## 99 npm Dependency Vulnerabilities Found Across Backend and Frontend, Including 2 Critical Flaws
A comprehensive security audit has surfaced 99 dependency vulnerabilities spanning both the backend and frontend of the project. The findings include two critical-severity flaws: one in the basic-ftp package used by the backend, and a prototype pollution issue in handlebars affecting the frontend. The severity distribution shows widespread exposure: 57 high-severity issues across both codebases, plus 24 moderate and 16 low-severity vulnerabilities. The number of affected packages points to a substantial attack surface that could be reached through known exploitation paths.

The backend carries 47 documented vulnerabilities, with 28 rated high severity. Notable high-risk dependencies include express, axios, electron, and electron-builder, all of which appear in the project dependency tree. The single critical flaw tied to basic-ftp compounds concerns around server-side exposure. The frontend mirrors this pattern with 52 vulnerabilities, including 29 high-severity issues concentrated in express, axios, css-select, and webpack-dev-server. The handlebars critical vulnerability is a particularly serious risk because of its potential for prototype pollution, where attacker-controlled input modifies shared object prototypes and thereby changes the behavior of unrelated objects in unexpected ways.

The audit results signal significant remediation pressure on the development team. Both axios and express appear on both sides of the stack, so the same upgrades address both sets of findings, but their widespread usage also amplifies the potential blast radius if they are exploited. The electron dependency, used for desktop builds, introduces client-side risk beyond web-facing surfaces. The project's maintainers face escalating urgency to prioritize patches for the two critical flaws, assess the exploitability of the high-severity issues, and implement a more rigorous dependency scanning process to prevent similar accumulation.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: npm, vulnerability, prototype pollution, handlebars, express
- **Credibility**: unverified
- **Published**: 2026-05-02 15:54:09
- **ID**: 79022
- **URL**: https://whisperx.ai/en/intel/79022