-node-forge-1.3.1
detailsRecommended version: 1.4.0
Description: Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid s...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
28 HIGH CVE-2026-34043 Npm-serialize-javascript-6.0.1
detailsRecommended version: 7.0.5
Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
29 HIGH CVE-2026-42033 Npm-axios-0.25.0
detailsRecommended version: 0.31.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, when Object.prototype has ...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
30 HIGH CVE-2026-42033 Npm-axios-1.6.2
detailsRecommended version: 1.15.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, when Object.prototype has ...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
31 HIGH CVE-2026-42035 Npm-axios-1.6.2
detailsRecommended version: 1.15.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, a prototype pollution gadg...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
32 HIGH CVE-2026-42035 Npm-axios-0.25.0
detailsRecommended version: 0.31.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, a prototype pollution gadg...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
33 HIGH CVE-2026-42038 Npm-axios-0.25.0
detailsRecommended version: 0.31.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, he fix for no_proxy hostname normalisa...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
34 HIGH CVE-2026-42038 Npm-axios-1.6.2
detailsRecommended version: 1.15.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, he fix for no_proxy hostname normalisa...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
35 HIGH CVE-2026-44431 Python-urllib3-1.26.15
detailsRecommended version: 2.7.0
Description: When following cross-origin redirects for requests made using urllib3's high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and ...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
36 HIGH CVE-2026-44487 Npm-axios-1.6.2
detailsRecommended version: 1.16.0
Description: Axios's Node.js versions prior to `0.32.0` on the `0.x` line and versions prior to `1.16.0` on the `1.x`, HTTP adapter may forward a `Proxy-Authori...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
37 HIGH CVE-2026-44487 Npm-axios-0.25.0
detailsRecommended version: 0.32.0
Description: Axios's Node.js versions prior to `0.32.0` on the `0.x` line and versions prior to `1.16.0` on the `1.x`, HTTP adapter may forward a `Proxy-Authori...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
38 HIGH CVE-2026-44490 Npm-axios-1.6.2
detailsRecommended version: 1.16.0
Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.0.0 prior to 1.16.0, axios exposes two read-side prototype-...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
39 HIGH CVE-2026-44490 Npm-axios-0.25.0
detailsRecommended version: 0.32.0
Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.0.0 prior to 1.16.0, axios exposes two read-side prototype-...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
40 HIGH CVE-2026-44492 Npm-axios-1.6.2
detailsRecommended version: 1.16.0
Description: shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
41 HIGH CVE-2026-44492 Npm-axios-0.25.0
detailsRecommended version: 0.32.0
Description: shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
42 HIGH CVE-2026-45736 Npm-ws-8.5.0
detailsRecommended version: 8.20.1
Description: ws is an open source WebSocket client and server for Node.js. In versions 8.0.0 prior to 8.20.1, the `websocket.close()` implementation is vulnerab...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
43 HIGH CVE-2026-45736 Npm-ws-8.13.0
detailsRecommended version: 8.20.1
Description: ws is an open source WebSocket client and server for Node.js. In versions 8.0.0 prior to 8.20.1, the `websocket.close()` implementation is vulnerab...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
44 HIGH CVE-2026-4867 Npm-path-to-regexp-0.1.7
detailsRecommended version: 0.1.13
Description: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a peri...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
45 HIGH CVE-2026-48779 Npm-ws-7.5.9
detailsRecommended version: 7.5.11
Description: A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into al...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
46 HIGH CVE-2026-48779 Npm-ws-8.5.0
detailsRecommended version: 8.21.0
Description: A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into al...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
47 HIGH CVE-2026-48779 Npm-ws-8.13.0
detailsRecommended version: 8.21.0
Description: A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into al...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
48 HIGH CVE-2026-53571 Npm-vite-2.9.8
detailsRecommended version: 6.4.3
Description: The contents of files that are specified by [`server.fs.deny`](https://vite\.dev/config/server\-options\#server\-fs\-deny\) can be returned to the browse...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
49 HIGH CVE-2026-59869 Npm-js-yaml-4.1.0
detailsRecommended version: 4.3.0
Description: js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 prior to 3.15.0 and from 4.0.0 prior to 4.3.0, from 5.0.0 prior to 5.1.0, js-yaml can sp...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
50 HIGH CVE-2026-59869 Npm-js-yaml-3.14.1
detailsRecommended version: 3.15.0
Description: js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 prior to 3.15.0 and from 4.0.0 prior to 4.3.0, from 5.0.0 prior to 5.1.0, js-yaml can sp...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
51 HIGH CVE-2026-9375 Python-urllib3-1.26.15
detailsRecommended version: 2.7.0
Description: urllib3 versions through 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli suppor...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
52 HIGH Cxf5fb15b0-6576 Npm-serialize-javascript-6.0.1
detailsRecommended version: 7.0.3
Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
53 MEDIUM CVE-2025-62718 Npm-axios-1.6.2
detailsRecommended version: 1.15.0
Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when chec...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
54 MEDIUM CVE-2025-62718 Npm-axios-0.25.0
detailsRecommended version: 0.31.0
Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when chec...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
55 MEDIUM CVE-2026-14620 Npm-webpack-dev-server-4.15.1
detailsRecommended version: 5.2.6
Description: webpack-dev-server versions through 5.2.5 expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalida...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
56 MEDIUM CVE-2026-14631 Npm-webpack-dev-server-4.15.1
detailsRecommended version: 5.2.6
Description: webpack-dev-server versions through 5.2.5 terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
57 MEDIUM CVE-2026-14802 Npm-react-dev-utils-12.0.1
detailsDescription: A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser....
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
58 MEDIUM CVE-2026-31898 Npm-jspdf-2.5.1
detailsRecommended version: 4.2.1
Description: jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
59 MEDIUM CVE-2026-31938 Npm-jspdf-2.5.1
detailsRecommended version: 4.2.1
Description: jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows a...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
60 MEDIUM CVE-2026-33532 Npm-yaml-1.10.2
detailsRecommended version: 1.10.3
Description: yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
61 MEDIUM CVE-2026-33672 Npm-picomatch-2.3.0
detailsRecommended version: 2.3.2
Description: Picomatch is a glob matcher written JavaScript. Versions prior to 2.3.2, 3.0.0 prior to 3.0.2 and 4.0.0 prior to 4.0.4, are vulnerable to a method ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
62 MEDIUM CVE-2026-33672 Npm-picomatch-2.3.1
detailsRecommended version: 2.3.2
Description: Picomatch is a glob matcher written JavaScript. Versions prior to 2.3.2, 3.0.0 prior to 3.0.2 and 4.0.0 prior to 4.0.4, are vulnerable to a method ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
63 MEDIUM CVE-2026-40175 Npm-axios-0.25.0
detailsRecommended version: 0.31.0
Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.0 and 1.x prior to 1.15.0, the Axios library is vulnerable to a spe...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
64 MEDIUM CVE-2026-40175 Npm-axios-1.6.2
detailsRecommended version: 1.15.0
Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.0 and 1.x prior to 1.15.0, the Axios library is vulnerable to a spe...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
65 MEDIUM CVE-2026-40895 Npm-follow-redirects-1.15.3
detailsRecommended version: 1.16.0
Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
66 MEDIUM CVE-2026-40895 Npm-follow-redirects-1.15.2
detailsRecommended version: 1.16.0
Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
67 MEDIUM CVE-2026-42036 Npm-axios-1.6.2
detailsRecommended version: 1.15.1
Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns th...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
68 MEDIUM CVE-2026-42036 Npm-axios-0.25.0
detailsRecommended version: 0.31.1
Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns th...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
69 MEDIUM CVE-2026-42039 Npm-axios-0.25.0
detailsRecommended version: 0.31.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, FormData recursively walks nested obje...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
70 MEDIUM CVE-2026-42039 Npm-axios-1.6.2
detailsRecommended version: 1.15.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, FormData recursively walks nested obje...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
71 MEDIUM CVE-2026-42041 Npm-axios-0.25.0
detailsRecommended version: 0.31.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. From 1.x prior to 1.15.1 and from 0.x prior to 0.31.1, the Axios library is vulne...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
72 MEDIUM CVE-2026-42041 Npm-axios-1.6.2
detailsRecommended version: 1.15.1
Description: Axios is a promise-based HTTP client for the browser and Node.js. From 1.x prior to 1.15.1 and from 0.x prior to 0.31.1, the Axios library is vulne...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
73 MEDIUM CVE-2026-53550 Npm-js-yaml-4.1.0
detailsRecommended version: 4.2.0
Description: js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
74 MEDIUM CVE-2026-53550 Npm-js-yaml-3.14.1
detailsRecommended version: 3.15.0
Description: js-yaml is a JavaScript YAML parser and dumper. Prior to 4.2.0, a crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
75 MEDIUM CVE-2026-55602 Npm-http-proxy-middleware-2.0.6
detailsRecommended version: 2.0.10
Description: http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-ta...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
76 MEDIUM CVE-2026-9595 Npm-webpack-dev-server-4.15.1
detailsRecommended version: 5.2.5
Description: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and "ws: true", it also intercepts the dev server's own HMR WebSock...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
77 MEDIUM Cx4b2128cb-8703 Npm-dompurify-2.4.5
detailsRecommended version: 3.3.2
Description: DOMPurify allows `ADD_ATTR` to be provided as a predicate function via `EXTRA_ELEMENT_HANDLING.attributeCheck`. When the predicate returns `true`, ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
78 MEDIUM Cx9cf6447f-1ecc Npm-dompurify-2.4.5
detailsRecommended version: 3.4.0
Description: In `src/purify.ts:1117-1123`, `ADD_TAGS` as a function (via `EXTRA_ELEMENT_HANDLING.tagCheck`) bypasses `FORBID_TAGS` due to short-circuit evaluati...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
79 MEDIUM Cxb4a5145b-8389 Npm-dompurify-2.4.5
detailsRecommended version: 3.3.2
Description: When `USE_PROFILES` is enabled, DOMPurify rebuilds `ALLOWED_ATTR` as a plain array before populating it with the requested allowlists. Because the ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
80 MEDIUM Cxd0f78996-5d14 Npm-dompurify-2.4.5
detailsRecommended version: 3.3.2
Description: A mutation-XSS (mXSS) condition was confirmed when sanitized HTML is reinserted into a new parsing context using `innerHTML` and special wrappers. ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
81 LOW CVE-2026-12590 Npm-body-parser-1.20.1
detailsRecommended version: 1.20.6
Description: Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value s...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package

Fixed Issues (1) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
MEDIUM CVE-2025-50537 Npm-eslint-7.32.0

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

- feat:  utils for checking type and accessing nested field
- feat: template for binary filter
Comment on lines +39 to +45
filters: [
{
field: 'cancer',
title: 'Cancer Type',
type: 'string'
}
],

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is a type error. I wonder if this should be the following instead:

Suggested change
filters: [
{
field: 'cancer',
title: 'Cancer Type',
type: 'string'
}
],
filters: {
cancer_type: {
field: 'cancer',
title: 'Cancer Type',
type: 'string'
}
},

Given how it is defined:

export type Cohort = {
    name?: string;
    samples: any;
    filters?: { [key: string]: CohortFilter };
};

name: formattedDataName,
samples: formattedDataSamples
samples: formattedDataSamples,
filters: data.filters ?? []

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be an object?

Suggested change
filters: data.filters ?? []
filters: data.filters ?? {}

@dominikglodzikhms

Copy link
Copy Markdown
Collaborator

Sehi found 2 critical issues:

  • Switching a cohort after applying a filter crashes the App (the app becomes empty).
  • Clicking a SV, and then clicking the same SV again make the App non-interactive (the semi-transparent overlay does not disappear).

crfmc added 11 commits June 23, 2026 08:43
- fix: type errors
- fix: reset filters when cohort changes
- refactor: update keyboard navigation
- fix: update range values when showing as chips
- fix: add early return when dropdown doesn't exists
feat: open clinical panel by default
- fix: support negative values for bins using regex
- fix: use forEach for filter identifiers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants